ABSTRACT
Ransomware has evolved from an economic nuisance into a national security threat, and poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared to state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples the ransomware detection functionality from the SSD firmware and integrates it into a lightweight Type I hypervisor. It can thus leverage the host system's powerful computing capability and the rich context information introspected from the operating system to detect ransomware attacks accurately and to defend against potential targeted attacks on SSD characteristics. Further, RansomTag is readily deployed on desktop personal computers owing to its parapass-through architecture. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through our proposed tag-based approach. Third, RansomTag is able to keep 100% of the user data overwritten or deleted by ransomware, and to restore any single file or set of files to any version based on timestamps. To validate our approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that our prototype effectively protects user data with minimal-scale data backup and acceptable performance overhead. In addition, all attacked files can be completely restored at fine granularity.
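The retention-and-restore property the abstract claims, as an added illustrative model that is not RansomTag's code: an append-only block store in which every write carries a file tag and a timestamp, no overwritten or deleted version is ever reclaimed, and any set of files can be reconstructed as of a chosen timestamp. The tag layout, the `TaggedWrite` record and the sample file names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TaggedWrite:
    """One tagged write as this model assumes the hypervisor would label it."""
    file_tag: str          # identifies the owning user file (assumed tag format)
    lba: int               # logical block address within the device
    ts: int                # timestamp attached to the write
    data: Optional[bytes]  # None models a delete/TRIM of the block

class VersionedStore:
    """Append-only log: old block versions are retained instead of reclaimed."""
    def __init__(self) -> None:
        self.log: list[TaggedWrite] = []

    def write(self, file_tag: str, lba: int, ts: int, data: bytes) -> None:
        self.log.append(TaggedWrite(file_tag, lba, ts, data))

    def delete(self, file_tag: str, lba: int, ts: int) -> None:
        self.log.append(TaggedWrite(file_tag, lba, ts, None))

    def restore(self, file_tag: str, ts: int) -> dict[int, bytes]:
        """Rebuild all blocks of one file as they were at time `ts` (inclusive)."""
        blocks: dict[int, bytes] = {}
        for w in sorted(self.log, key=lambda w: w.ts):
            if w.file_tag != file_tag or w.ts > ts:
                continue
            if w.data is None:
                blocks.pop(w.lba, None)   # delete removes the block at that version
            else:
                blocks[w.lba] = w.data    # overwrite replaces it at that version
        return blocks

    def restore_many(self, file_tags: list[str], ts: int) -> dict[str, dict[int, bytes]]:
        """Restore several files to the same point in time."""
        return {t: self.restore(t, ts) for t in file_tags}

def demo() -> VersionedStore:
    """Constructed history: clean writes, then overwrite and delete by an attacker."""
    s = VersionedStore()
    s.write("report.docx", 0, 10, b"quarterly figures")
    s.write("report.docx", 1, 11, b"appendix")
    s.write("notes.txt", 0, 12, b"todo list")
    s.write("report.docx", 0, 20, b"\x8a\x1f\x03\xd4")  # constructed ciphertext
    s.write("report.docx", 1, 21, b"\x77\x02\xee\x91")  # constructed ciphertext
    s.delete("notes.txt", 0, 22)                         # original deleted
    return s
```

Restoring with `ts=19` returns the pre-attack contents of `report.docx`, while `ts=25` returns the ciphertext versions; `notes.txt` is recoverable at any `ts` before 22.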