
RansomGuard: a framework for proactive detection and mitigation of cryptographic windows ransomware

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Ransomware is a widespread form of malware that has caused significant damage to enterprises and individuals: it encrypts the victim's files and other system resources and demands a ransom in exchange for decryption. High-profile ransomware attacks can devastate businesses, disrupt critical infrastructure, compromise sensitive data and endanger human lives. This paper proposes RansomGuard, a framework that combines a static detector with a dynamic machine-learning component operating on events captured directly from the Windows kernel. RansomGuard consumes Event Tracing for Windows (ETW) logs from Windows kernel providers to correlate file-access patterns with the processes that produce them, which allows it to pinpoint potentially malicious activity, and it adds entropy analysis to detect files being encrypted so that an attack is identified early, improving the overall security posture of Windows systems. The framework was evaluated against 22 distinct ransomware families, and the trained model also detected ransomware strains that were not part of its training dataset. Experimental results show that RansomGuard is robust and adaptable, achieving up to 99.87% accuracy while keeping the false positive rate very low, and that it is effective against a range of ransomware threats.
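The abstract describes two signals the framework correlates: which process touches which files (from ETW kernel file events) and whether the data being written looks encrypted (entropy). The following is an added example, not code from the paper or from RansomGuard, showing how those signals can be combined into a per-process score over a short trace. Two things are assumptions of the example rather than facts from the page: ETW Microsoft-Windows-Kernel-File events report the process, path and size of a write but not the bytes written, so the example assumes the write payload was obtained separately (for instance by re-reading the file after the Write event) and attached to each record; and the thresholds, the process names and all events in the trace are constructed for the demonstration.

```python
"""Entropy-based scoring of per-process file activity (added example, not RansomGuard code).

ETW Microsoft-Windows-Kernel-File events report which process wrote which file, but not
the bytes written; this example ASSUMES the write payload was obtained separately
(e.g. by re-reading the file after the Write event) and attached to each record.
All events below are constructed for the demonstration.
"""
import math
import os
import random
from collections import Counter
from dataclasses import dataclass, field

HIGH_ENTROPY = 7.5    # bits/byte; AES/ChaCha output sits close to the 8.0 ceiling (assumed threshold)
MIN_SAMPLE = 1024     # the estimator is biased low on short buffers, so ignore them
FILES_THRESHOLD = 3   # distinct files overwritten with high-entropy data before the signal counts


@dataclass
class FileEvent:
    pid: int
    image: str
    op: str               # "Write", "Rename" or "Delete"
    path: str
    data: bytes = b""     # write payload (assumed captured; see module docstring)
    new_path: str = ""    # target name for Rename


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class ProcState:
    image: str
    high_entropy_files: set = field(default_factory=set)
    new_extensions: set = field(default_factory=set)
    deletes: int = 0

    def score(self) -> int:
        s = 0
        if len(self.high_entropy_files) >= FILES_THRESHOLD:
            s += 2                       # many distinct files turned into ciphertext
        if self.new_extensions:
            s += 1                       # file extensions changed during the same burst
        if self.deletes and self.high_entropy_files:
            s += 1                       # originals removed alongside high-entropy writes
        return s


def analyze(events, alert_at: int = 3) -> dict:
    """Replay events and return {pid: (image, score)} for processes scoring >= alert_at."""
    states = {}
    for ev in events:
        st = states.setdefault(ev.pid, ProcState(ev.image))
        if ev.op == "Write":
            if len(ev.data) >= MIN_SAMPLE and shannon_entropy(ev.data) >= HIGH_ENTROPY:
                st.high_entropy_files.add(ev.path.lower())
        elif ev.op == "Rename":
            old_ext = os.path.splitext(ev.path)[1].lower()
            new_ext = os.path.splitext(ev.new_path)[1].lower()
            if new_ext and new_ext != old_ext:
                st.new_extensions.add(new_ext)
        elif ev.op == "Delete":
            st.deletes += 1
    return {pid: (st.image, st.score()) for pid, st in states.items() if st.score() >= alert_at}


def _ciphertext_like(n: int, seed: int) -> bytes:
    """Deterministic stand-in for encrypted output: seeded PRNG bytes, about 7.95 bits/byte at 4 KiB."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\r\n" * 60

# Constructed sample trace. The archiver writes one high-entropy file, which is normal for
# compressed output; a single such write must not trip the score, only a burst across files does.
SAMPLE_EVENTS = [
    FileEvent(4100, "7z.exe", "Write", r"C:\Users\alice\backup.7z", _ciphertext_like(4096, 7)),
    FileEvent(2200, "notepad.exe", "Write", r"C:\Users\alice\notes.txt", PLAINTEXT),
]
VICTIMS = [rf"C:\Users\alice\Documents\{n}" for n in ("budget.xlsx", "contract.docx", "thesis.pdf")]
for i, doc in enumerate(VICTIMS):
    # In-place overwrite followed by a rename: the common encryptor pattern.
    SAMPLE_EVENTS.append(FileEvent(6666, "updater.exe", "Write", doc, _ciphertext_like(4096, 100 + i)))
    SAMPLE_EVENTS.append(FileEvent(6666, "updater.exe", "Rename", doc, new_path=doc + ".locked"))
# Variant: ciphertext written to a new file, then the original is deleted.
PHOTO = r"C:\Users\alice\Pictures\photo.jpg"
SAMPLE_EVENTS.append(FileEvent(6666, "updater.exe", "Write", PHOTO + ".locked", _ciphertext_like(4096, 200)))
SAMPLE_EVENTS.append(FileEvent(6666, "updater.exe", "Delete", PHOTO))


if __name__ == "__main__":
    for pid, (image, score) in analyze(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} score={score}")
```

Entropy on its own is a weak discriminator: archives, media files and already-encrypted containers all score near 8 bits/byte, which is why the example only counts the signal once several distinct files are affected by the same process and combines it with renames and deletions in the same burst. Short buffers are skipped because the entropy estimate of a few hundred bytes is biased low even for genuine ciphertext.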


Data availability

Data in this research paper will be shared upon request made to the corresponding author.


Funding

This research received no external funding.

Author information


Contributions

M Adnan Alvi: conceived the study, conducted the literature review, developed the methodology, and performed the data analysis; drafted the initial manuscript and managed the project. Zunera Jalil: supervised the study, assisted in data collection, contributed to writing and reviewing the manuscript, provided critical feedback, and contributed to the final manuscript.

Corresponding author

Correspondence to M Adnan Alvi.

Ethics declarations

Conflict of interest

The authors declare that they have no conflicts of interest to report regarding the present study.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Alvi, M.A., Jalil, Z. RansomGuard: a framework for proactive detection and mitigation of cryptographic windows ransomware. J Comput Virol Hack Tech 20, 867–884 (2024). https://doi.org/10.1007/s11416-024-00539-9

