techniques and solutions for addressing ransomware attacks...very recently, wannacry ransomware, the...
TRANSCRIPT
Ph.D. Thesis Proposal
Techniques and Solutions for AddressingRansomware Attacks
Amin Kharraz
College of Computer and Information Science
Northeastern University
Ph.D. Committee
Engin Kirda Advisor, Northeastern University
William Robertson Advisor, Northeastern University
Manuel Egele External Member, Boston University
Long Lu Northeastern University – Stony Brook University
July 2017
Abstract
Ransomware is a form of extortion-based attack that locks the victim’s digital resources and requests
money to release them. Although the concept of ransomware is not new (i.e., such attacks date back
at least as far as the 1980s), this type of malware has recently experienced a resurgence in popularity.
In fact, over the last few years, a number of high-profile ransomware attacks were reported. Very
recently, WannaCry ransomware infected thousands of vulnerable machines around the world, and
substantially disrupted critical services such as British healthcare system. Given the size and variety of
threats we are facing today, having solutions to effectively detect and analyze unknown ransomware
attacks seems necessary.
In this thesis, we argue that it is possible to extend existing defense mechanisms, and protect user data
from a large number of ransomware attacks with zero data loss. To support this claim, in the first
part of the thesis, we perform an evolutionary-based analysis to understand the destructive behavior
of ransomware attacks. We show that by monitoring the interaction of malicious processes with the
operating system, it is possible to design practical defense mechanisms that could stop even very
successful cryptographic ransomware attacks. In the second part, we propose a novel dynamic analysis
system, called Unveil, that is designed to analyze ransomware attacks, and model their interactions.
In the third and the last part, we propose an end-point framework, called Redemption, to protect user
data from ransomware attacks. We present an operating system-independent design, and also provide
implementation details which show that such lightweight solutions could be integrated into existing
operating systems while achieving zero data loss in a large number of successful ransomware attacks.
Contents
1 Introduction 1
1.1 Focus of this Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 An Analysis on Current Ransomware Attacks 4
2.1 Ransomware Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Developing the Monitoring Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Characterization and Evolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3 A Dynamic Analysis Approach to Detecting Ransomware 6
3.1 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Analysis and Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Detecting Zero-Day Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4 Protecting End-Points from Ransomware Attacks 14
4.1 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.3 Analysis on Labeled Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5 Future Work and Timeline 18
5.1 Evaluating the Redemption Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.2 Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
II
1 Introduction
Malware attacks continue to remain one of the most popular attack vectors in the wild [60, 47].
Among all classes of malware, ransomware has recently become very popular among malware au-
thors [9, 16, 20, 26]. Ransomware is a kind of scareware that locks the victims’ computers until
they make a payment to re-gain access to their data. In fact, this class of malware is not a new
concept (such attacks have been in the wild since the last decade), but the growing number of high-
profile ransomware attacks has resulted in increasing concerns on how to defend against this class
of malware.
In 2016, several public and private sectors, including the healthcare industry, were impacted
by ransomware [13, 10, 66]. Lately, US officials have also expressed their concerns about ran-
somware [23, 30], and even asked the U.S. government to focus on fighting ransomware under
the Cybersecurity National Action Plan [30]. Very recently, WannaCry ransomware, the most re-
cent successful ransomware attack, impacted thousands of users around the world by exploiting the
EternalBlue vulnerability, encrypting user data, and demanding bitcoin payments in exchange for
unlocking files [48].
In response to the increasing number of ransomware attacks, users are often advised to create
backups of their critical data. Certainly, having a reliable data backup policy minimizes the potential
costs of being infected with ransomware, and is an important part of the IT management process.
However, the growing number of paying victims [11, 51, 24] suggests that technically unsophisticated
users – who are the main target of these attacks – do not follow these recommendations, and easily
become a paying victim of ransomware. Hence, ransomware authors continue to create new attacks
and evolve their creations as evidenced by the emergence of more sophisticated ransomware every
day [62, 8, 60, 53].
Unfortunately, many of the recent security reports about ransomware [19, 31, 32, 60, 61, 47]
mainly focus on the advancements in ransomware attacks and their levels of sophistication, rather
than providing some insights about effective defense techniques that should be adopted against
this threat. Furthermore, the current defense mechanisms to detect, analyze, and defend against
ransomware are not very different from the ones that are used to detect other types of evasive
malware. Perhaps, the main assumption here is that this class of malware employs all possible
evasion techniques, similar to other classes of malware, to bypass detection tools, reach end-users,
and successfully launch attacks. While we agree that this is a valid assumption, we claim that these
mechanisms cannot lead to the best defense mechanisms against ransomware, as evidenced by the
increasing number of very successful ransomware attacks in the wild.
1
1.1 Focus of this Work
In this thesis, we investigate the feasibility of developing solutions to detect and analyze ransomware
attacks. In fact, the thesis of this dissertation is that, unlike other malware, the nature of ransomware
attacks is not very broad, and protecting against a large number of ransomware attacks is possible.
We argue that ransomware attacks follow very similar patterns in order to be successful and force
victims to pay the ransom fee. For example, unlike other classes of malware that aims to be stealthy
to collect banking credentials or keystrokes without raising suspicion, ransomware notifies victims
that they are infected. Moreover, a successful ransomware usually needs to prevent user’s access to
his own data by performing encryption and/or deletion operations, and repeating these destructive
actions during an attack. This thesis aims to show that if we use these insights in the defense side,
and accurately model these behaviors, we can reliably detect a significant number of ransomware
attacks in the wild.
In the first part of this thesis, we perform an evolutionary-based analysis on ransomware attacks
to understand the main characteristics of these attacks. This work is motivated by our need to study
the core functionalities of these attacks from a filesystem perspective. To this end, we created a
dataset of ransomware samples that covers the majority of the existing ransomware families which
have been observed in the wild. We design and implement a kernel level module to closely monitor
the interaction of user mode processes with the filesystem. Our analysis shows that different classes
of ransomware attacks with multiple levels of sophistication share very similar characteristics from
a filesystem perspective due to the nature of these attacks.
In the second part of this thesis, we present a novel dynamic analysis system, called Unveil, that
is designed to analyze ransomware attacks and model their behaviors. In our approach, the system
automatically creates an artificial, realistic execution environment and monitors how ransomware
interacts with that environment. We evaluate Unveil using more than 148,000 distinct samples
belonging to different malware families. The evaluation of Unveil shows that our approach was
able to correctly detect 13,637 ransomware samples from multiple ransomware families in a real-
world data feed with zero false positives. Our analysis shows that Unveil can significantly enhance
the current anti-malware solutions with regard to ransomware.
In the third part of the thesis, we investigate the possibility of protecting user data from ran-
somware attacks at end-hosts with zero data loss. To this end, we propose a general framework,
called Redemption, to augment the operating system with ransomware protection capabilities. Re-
demption does not require performing any significant changes in the semantics of the underlying
filesystem functionality, or modifying the architecture of the operating systems.
2
1.2 Related Work
Malware attacks are important problems. They have been extensively investigated in security re-
search over the last couple of years. For example, a number of approaches have been proposed to
describe program behavior from analyzing byte patterns [42, 59, 57, 67] to transparently running
programs in malware analysis systems [6, 36, 35, 63]. Early steps to analyze and capture the main
intent of a program focused on analysis of control flow. Kruegel et al. [40] and Bruschi et al. [14]
showed that by modeling programs based on their instruction-level control flow, it is possible to
bypass some forms of obfuscation. Similarly, Christodorescu et al. [18] used instruction-level control
flow to design obfuscation-resilient detection systems. Later work focused on analyzing and detect-
ing malware using higher-level semantic characterizations of their runtime behavior derived from
sequences of system call invocations and OS resource accesses [37, 38, 17, 46, 58, 68].
In order to analyze the malicious behavior of malware samples, dynamic analysis tools have be-
come popular over the last few years. Most of these techniques depend on extracting system calls or
Windows API call traces using sandboxing techniques. For example, CWSandbox [65] and Norman
Sandbox [5] trace API calls, while Anubis [12] and Panorama [68] are examples of emulation-based
malware analysis systems that can perform data-flow analysis. More recently, BareCloud [36] has
been proposed which is a bare-metal analysis system to detect evasive malware samples.
A first report on specific ransomware families was made by Gazet where the author analyzed
three ransomware families including Krotten and Gpcode [25]. The recent resurgence of ransomware
attacks has attracted the attention of several researchers once more. Kharraz et al. [34] analyzed 15
ransomware families including desktop locker and cryptographic ransomware, and provided an
evolution-based study on ransomware attacks. The authors concluded that a significant number
of ransomware in the wild has a very similar strategy to attack user files, and can be recognized
from benign processes. In another work, Kharraz et al. [33] proposed Unveil, a dynamic analysis
system, that is specifically designed to assist reverse engineers to analyze the intrinsic behavior of
an arbitrary ransomware sample.
Scaife et al. [52] proposed CryptoDrop which is built upon the premise that the malicious process
aggressively encrypts user files. In the paper, as a limitation of CryptoDrop, the authors state that
the tool does not provide any recovery or minimal data loss guarantees. Their approach is able to detect
a ransomware attack after a median of ten file losses. Very recently, Continella et al. [21], and
Kolodenker et al. [39] proposed protection schemes to detect ransomware. Continella et al. [21]
proposed ShieldFS which has a similar goal to us. The authors also look at the filesystem layer to
find typical ransomware activity. While ShieldFS is a significant improvement over the status quo,
it would be desirable to complement it with a more generic approach which is also resistant to
unknown cryptographic functions. Unlike ShieldFS, the approach we proposed in Section4 does not
rely on cryptographic primitive identification.
3
Kolodenker et al. [39] proposed PayBreak which securely stores cryptographic encryption keys
in a key vault that is used to decrypt affected files after a ransomware attack. In fact, PayBreak
intercepts calls to functions that provide cryptographic operations, encrypts symmetric encryption
keys, and stores the results in the key vault. After a ransomware attack, the user can decrypt the
key vault with his private key and decrypt the files without making any payments. As mentioned
earlier, our proposed solution in Section 4 does not depend on any hooking technique to identify
cryptographic functions. Furthermore, the detection accuracy of the framework is not impacted by
the type of packer a ransomware family may use to evade common anti-malware systems. This
makes our proposed technique a more generic solution to the same problem space.
This dissertation proposal consists of the following sections:
In Section 2, we provide an overview of current ransomware attacks and the techniques they use. In
Section 3. we describe a dynamic analysis system that is specifically designed to detect and analyze
ransomware samples. Section 4 describes an end-point solution to protect the consistent state of
user data during a ransomware attack. In Section 5, we briefly explain our milestones, the proposed
research plan, and timeline to complete each task.
2 An Analysis on Current Ransomware Attacks
Given the significant growth of ransomware attacks [9, 16, 20, 26], it is very important to understand
how ransomware payloads are developed, how they evolved over time, and how the malicious
process attacks user data. Answering these questions allows us to develop models that look for
specific behaviors in ransomware attacks. Currently, most of the recent security reports about ran-
somware [62, 8, 60, 53] rely on ad-hoc procedures rather than a scientific assessment. In fact, these
reports mainly focus on the advancements in ransomware attacks and their levels of sophistica-
tion, rather than providing some insights about effective defense techniques that should be adopted
against this threat. As a first step, we investigate the key functionalities of ransomware attacks to
understand how these functionalities differ from other malware behaviors so that we can construct
accurate models to detect unknown ransomware attacks.
2.1 Ransomware Dataset
To build the ransomware dataset, we collected malware samples from multiple sources such as
Anubis, a public malware analysis system, and a set of public malware repositories [4, 2, 1] and
manually browsing through security forums [45, 3]. We collected 3,921 ransomware samples from
all these sources. However, after removing the samples that did not execute properly in our analysis
environment, our dataset contained a total of 1,359 active ransomware samples from 15 ransomware
families. To obtain accurate labels for these samples, we cross-checked the malware samples by au-
4
Table 1: The list of malware families used in our experiments.
Family Family Description Types of AttacksSamples Variants First Seen Most Recent Encypting Files Changing MBR Deleting Files Stealing Info
Reveton 244(17.95%) 14 2012 2014 ✓ ✓Cryptolocker 32 (2.35%) 4 2013 2014 ✓ ✓CryptoWall 11(0.8) 2 2014 2014 ✓Tobfy 122 (8.97%) 12 2010 2014 ✓Seftad 23 (1.69%) 4 2006 2010 ✓Winlock 308(22.66%) 27 2008 2013 ✓Loktrom 4 (0.29%) 2 2012 2013Calelk 9 (0.663%) 2 2009 2010Urausy 523 (38.48%) 16 2009 2014 ✓ ✓Krotten 17 (1.25%) 3 2008 2009 ✓BlueScreen 4 (0.29%) 1 2008 2009 ✓Kovter 8 (0.58%) 2 2013 2013 ✓Filecoder 9 (0.66%) 3 2012 2014 ✓ ✓GPcode 21 (1.54%) 4 2004 2008 ✓Weelsof 24 (1.76%) 3 2012 2013 ✓No. of Samples 1,359 - - - 73(5.37%) 23(1.69%) 484(35.61%) 44(3.23%)No. of Variants - 99 - - 13(13.13%) 4(4.04%) 29(21.33%) 6(6.06%)
tomatically submitting the list of MD5 hashes to VirusTotal. To be conservative on our ransomware
malware selection, we consider a malware to be ransomware if at least three AV engines recognized
it as belonging to this category. Table 1 represents the set of ransomware families we used in our
experiments.
2.2 Developing the Monitoring Tool
One of our first goals in this project is to describe how a malicious process interacts with the filesys-
tem when a machine is under a ransomware attack. To answer this question, we investigate the com-
mon characteristics of ransomware attacks from a filesystem perspective regardless of the technical
differences that these attacks might have (such as the infection and the key generation techniques).
In order to monitor filesystem activity, multiple approaches could be used. One classic approach
is to hook the SSDT table [28, 41] to monitor interesting function calls. In our analysis, we devel-
oped a minifilter driver [49] to capture all I/O requests that the I/O manager generates on behalf of
user-mode processes to access the filesystem.
To monitor the I/O requests, we define callback routines to precisely record any I/O and trans-
action activity on the files. For each filesystem request, we collect the process name, the process
ID, the parent process ID, the pre-operation and post-operation callback time, the IRP type, the ar-
guments and the result of the operation. Our minifilter driver is deployed in a privileged kernel
mode that has access to nearly all objects of the operating system. Furthermore, since we capture
the filesystem activity directly from Windows I/O manager in the kernel, there is a low chance that
malware authors develop code in the user mode that could bypass our monitor.
5
2.3 Characterization and Evolution
In this project, the characterization of ransomware attacks was based on 1,359 ransomware samples
among 15 families that have emerged over the last few years. Encryption and deletion operations
are two important components of most of recent ransomware attack as they allow the malicious
payload to prevent access to digital resources, and minimize the chance of regaining access to them.
We performed an analysis on these two operations by running malware samples in an isolated
environment, and monitoring the filesystem activity traces.
Our results show that a significant number of ransomware families share very similar character-
istics in the core part of the attacks, but still lack reliable destructive functions to successfully target
victims files. We also observed that suspicious filesystem activity of multiple types of destructive
ransomware families can be reliably extracted. More specifically, when looking at the execution
traces of malware programs, we observed that the way malicious processes generate requests to
access filesystem was significantly different from benign processes. We also observed that different
classes of ransomware attacks with multiple levels of sophistication share very similar character-
istics from filesystem perspective due to the nature of these attacks. Unlike recent discussions in
security community about ransomware attacks, our analysis suggests that implementing practical
defense mechanisms is still possible, if we effectively monitor the filesystem activity for example the
changes in Master File Table (MFT) or the types of I/O Request Packets (IRP) generated on behalf
of processes to access the filesystem.
3 A Dynamic Analysis Approach to Detecting Ransomware
Today, an important enabler for behavior-based malware detection is dynamic analysis. These sys-
tems execute a captured malware sample in a controlled environment, and record its behavior (e.g.,
system calls, API calls, and network traffic). Unfortunately, malware detection systems that focus on
stealthy malware behavior (e.g., suspicious operating system functionality for keylogging) might fail
to detect ransomware because this class of malicious code engages in activity that appears similar to
benign applications that use encryption or compression. Furthermore, these systems are currently
not well-suited for detecting the specific behaviors that ransomware engages in, as evidenced by
misclassifications of ransomware families by AV scanners [15, 55].
In this section, we propose a novel dynamic analysis system that is designed to analyze, and
model their behaviors. In our approach, the system automatically creates a realistic execution en-
vironment, and monitors how ransomware interacts with that environment. Closely monitoring
process interactions with the filesystem allows the system to precisely characterize cryptographic
ransomware behavior.
In parallel, the system tracks changes to the computers desktop that indicates ransomware-like
6
behavior. The key insight is that in order to be successful, ransomware will need to access and
tamper with a victim’s files or desktop. Our automated approach, called Unveil, allows the system
to analyze many malware samples at a large scale, and to reliably detect and flag those that exhibit
ransomware-like behavior. In addition, the system is able to provide insights into how the ran-
somware operates, and how to automatically differentiate between different classes of ransomware
3.1 System Design
In this section, we describe our techniques for detecting multiple classes of ransomware attacks.
Generating Arti�cial User Environments: Protecting malware analysis environments against
fingerprinting techniques is non-trivial in a real-world deployment. Sophisticated malware authors
exploit static features inside analysis systems (e.g., name of a computer) and launch reconnaissance-
based attacks [44] to fingerprint both public and private malware analysis systems.
The static features of analysis environments can be viewed as the Achilles’ heel of malware
analysis systems. One static feature that can have a significant impact on the effectiveness of the
malware analysis systems is the user data that can be effectively used to fingerprint the analysis
environment. That is, even on bare-metal environments where classic tricks such as virtualization
checks are not possible, an unrealistic looking user environment can be a telltale sign that the code
is running in a malware analysis system.
Intuitively, a possible approach to address such reconnaissance attacks is to build the user envi-
ronment in such a way that the user data is valid, real, and non-deterministic in each malware run.
These automatically-generated user environments serve as an “enticing target” to encourage ran-
somware to attack user data while at the same time preventing the possibility of being recognized
by adversaries. Before each run, Unveil automatically generates an artificial – yet realistic – user
environment for ransomware.
Filesystem Activity Monitor: Th first core component of Unveil is a filesystem monitor which
is used to collect filesystem activities during a cryptographic ransomware attack. The filesystem
monitor in Unveil has direct access to data buffers involved in I/O requests, giving the system
full visibility into all filesystem modifications. Figure 4 shows a high-level design of Unveil in the
Windows environment.
For all of the cryptographic ransomware samples that we studied, we empirically observed that
these samples issue I/O traces that exhibit distinctive, repetitive patterns. This is due to the fact
that these samples each use a single, specific strategy to deny access to user data. This attack
strategy is accurately reflected in the form of I/O access patterns that are repeated for each file when
performing the attack. Consequently, these I/O access patterns can be extracted as a distinctive I/O
7
Calculate Entropy
Identify Process
I/O Type
I/O Scheduler
FileSystem Driver
Physical Device
I/O Requests
I/O MonitorEXIT
file’s data Buffer
UNVEIL
User ModeKernel Mode
I/O MonitorENTER Record I/O
Request
Identify File OP
. . .
Process 1 Process 2 Process 3 Process N
read write delete write
I/O Access Monitor
Figure 1: Overview of the design of I/O access monitor in Unveil. The module monitors system-wide filesys-
tem accesses of user-mode processes. This allows Unveil to have full visibility into interactions with user files.
fingerprint for a particular family. We note that our approach mainly considers write or delete
requests. We elaborate on extracting I/O access patterns per file in Section 3.1.
For every read and write request to a file, Unveil computes the entropy of the corresponding
data buffer. Comparing the entropy of read and write requests to and from the same file offset serves
as an excellent indicator of cryptographic ransomware behavior. This is due to the common strategy
to read in the original file data, encrypt it, and overwrite the original data with the encrypted version.
The system uses Shannon entropy [43] for this computation.
Constructing Access Patterns: For each execution, after Unveil generates I/O access traces for
the sample, it sorts the I/O access requests based on file names and request timestamps. This allows
the system to extract the I/O access sequence for each file in a given run, and check which processes
accessed each file. The key idea is that after sorting the I/O access requests per file, repetition can
be observed in the way I/O requests are generated on behalf of the malicious process.
The particular detection criterion used by the system to detect ransomware samples is to identify
write and delete operations in I/O sequences in each malware run. In a successful ransomware
attack, the malicious process typically aims to encrypt, overwrite, or delete user files at some point
during the attack. In Unveil, these I/O request patterns raise an alarm, and are detected as suspi-
cious filesystem activity. We studied different cryptographic ransomware samples across different
ransomware families. Our analysis shows that although these attacks can be very different in their
attack strategies (e.g., evasion techniques, key generation, key management, connecting to C&C
8
overwrite
Open
Write
Close
read File x
Read
File x
Open
Read
Close
File x.locked
Open
Write
Close
encrypt delete File x
Open
Delete
Close
read File x
Open
Read
Close
File x.locked
Open
Write
Close
encrypt overwrite File x
Open
Read
Close
Write
(2)(1) (3)
Figure 2: Strategies differ across ransomware families with respect to I/O access patterns. (1) Attacker over-
writes the users’ file with an encrypted version; (2) Attacker reads, encrypts and deletes files without wiping
them from storage; (3) Attacker reads, creates a new encrypted version, and securely deletes the original files by
overwriting the content.
servers), they can be categorized into three main classes of attacks based on their access requests.
Figure 2 shows the high-level access patterns for multiple ransomware families we studied during
our experiments. For example, the access pattern shown to the left is indicative of Cryptolocker
variants that have varying key lengths and desktop locking techniques. However, its access pattern
remains constant with respect to family variants. We observed the same I/O activity for samples
in the CryptoWall family as well. While these families are identified as two different ransomware
families, since they use the same encryption functions to encrypt files (i.e., the Microsoft CryptoAPI),
they have similar I/O patterns when they attack user files.
As another example, in FileCoder family, the ransomware first creates a new file, reads data
from a victim’s file, generates an encrypted version of the original data, writes the encrypted data
buffer to the newly generated file, and simply unlinks the original user’s file (See Figure 2.2). In this
class of cryptographic ransomware, the malware does not wipe the original file’s data from the disk.
For attack approaches like this, victims have a high chance of recovering their data without paying
the ransom. In the third approach (Figure 2.3), however, the ransomware creates a new encrypted
file based on the original file’s data and then securely deletes the original file’s data using either
standard Windows APIs or custom overwriting implementations (e.g., such as CrypVault family).
Detecting Screen Lockers: The second core component of Unveil is aimed at detecting screen
locker ransomware. The key insight behind this component is that the attacker must display a
ransom note to the victim in order to receive a payment. In most cases, the message is prominently
displayed, covering a significant part, or all, of the display. As this ransom note is a virtual invariant
of ransomware attacks, Unveil aims to automatically detect the display of such notes.
9
The approach adopted by Unveil to detect screen locking ransomware is to monitor the desktop
of the victim machine, and to attempt to detect the display of a ransom note. Similar to Grier
et al. [27], we take automatic screenshots of the analysis desktop before and after the sample is
executed. The screenshots are captured from outside of the dynamic analysis environment to prevent
potential tampering by the malware. This series of screenshots is analyzed and compared using
image analysis methods to determine if a large part of the screen has suddenly changed between
captures. However, smaller changes in the image such as the location of the mouse pointer, current
date and time, new desktop icons, windows, and visual changes in the task bar should be rejected
as inconsequential.
In Unveil, we measure the structural similarity (SSIM) [64] of two screenshots – before and af-
ter sample execution – by comparing local patterns of pixel intensities in terms of both luminance
and contrast as well as the structure of the two images. Extracting structural information is based
on the observation that pixels have strong inter-dependencies – especially when they are spatially
close. These dependencies carry information about the structure of the objects in the image. After a
successful ransomware attack, the display of the ransom note often results in automatically identi-
fiable changes in the structural information of the screenshot (e.g., a large rectangular object covers
a large part of the desktop). Therefore, the similarity of the pre- and post-attack images decreases
significantly, and can be used as an indication of ransomware.
Unveil also extracts the text within the area where changes in the structure of the image has
occurred. The system extracts the text inside the selected area and searches for specific keywords
that are highly correlated with ransom notes (e.g.,<lock, encrypt, desktop, decryption, key>).
Given two screenshots X and Y, we define the overall similarity between the two screenshots X
and Y as the arithmetic mean of the similarity of the image contents. We define a similarity threshold
τsim such that Unveil considers the sample a potential screen locking ransomware. If the structural
similarity score between two images exceeds the threshold values. Unveil then extracts the text
within the image and searches for ransomware-related words within the modified area. Applying
the image similarity test with the best similarity threshold (see Section 3.2) gives us the highest recall
with 100% precision for the entire dataset.
3.2 Analysis and Findings
We evaluated Unveil detection accuracy by running two experiments. The goal of the first exper-
iment is to demonstrate that the system can detect known ransomware samples, while the goal of
the second experiment is to demonstrate that Unveil can detect previously unknown ransomware
samples. The Unveil prototype is built on top of Cuckoo Sandbox [22]. Cuckoo provides basic
services such as sample submission, managing multiple VMs, and performing simple human inter-
action tasks such as simulating user input during an analysis. However, in principle, Unveil could
10
Family Type Samples
Cryptolocker crypto 33 (1.5%)
CryptoWall crypto 42 (2.0%)
CTB-Locker crypto 77 (3.6%)
CrypVault crypto 21 (1.0%)
CoinVault crypto 17 (0.8%)
Filecoder crypto 19 (0.9%)
TeslaCrypt crypto 39 (1.8%)
Tox crypto 71 (3.3%)
VirLock locker 67 (3.2%)
Reveton locker 501 (23.6%)
Tobfy locker 357 (16.8%)
Urausy locker 877 (41.3%)
Total Samples - 2,121
Table 2: The list of ransomware families used in the first experiment.
be implemented using any dynamic analysis system (e.g., BitBlaze [7], VxStream Sandbox [54]).
As described in Section 3.1, user environments were generated for each run, filesystem I/O traces
were recorded, and pre- and post-execution screenshots were captured. After each execution, the
VM was rolled back to a clean state to prevent any interference across executions. Each sample was
executed in the analysis environment for 20 minutes. All experiments were performed according to
well-established experimental guidelines [56] for malware experiments.
Ground Truth (Labeled) Dataset: In this experiment, we collected ransomware samples from
public repositories [1, 4] and online forums that share malware samples [3, 45]. We also received
labeled ransomware samples from two well-known anti-malware companies. In total, we collected
3,156 recent samples. In order to make sure that those samples were indeed active ransomware, we
ran them in our test environment. We confirmed 2,121 samples to be active ransomware instances.
After each run, we checked the filesystem activity of each sample for any signs of attacks on user
data. If we did not see any malicious filesystem activity, we checked whether running the sample
displayed a ransom note.
Table 2 describes the ransomware families we used in this experiment. We note that the dataset
covers the majority of the current ransomware families in the wild. In addition to the labeled
ransomware dataset, we also created a dataset that consisted of non-ransomware samples. These
samples were submitted to the Anubis analysis platform [29], and consisted of a collection of benign
as well as malicious samples. We selected 149 benign executables including applications that have
ransomware-like behavior such as secure deletion, encryption, and compression. A short list of these
applications are provided in Table 3. We also tested 384 non-ransomware malware samples from 36
malware families to evaluate the false positive rate of Unveil.
11
We performed a precision-recall analysis to find the best similarity threshold τsim for desk-
top locking detection. The best threshold value to discriminate between similar and dissimilar
screenshots should be defined in such a way that Unveil is be able to detect screen locker ran-
somware while maintaining an optimal precision-recall rate. Our empirical analysis shows that with
τsim = 0.32 more than 97% of the ransomware samples across both screen locker and cryptographic
ransomware samples are detected with 100% precision. In the second experiment, we used this
similarity threshold to detect screen locker ransomware in a malware feed unknown to Unveil.
Application Main Capability Version
7-zip Compression 15.06
Winzip Compression 19.5
WinRAR Compression 5.21
DiskCryptor Encryption 1.1.846.118
AESCrypt Encryption —
Eraser Shredder 6.2.0.2969
SDelete Shredder 1.61
Table 3: The list of benign applications that generate similar I/O access patterns to ransomware.
3.3 Detecting Zero-Day Ransomware
The main goal of the second experiment is to evaluate the accuracy of Unveil when applied to a
large dataset of recent real-world malware samples. We then compared our detection results with
those reported by AV scanners in VirusTotal.
This dataset was acquired from the daily malware feed provided by Anubis [29] to security
researchers. The samples were collected from May 18th 2015 until February 12th 2016. The dataset
contained 148,223 distinct samples. Each sample was then submitted to Unveil to obtain I/O access
traces and pre-/post-execution desktop image dissimilarity scores.
Early Warning: One of the design goals of Unveil is to be able to automatically detect previously
unknown (i.e., zero-day) ransomware. In order to run this experiment, we did the following. Once
per day over the course of the experiment, we built a malware dataset that was concurrently sub-
mitted to Unveil and VirusTotal. If a sample was detected as ransomware by Unveil, we checked
the VirusTotal (VT) detection results. In cases where a ransomware sample was not detected by any
VT scanner, we reported it as a new detection.
In addition, we also measured the lag between a new detection by Unveil and a VT detection. To
that end, we created a dataset from the newly detected samples submitted on days {1, 2, . . . , n− 1, n}and re-submitted these samples to see whether the detection results changed. We considered the
12
0.0 0.2 0.4 0.6 0.8 1.00.00.10.20.30.40.50.60.7
Submission #1
0.0 0.2 0.4 0.6 0.8 1.00.000.050.100.150.200.25
Submission #2
0.0 0.2 0.4 0.6 0.8 1.00.000.050.100.150.20 Submission #3
0.0 0.2 0.4 0.6 0.8 1.00.000.050.100.150.20 Submission #4
0.0 0.2 0.4 0.6 0.8 1.00.000.050.100.150.20 Submission #5
0.0 0.2 0.4 0.6 0.8 1.00.000.050.100.150.200.25
Submission #6
Pollution Ratio
Dens
ity D
istr
ibut
ion
Figure 3: Evolution of VT scanner reports after six submissions. 72.2% of the samples detected by Unveil were
not detected by any of AV scanners in the first submission. After a few re-submissions, the detection results
do not change significantly. The detection results tend to be concentrated either towards small or very large
detection ratios. This means that a sample is either detected by a relatively small number of scanners, or almost
all of the scanners.
13
Evaluation Results
Total Samples 148,223
Detected Ransomware 13,637 (9.2%)
Detection Rate 96.3%
False Positives 0.0%
New Detection 9,872 (72.2%)
Table 4: Unveil detection results. 72.2% of the ransomware samples detected by Unveil were not detected by
any of AV scanners in VirusTotal at the time of the first submission. 7,572 (76.7%) of the newly detected samples
were destructive file locker ransomware samples.
result of all 55 VT scanners in this experiment. Since the number of scanners is relatively high,
we defined a VT detection ratio ρ as the ratio of the total number of scanners that identified the
sample as ransomware or malware to the total number of scanners checked by VT. ρ is therefore a
value on the interval [0,1] where zero means that the sample was not detected by any of the 55 VT
scanners, and 1 means that all scanners reported the sample as malware or ransomware. Since there
is no standard labeling scheme for malware in the AV industry, a scanner can label a sample using a
completely different name from another scanner. Consequently, to avoid biased results, we consider
the labeling of a sample using any name as a successful detection.
In our experiment, we submitted the detected samples every day to see how the VT detection ra-
tio ρ changes over time. The distribution of ρ for each submission is shown in Figure 3. Our analysis
shows that ρ does not significantly change after a small number of subsequent submissions. For the
first submission, 72.2% of the ransomware samples detected by Unveil were not detected by any
of the 55 VT scanners. After a few submissions, ρ does not change significantly, but generally was
concentrated either towards small or very large ratios. This means that after a few re-submissions,
either only a few scanners detected a sample, or almost all the scanners detected the sample.
The large scale experiment shows that Unveil outperforms all the public AV scanners in de-
tecting both superficial and technically sophisticated ransomware attacks. Among our findings was
also a new ransomware family that no AV scanners, including a modern industrial sandboxing
technology, had previously detected before we submitted it to VirusTotal.
4 Protecting End-Points from Ransomware Attacks
In response to the increasing number of ransomware attacks [9, 16, 20, 26], a desirable and comple-
mentary defense would be to augment the operating system with transparent techniques that would
make the operating system more resistant against ransomware-like behavior.
In this project, we introduce the concepts of a general framework, called Redemption, to protect
14
user data from ransomware attacks in a real-time fashion. Our goal is to define a practical solution
that can be used as an augmented service to the operating system without changing the semantics
of the underlying filesystem functionality.
Redemption is based on two main components: First, an abstract characterization of the behavior
of a large class of current ransomware attacks is constructed. More precisely, our technique applies
the results of a long-term dynamic analysis to binary objects to determine if a process matches the
abstract model. A process is labeled as malicious if it exhibits behaviors that match the abstract model.
Second, a high-performance, high-integrity mechanism that protects and restores all attacked files
by utilizing a transparent data buffer to redirect access requests while tracking the write contents.
4.1 System Design
In this section, we introduce the components of Redemption which are: (1) a lightweight kernel
module that intercepts process interactions, and (2) a user-mode daemon, called behavioral monitor
and notification module, that assigns a malice score to a process, and is used to notify the user about
the potential malicious behavior of a process.
Intercepting Access Requests. In order to implement a reliable dynamic access control mechanism
over user data, this part of the system should be implemented in the kernel, and be able to mediate
the access to the filesystem. The prototype redirects each write access request to the user files to a
protected area without changing the status of the original file.
Figure 4 presents an example that illustrates how access requests are processed. The system
introduces the following changes. (1) Redemption receives the request A from the application X to
access the file F at the time t, (2) if At requests access with write or delete privilege to the file F, and
the file F resides in a user defined path, the Redemption’s monitor is called, (3) Redemption creates
a corresponding file in the protected area, called reflected file, and handles the write requests. These
changes are periodically flushed to the storage to ensure that they are physically available on the
disk. The meta-data entry of the corresponding file is updated with the offset and length of the data
buffer in the I/O request after a successful data write at Step 3. (4) the malice score of the process
is updated, and is compared to a pre-configured threshold α. (5) the Redemption monitor sends a
notification to the display monitor to alert the user depending on the calculated malice score. (6) a
success/failure notification is generated, and is sent to the system service manager.
Malice Score Calculation (MSC) Function. The MSC function allows the system to identify the
suspicious process and notify the user when the process matches the abstract model. Given a process
X, we assign a malice score S to the process each time it requests privileged access to a user file.
If the malice score S exceeds a pre-defined malice threshold α, it means that the process exhibits
abnormal behaviors. In section 4.3, we provide more details on how we selected the malice score for
our experiments.
15
Redemption Monitor
1
2
6
5 4
3
1
2
Figure 4: Redemption mediates the access to the filesystem and redirects each write request on the user files to
a protected area without changing the status of the original file. Reading the user files, creating and writing on
new files follow the standard 2-step procedure since they do not introduce any risk with regard to ransomware
attacks on user data.
Behavioral Detection and Notification Module. We implemented this module as a user-mode
service. This was a conscious design choice similar to the design of most anti-malware solutions.
Note that Microsoft officially supports the concept of protected services, called Early Launch Anti-
Malware (ELAM), to allow anti-malware user-mode services to be launched as protected services.
In fact, after the service is launched as a protected service, Windows uses code integrity to only
allow trusted code to load into a protected service. Windows also protects these processes from
code injection and other attacks from admin processes [50]. If Redemption identifies the existence
of a malicious process, it automatically terminates the malicious process.
4.2 Dataset
The ground truth dataset consists of filesystem traces of manually confirmed ransomware samples as
well as more than 230 GB of data which contains the interaction of benign processes with filesystem
on multiple machines. We used this dataset to verify the effectiveness of Redemption, and to
determine the best threshold value to label a suspicious process.
4.3 Analysis on Labeled Data
The prototype of the Redemption supports all Windows platforms. In our experiments, we used
Windows 7 by simply attaching Redemption to the filesystem. The remainder of this section dis-
cusses how benign and malicious dataset were collected, and how we will conduct the experiments
to evaluate the effectiveness of our approach.
One of the design requirements of the system is to produce low false positives, and to minimize
16
Table 5: A list of Benign application and their
malice scores.
Program Min. Score Max. Score
Adobe Photoshop 0.032 0.088AESCrypt 0.37 0.72AxCrypt 0.31 0.75Adobe PDF reader 0.0 0.0Adobe PDF Pro 0.031 0.039Google Chrome 0.037 0.044Internet Explorer 0.035 0.045Matlab 0.038 0.92MS Words 0.041 0.089MS PowerPoint 0.025 0.102MS Excel 0.017 0.019VLC Player 0.0 0.0Vera Crypt 0.33 0.71WinRAR 0.0 0.16Windows Backup 0.0 0.0Windows paintit 0.029 0.083SDelete 0.283 0.638Skype 0.011 0.013Spotify 0.01 0.011Sumatra PDF 0.022 0.041Zip 0.0 0.16
Malice Score Median 0.027 0.0885
Table 6: A list of ransomware families and their
malice scores.
Family Samples Min. Score Max. Score Recovery
Cerber 33 0.41 0.73 5Cryptolocker 50 0.36 0.77 4CryptoWall3 39 0.4 0.79 6CryptXXX 46 0.49 0.71 3CTB-Locker 53 0.38 0.75 7CrypVault 36 0.53 0.73 3CoinVault 39 0.42 0.69 4Filecoder 54 0.52 0.66 5GpCode 45 0.52 0.76 2TeslaCrypt 37 0.43 0.79 4Virlock 29 0.51 0.72 3SilentCrypt 43 0.31 0.59 9
Samples 504 - - -Score Median - 0.43 0.73 -Recovery Median - - - 4
the number of unnecessary notifications to end-users. To this end, the system employs a threshold
value to determine when an end-user should be notified about the suspicious behavior of a process.
We tested a large set of benign as well as ransomware samples on a Redemption enabled ma-
chine. As depicted in Table 5 and Table 6, the median score of benign applications is significantly
lower than ransomware samples. For file encryption programs such as AxCrypt which are specifi-
cally designed to protect the privacy of the users, the original file is overwritten with random data
once the encrypted version is generated. In this case, Redemption reports the action as being ma-
licious – which, in fact, is a false positive. Unfortunately, such false positive cases are inevitable
since these programs are exhibiting the exact behavior that a typical ransomware exhibits. In such
cases, Redemption informs the end-user and asks for a manual confirmation. Given these corner
cases, we select the malice score as α = 0.12 where the system achieves the best detection and false
positive rates (FPs = 0.5% at a TP = 100%). This malice threshold is still significantly lower than the
minimum malice score of all the ransomware families in the dataset as provided in Table 6. The table
also shows the median file recovery rate. As depicted, Redemption detects a malicious process and
successfully recovers encrypted data after observing on average four files. Our experiment on the
dataset also showed that 7 GB storage is sufficiently large for the protected area in order to enforce
the data consistency policy.
17
5 Future Work and Timeline
5.1 Evaluating the Redemption Prototype
In Section 4, we proposed an end-point framework that protects user data from ransomware attacks.
Designing a reliable end-point solution that guarantees minimal data loss is non-trivial. A successful
implementation of the framework should achieve a high true positive rate and a low false positive
rate. Furthermore, it should not impose a noticeable performance impact, or require significant
changes to the way users interact with standard operating systems.
We showed that the system achieves good detection results when using 10-fold cross validation
on the labeled dataset. In addition to this experiment, we plan to test the system with ransomware
samples that are not used in the model learning process. In this experiment, we plan to evaluate the
detection accuracy of the system in a real-world setting where the trained model has not necessarily
observed all types of attacks in this specific class of malware.
We also plan to measure the potential performance impacts of the system when it is deployed
on end-user machines. In fact, we plan to test which operations are more expensive when system
is deployed, and whether the incurred overhead makes the system inefficient. The goal of this
experiment is to test how the system works under heavy reads and writes. Furthermore, we would
like to measure how many files should be maintained in the protected area when Redemption is
actively monitoring the filesystem activity.
5.2 Timeline
Table 7 is the proposed timeline to complete our research:
Table 7: The proposed timeline to complete the research
To-do tasks Completion Date (end of)
Large Scale Evaluation July 2017
Usability Tests July 2017
Filesystem Benchmarks August 2017
Dissertation Defense August 2017
References
[1] Minotaur Analysis - Malware Repository. minotauranalysis.com.
[2] VX Vault - Online Repository of Malware Samples. vxvault.siri-urz.net.
18
[3] Malware Tips - Your Security Advisor. http://malwaretips.com/forums/virus-exchange.
104/.
[4] MalwareBlackList - Online Repository of Malicious URLs. http://www.malwareblacklist.
com.
[5] Norman Sandbox. http://www.norman.com/.
[6] Proof-of-concept Automated Baremetal Malware Analysis Framework. https://code.google.
com/p/nvmtrace/.
[7] BitBlaze Malware Analysis Service. http://bitblaze.cs.berkeley.edu/, 2016.
[8] Anand Ajjan. Ransomware: Next-Generation Fake Antivirus. http://www.sophos.com/en-us/
medialibrary/PDFs/technicalpapers/SophosRansomwareFakeAntivirus.pdf, 2013.
[9] Alex Hern. Major sites including New York Times and BBC hit by ran-
somware malvertising. https://www.theguardian.com/technology/2016/mar/16/
major-sites-new-york-times-bbc-ransomware-malvertising, 2016.
[10] Alex Hern. Ransomware threat on the rise as almost 40 percent of bussi-
nesses attacked. https://www.theguardian.com/technology/2016/aug/03/
ransomware-threat-on-the-rise-as-40-of-businesses-attacked, 2016.
[11] Andrew Dalton. Hospital paid 17K ransom to hackers of its computer net-
work. http://bigstory.ap.org/article/d89e63ffea8b46d98583bfe06cf2c5af/
hospital-paid-17k-ransom-hackers-its-computer-network, 2016.
[12] Ulrich Bayer, Christopher Kruegel, and Engin Kirda. TTAnalyze: A Tool for Analyzing Mal-
ware. In Proceedings of the European Institute for Computer Antivirus Research Annual Conference,
April 2006.
[13] BBC News. University pays 20,000 Dollars to ransomware hackers. http://www.bbc.com/news/
technology-36478650, 2016.
[14] Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga. Detecting self-mutating malware
using control-flow graph matching. In Detection of Intrusions and Malware & Vulnerability Assess-
ment, pages 129–143. Springer, 2006.
[15] Catalin Cimpanu. Breaking Bad Ransomware Completely Un-
detected by VirusTotal. http://http://news.softpedia.com/news/
breaking-bad-ransomware-goes-completely-undetected-by-virustotal-493265.shtml,
2015.
19
[16] Chris Francescani. Ransomware Hackers Blackmail U.S. Police Departments. http://
www.cnbc.com/2016/04/26/ransomware-hackers-blackmail-us-police-departments.html,
2016.
[17] Mihai Christodorescu, Somesh Jha, and Christopher Kruegel. Mining specifications of mali-
cious behavior. In Proceedings of the 1st India software engineering conference, pages 5–14. ACM,
2008.
[18] Mihai Christodorescu, Somesh Jha, Sanjit A Seshia, Dawn Song, and Randal E Bryant.
Semantics-aware malware detection. In Security and Privacy, 2005 IEEE Symposium on, pages
32–46. IEEE, 2005.
[19] Cisco, Inc. Ransomware on Steroids: Cryptowall 2.0. http://blogs.cisco.com/security/
talos/cryptowall-2, 2015.
[20] Connor Mannion. Three U.S. Hospitals Hit in String of
Ransomware Attacks. http://www.nbcnews.com/tech/security/
three-u-s-hospitals-hit-string-ransomware-attacks-n544366, 2016.
[21] Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro
Barenghi, Stefano Zanero, and Federico Maggi. Shieldfs: a self-healing, ransomware-aware
filesystem. In Proceedings of the 32nd Annual Conference on Computer Security Applications, pages
336–347. ACM, 2016.
[22] Cuckoo Foundation. Cuckoo Sandbox: Automated Malware Analysis. www.cuckoosandbox.
org, 2015.
[23] Dan Whitcomb. California lawmakers take step toward outlawing ransomware. http://www.
reuters.com/article/us-california-ransomware-idUSKCN0X92PA, 2016.
[24] Dell SecureWorks. University of Calgary paid 20K in ransomware attack. http://www.cbc.ca/
news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979, 2016.
[25] Alexandre Gazet. Comparative analysis of various ransomware virii. Journal in Computer Virol-
ogy, 6(1):77–90, February 2010.
[26] Grefgory Wolf. 8 High Profile Ransomware Attacks You
May Not Have Heard Of. https://www.linkedin.com/pulse/
8-high-profile-ransomware-attacks-you-may-have-heard-gregory-wolf, 2016.
[27] Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J Dietrich, Kirill Levchenko,
Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, et al. Manu-
20
facturing compromise: the emergence of exploit-as-a-service. In Proceedings of the 2012 ACM
conference on Computer and communications security, pages 821–832, 2012.
[28] Greg Hoglund and Jamie Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley
Professional, 2005.
[29] International Secure System Lab. Anubis - Malware Analysis for Unknown Binaries. https:
//anubis.iseclab.org/, 2015.
[30] Jerry Zremski. New York Senator Seeks to Combat Ransomware. http://www.govtech.com/
security/New-York-Senator-Seeks-to-Combat-Ransomware.html, 2016.
[31] John Miller, Matt Allen, Christopher Glyer, Ian Ahl, Nick Carr. Petya Ransomware Spread-
ing Via EternalBlue Exploit. https://www.fireeye.com/blog/threat-research/2017/06/
petya-ransomware-spreading-via-eternalblue-exploit.html, 2017.
[32] Kevin Savage, Peter Coogan, Hon Lau. the Evolution of Ransomware. http:
//www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
the-evolution-of-ransomware.pdf, 2015.
[33] Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. UNVEIL:
A Large-Scale, Automated Approach to Detecting Ransomware. In 25th USENIX Security Sym-
posium, 2016.
[34] Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting
the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In Conference on Detection
of Intrusions and Malware & Vulnerability Assessment (DIMVA), 07 2015.
[35] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. Barebox: efficient malware analysis
on bare-metal. In Proceedings of the 27th Annual Computer Security Applications Conference, pages
403–412. ACM, 2011.
[36] Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. Barecloud: Bare-metal analysis-based
evasive malware detection. In 23rd USENIX Security Symposium (USENIX Security 14), pages
287–301. USENIX Association, 2014.
[37] Engin Kirda, Christopher Kruegel, Greg Banks, Giovanni Vigna, and Richard Kemmerer.
Behavior-based spyware detection. In Usenix Security, volume 6, 2006.
[38] Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiao-yong
Zhou, and XiaoFeng Wang. Effective and efficient malware detection at the end host. In USENIX
security symposium, pages 351–366, 2009.
21
[39] Eugene Kolodenker, William Koch, Gianluca Stringhini, and Manuel Egele. Paybreak: Defense
against cryptographic ransomware. In Proceedings of the 2017 ACM on Asia Conference on Com-
puter and Communications Security, ASIA CCS ’17, pages 599–611, New York, NY, USA, 2017.
ACM.
[40] Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. Poly-
morphic worm detection using structural information of executables. In Recent Advances in
Intrusion Detection, pages 207–226. Springer, 2006.
[41] Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu, and Engin Kirda.
Accessminer: Using system-centric models for malware protection. In Proceedings of the 17th
ACM Conference on Computer and Communications Security, CCS ’10, pages 399–412. ACM, 2010.
[42] Wei-Jen Li, Ke Wang, Salvatore J Stolfo, and Benjamin Herzog. Fileprints: Identifying file types
by n-gram analysis. In Information Assurance Workshop, 2005. IAW’05. Proceedings from the Sixth
Annual IEEE SMC, pages 64–71. IEEE, 2005.
[43] Jianhua Lin. Divergence measures based on the shannon entropy. IEEE Transactions on Informa-
tion theory, 37:145–151, 1991.
[44] Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. Detecting environment-
sensitive malware. In Recent Advances in Intrusion Detection, pages 338–357. Springer, 2011.
[45] Malware Don’t Need Coffee. Guess who’s back again ? Cryptowall 3.0. http://malware.
dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html, 2015.
[46] Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, and John C Mitchell. A
layered architecture for detecting malicious behaviors. In Recent Advances in Intrusion Detection,
pages 78–97. Springer, 2008.
[47] McAfee Labs. McAfee Labs 2017 Threat Predictions Report. https://www.mcafee.com/us/
resources/reports/rp-threats-predictions-2017.pdf, 2017.
[48] Michael Mimoso. Leaked NSA Exploit Spreading Ransomware WorldWide. https://
threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/, 2017.
[49] Microsoft, Inc. File System Minifilter Drivers. https://msdn.microsoft.com/en-us/library/
windows/hardware/ff540402%28v=vs.85%29.aspx, 2014.
[50] Microsoft, Inc. Protecting Anti-Malware Services. https://msdn.microsoft.com/en-us/
library/windows/desktop/dn313124(v=vs.85).aspx, 2016.
[51] Ms. Smith. Kansas Heart Hospital hit with ransomware; attackers de-
mand two ransoms. http://www.networkworld.com/article/3073495/security/
22
kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.
html, 2016.
[52] Patrick Traynor Nolen Scaife, Henry Carter and Kevin Butler. CryptoLock (and Drop It): Stop-
ping Ransomware Attacks on User Data. In In IEEE International Conference on Distributed Com-
puting Systems (ICDCS), 2016.
[53] Gavin O’Gorman and Geoff McDonald. Ransomware: A Growing Menance. http://www.
symantec.com/connect/blogs/ransomware-growing-menace, 2012.
[54] Payload Security Inc,. Payload Security. https://www.hybrid-analysis.com, 2016.
[55] REAQTA Inc,. HyraCrypt Ransomware. https://reaqta.com/2016/02/hydracrypt-
ransomware/, 2016.
[56] Christian Rossow, Christian J Dietrich, Chris Grier, Christian Kreibich, Vern Paxson, Norbert
Pohlmann, Herbert Bos, and Maarten Van Steen. Prudent practices for designing malware
experiments: Status quo and outlook. In Security and Privacy (SP), 2012 IEEE Symposium on,
pages 65–79. IEEE, 2012.
[57] Matthew G Schultz, Eleazar Eskin, Erez Zadok, and Salvatore J Stolfo. Data mining methods
for detection of new malicious executables. In Security and Privacy, 2001. S&P 2001. Proceedings.
2001 IEEE Symposium on, pages 38–49. IEEE, 2001.
[58] Elizabeth Stinson and John C Mitchell. Characterizing bots remote control behavior. In Detection
of Intrusions and Malware, and Vulnerability Assessment, pages 89–108. Springer, 2007.
[59] Andrew H Sung, Jianyun Xu, Patrick Chavez, and Srinivas Mukkamala. Static analyzer of
vicious executables (save). In Computer Security Applications Conference, 2004. 20th Annual, pages
326–334. IEEE, 2004.
[60] Symantec, Inc. Internet Security Threat Report. http://www.symantec.com/security_
response/publications/threatreport.jsp, 2017.
[61] Tom Spring. Second Global Ransomware Outbreak Under Way. https://threatpost.com/
second-global-ransomware-outbreak-under-way/126549/, 2017.
[62] TrendLabs. An Onslaught of Online Banking Malware and Ransomware. http:
//apac.trendmicro.com/cloud-content/apac/pdfs/security-intelligence/reports/
rpt-cashing-in-on-digital-information.pdf, 2013.
[63] Amit Vasudevan and Ramesh Yerraballi. Cobra: Fine-grained malware analysis using stealth
localized-executions. In Security and Privacy, 2006 IEEE Symposium on, 2006.
23
[64] Zhou Wang, Alan C Bovik, Hamid R Sheikh, and Eero P Simoncelli. Image quality assessment:
from error visibility to structural similarity. Image Processing, IEEE Transactions on, 13(4):600–612,
2004.
[65] Carsten Willems, Thorsten Holz, and Felix Freiling. Toward automated dynamic malware anal-
ysis using cwsandbox. IEEE Security and Privacy, 5(2):32–39, March 2007.
[66] WIRED Magazine. Why Hospitals Are the Perfect Targets for Ransomware. https://www.
wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/, 2016.
[67] J-Y Xu, Andrew H Sung, Patrick Chavez, and Srinivas Mukkamala. Polymorphic malicious
executable scanner by api sequence analysis. In Hybrid Intelligent Systems, 2004. HIS’04. Fourth
International Conference on, pages 378–383. IEEE, 2004.
[68] Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. Panorama: cap-
turing system-wide information flow for malware detection and analysis. In Proceedings of the
14th ACM conference on Computer and communications security, pages 116–127. ACM, 2007.
24