Visible to the public Detecting Ransomware with Honeypot Techniques

TitleDetecting Ransomware with Honeypot Techniques
Publication TypeConference Paper
Year of Publication2016
AuthorsMoore, C.
Conference Name2016 Cybersecurity and Cyberforensics Conference (CCC)
Date Publishedaug
ISBN Number978-1-5090-2657-9
Keywordsactivity, bogus computer resources, composability, computer security, Computers, cryptography, cyber security, decoy computers, detect, Electronic mail, EventSentry, file screening service, file servers, honeypot, honeypot techniques, Human Behavior, illicit access detection, invasive software, Malware, malware form, Metrics, Microsoft file server resource manager feature, Monitoring, Network, network administrators, pubcrawl, ransomware, ransomware activity detection, ransomware attacks, ransomware detection, Resiliency, Servers, social engineering methods, Windows security logs, witness tripwire files
Abstract

Attacks of Ransomware are increasing, this form of malware bypasses many technical solutions by leveraging social engineering methods. This means established methods of perimeter defence need to be supplemented with additional systems. Honeypots are bogus computer resources deployed by network administrators to act as decoy computers and detect any illicit access. This study investigated whether a honeypot folder could be created and monitored for changes. The investigations determined a suitable method to detect changes to this area. This research investigated methods to implement a honeypot to detect ransomware activity, and selected two options, the File Screening service of the Microsoft File Server Resource Manager feature and EventSentry to manipulate the Windows Security logs. The research developed a staged response to attacks to the system along with thresholds when there were triggered. The research ascertained that witness tripwire files offer limited value as there is no way to influence the malware to access the area containing the monitored files.

URLhttp://ieeexplore.ieee.org/document/7600214/
DOI10.1109/CCC.2016.14
Citation Keymoore_detecting_2016