Visible to the public Exploiting Ransomware Paranoia For Execution Prevention

Submitted by aekwall on Tue, 08/31/2021 - 11:41am
TitleExploiting Ransomware Paranoia For Execution Prevention
Publication TypeConference Paper
Year of Publication2020
AuthorsAlSabeh, Ali, Safa, Haidar, Bou-Harb, Elias, Crichigno, Jorge
Conference NameICC 2020 - 2020 IEEE International Conference on Communications (ICC)
KeywordsAPI calls, composability, computer viruses, dynamic analysis, Encryption, Execution Prevention, Metrics, Monitoring, pubcrawl, ransomware, Resiliency
AbstractRansomware attacks cost businesses more than \$75 billion/year, and it is predicted to cost \$6 trillion/year by 2021. These numbers demonstrate the havoc produced by ransomware on a large number of sectors and urge security researches to tackle it. Several ransomware detection approaches have been proposed in the literature that interchange between static and dynamic analysis. Recently, ransomware attacks were shown to fingerprint the execution environment before they attack the system to counter dynamic analysis. In this paper, we exploit the behavior of contemporary ransomware to prevent its attack on real systems and thus avoid the loss of any data. We explore a set of ransomware-generated artifacts that are launched to sniff the surrounding. Furthermore, we design, develop, and evaluate an approach that monitors the behavior of a program by intercepting the called Windows APIs. Consequently, we determine in real-time if the program is trying to inspect its surrounding before the attack, and abort it immediately prior to the initiation of any malicious encryption or locking. Through empirical evaluations using real and recent ransomware samples, we study how ransomware and benign programs inspect the environment. Additionally, we demonstrate how to prevent ransomware with a low false positive rate. We make the developed approach available to the research community at large through GitHub to strongly promote cyber security defense operations and for wide-scale evaluations and enhancements.
DOI10.1109/ICC40277.2020.9149005
Citation Keyalsabeh_exploiting_2020
Groups: