Exploiting Ransomware Paranoia for Execution Prevention

Exploiting Ransomware Paranoia for Execution Prevention
Slide Note
Embed
Share

This paper explores a novel approach to preventing ransomware execution by leveraging the paranoia inherent in ransomware creators. The focus is on suppressing ransomware execution, a technique not addressed by previous detection-based methods. By exploiting this unique angle, the proposed approach aims to enhance cybersecurity measures against ransomware threats.

  • Ransomware
  • Prevention
  • Execution
  • Cybersecurity
  • Paranoia
medidoc
medidoc Follow

Uploaded on Mar 14, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. EXPLOITING RANSOMWARE PARANOIA FOR EXECUTION PREVENTION Ali AlSabeh, Haidar Safa, Elias Bou-Harb, Jorge Crichigno Presented by: Ali AlSabeh IEEE International Conference on Communications 2020

  2. OVERVIEW Introduction Motivation Related Work Problem Statement Contribution Proposed Approach Evaluation and Results Conclusion and Future Work

  3. INTRODUCTION 3

  4. RANSOMWARE Increasingly devasting attack Locks and/or encrypts the victims machine Ask for a ransom to return encrypted data If you pay If you don t pay Pay and hope to get back your data Lose your data Count on backups 4

  5. MOTIVATION 5

  6. MOTIVATION 6

  7. RELATED WORK 7

  8. ANALYSIS TECHNIQUES Static analysis does not execute the sample and it is achieved by inspecting: Source code Assembly Executable file Dynamic analysis executes the sample in an isolated environment and records the generated activities such as: File access Memory access Registry access 8

  9. RANSOMWARE DETECTION TECHNIQUES BRIDEMAID Combination of static and dynamic analysis to detect ransomware in Android operating system UNVEIL Detects ransomware by creating an artificial, yet realistic execution environment that can detect file lockers and screen lockers NetConverse Detects ransomware from the generated network traffic using machine learning RansomFlare Combination of behavioral-based analysis and machine learning to detect ransomware 9

  10. PROBLEM STATEMENT 10

  11. PROBLEM STATEMENT The previous approaches devote their work to detect a ransomware from the behaviors it generates However, there is no prevention technique that suppresses the execution of ransomware In our paper, we work on preventing a contemporary ransomware sample from the environmental artifacts it executes prior to the attack. 11

  12. CONTRIBUTION 12

  13. CONTRIBUTION Exploring the behavior of contemporary ransomware by collecting relevant artifacts related to fingerprinting the execution environment Designing and developing a host-based approach which can detect and prevent contemporary ransomware through monitoring their paranoia Executing empirical evaluations using real ransomware datasets Training: 91% accuracy Testing: 84% accuracy 13

  14. PROPOSED APPROACH 14

  15. PROPOSED APPROACH GetWindowsDirectory EnumPrintersW EnumServicesStatusW C:\agent.py SystemBiosVersion 15

  16. DATASET COLLECTION The collected ransomware samples were from multiple sources The collected samples were inconsistent (file types, compatibility) and they lack metadata Using VirusTotal API, we did the following: Performed data cleaning to filter out incompatible samples w.r.t our execution environment Associated meta-data labels to map each ransomware sample to its corresponding family 16

  17. API MONITORING AND COLLECTING ENVIRONMENT ARTIFACTS To study the behavior of an application we monitored the called APIs using Microsoft Detour library The collected APIs were filtered to include the ones mainly related to environment fingerprinting 17

  18. MANAGING FALSE POSITIVES USING PRIORITIZED COLLECTED APIS To address false positives, the collected APIs were monitored against benign applications A rank is assigned to each API The more the API is called by evasive ransomware, the more its rank will be close to 10 Similarly, the more the API is called by benign applications, the less its rank will be 18

  19. MANAGING FALSE POSITIVES USING PRIORITIZED COLLECTED APIS Every monitored program will have a score that is initially zero and is incremented by the rank of each called API Once the score exceeds a threshold, the monitored program is killed 19

  20. EVALUATION AND RESULTS 20

  21. ENVIRONMENTAL SETUP Our approach is currently designed to operate solely on Windows operating system The approach was tested on virtual box running Windows 10 with 8 GB of RAM and 50 GB of hard disk space 117 ransomware samples from 30 different ransomware families (wannacry, cryptolocker, locky) 98 benign applications built-in Windows applications (notepad, chrome, Skype) Random applications marked as safe by Virus Total 21

  22. ENVIRONMENTAL SET UP 22

  23. TRAINING DATA During this phase, fingerprinting-related APIs were collected and ranked The scores of ransomware samples are relatively higher than that of benign samples Ransomware samples Benign samples 23

  24. THRESHOLD To differentiate between ransomware and benign samples, a threshold is set A threshold value of 21 has the best accuracy (91%) in the training data set This value is used as score limit in the testing phase 24

  25. TESTING DATA With zero-day ransomware samples, and a threshold value of 21, the accuracy was 84% False negative rate = 22% Due to the presence of non-evasive ransomware samples However, can be detect using a regular IDS Ransomware samples Benign samples 25

  26. CONCLUSION AND FUTURE WORK 26

  27. CONCLUSION We addressed evasive ransomware that perform environmental fingerprinting checks We explored fingerprinting artifacts on CPU, registries, memory We performed empirical evaluations and showed that our approach is capable of detecting and preventing evasive ransomware 27

  28. FUTURE WORK Conduct extensive evaluations on a broader set of samples and evasive APIs Explore deferring techniques to delay/suppress the execution of contemporary ransomware Enhance the developed prototype to make it more generic on various operating systems 28

  29. THANKS!

Related


Healthcare Executive's Guide to Ransomware Threats

Healthcare Executive's Guide to Ransomware Threats

basil
Progress in Prevention and Health Inequalities - Annual Report 2023-24

Progress in Prevention and Health Inequalities - Annual Report 2023-24

jimmy
DataSecurity Plus - Unified Data Visibility and Security Platform

DataSecurity Plus - Unified Data Visibility and Security Platform

abdiel
Comprehensive Guide to Penetration Testing Execution Standard (PTES)

Comprehensive Guide to Penetration Testing Execution Standard (PTES)

remus
The Neglected Provisions of Order XXI CPC, 1908

The Neglected Provisions of Order XXI CPC, 1908

sharon
Ransomware and Data Breaches in Public Libraries Analysis

Ransomware and Data Breaches in Public Libraries Analysis

cinder
Cybersecurity Solutions to Protect Against Ransomware Attacks

Cybersecurity Solutions to Protect Against Ransomware Attacks

Will1
Cognitive Behavioral Therapy for Psychosis: Concepts and Applications

Cognitive Behavioral Therapy for Psychosis: Concepts and Applications

maribel
Analysis of Ideology in Thomas Pynchon's

Analysis of Ideology in Thomas Pynchon's "The Crying of Lot 49

abdulka
Modes of Execution of Decree in Civil Law

Modes of Execution of Decree in Civil Law

jilh
Cannabis: Effects, Risks, and Harm Reduction

Cannabis: Effects, Risks, and Harm Reduction

hnur
Analyzing Themes and Devices in The Crucible for Modern Societal Reflections

Analyzing Themes and Devices in The Crucible for Modern Societal Reflections

faul_l
Secure and Efficient Multi-Variant Execution in Distributed Settings

Secure and Efficient Multi-Variant Execution in Distributed Settings

tyro_79
Crack Cocaine: Effects, Risks, and Usage

Crack Cocaine: Effects, Risks, and Usage

agu_pek
Protecting Your Business from Cybersecurity Threats

Protecting Your Business from Cybersecurity Threats

asia_413
Analyzing Paranoia and Its Psychological Effects in Macbeth

Analyzing Paranoia and Its Psychological Effects in Macbeth

mviva
The Impact of the Red Scare and McCarthyism on American Society

The Impact of the Red Scare and McCarthyism on American Society

quer_sna
Schizophrenia: Symptoms and Definitions

Schizophrenia: Symptoms and Definitions

duke_ven
Processes in Operating Systems - ECE344 Lecture 3 Summary

Processes in Operating Systems - ECE344 Lecture 3 Summary

kati_32
Assessment of HIV Prevention Programme Needs and Barriers in Ghana

Assessment of HIV Prevention Programme Needs and Barriers in Ghana

jou_h
InvisiSpec: Making Speculative Execution Invisible

InvisiSpec: Making Speculative Execution Invisible

tcoz
Stack Protection and Exploitation Techniques

Stack Protection and Exploitation Techniques

dsus

More Related Content