SLIDE 1

SLIDE 2

Ransom: Money that is paid in order to free someone who has been captured or kidnapped. (Merriam-Webster)

Ransomware: Malware designed to block access to a computer system, files, screen, disk, etc. until the requested amount of money is paid.

SLIDE 3

First Ransomware Virus:

AIDS Trojan (1989)

Recent years:

  • Locky
  • Cerber
  • CryptXXX 3.0
  • Dogspectus

SLIDE 4

Two major types:

  • Locker ransomware (computer locker)

Denies access to the computer or device as a whole

  • Crypto ransomware (data locker)

Denies access to the user's files or data

SLIDE 5
  • Persistent desktop message
  • Indiscriminate encryption and deletion of the user's private files
  • Selective encryption and deletion of the user's private files based on certain attributes

SLIDE 6
  • Detecting File Lockers
  • Detecting Screen Lockers
SLIDE 7
  • Generating Artificial User Environments
  • Filesystem Activity Monitor
      • I/O Data Buffer Entropy
      • Constructing Access Patterns

SLIDE 8

Different strategies on ransomware families

SLIDE 9
  • Taking automatic screenshots to detect screen-locking ransomware
  • Measuring the structural similarity of two screenshots by comparing their local patterns
  • Closing open windows before taking screenshots, so that only persistent changes are compared and ordinary application windows do not cause false positives
  • Extracting the text within the changed area
SLIDE 10

Generating User Environments

  • Valid Content
  • File Path
  • Time Attributes
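The three properties listed on this slide can be demonstrated with a small generator. The following is an added example, not UNVEIL's own code: it fills a scratch directory with decoy files that start with a valid format header, sit under realistic user-profile paths, and carry back-dated, mutually consistent modification and access times. The format list, folder names, word list and timestamp ranges are assumptions made for the illustration.

```python
import os
import random
import tempfile
import time

# Minimal valid headers so a decoy opens as a real document rather than an empty stub.
# Assumed illustration: the slides only say "valid content", not which formats.
MAGIC = {
    ".pdf": b"%PDF-1.4\n",
    ".docx": b"PK\x03\x04",                       # OOXML is a zip container
    ".jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    ".txt": b"",
}
USER_DIRS = ["Documents", "Desktop", "Pictures", "Downloads"]   # assumed profile layout
WORDS = ["invoice", "budget", "photo", "notes", "thesis", "family", "tax", "resume"]
FILLER = b"Meeting notes, action items and a few numbers: 12, 48, 97. "
DAY = 86400.0


def make_temp_root():
    """Fresh scratch directory standing in for a VM's user profile."""
    return tempfile.mkdtemp(prefix="decoy_env_")


def generate_environment(root, n_files=20, seed=1, now=None):
    """Populate `root` with decoy files that have valid content, realistic paths and
    back-dated, mutually consistent time attributes. Returns a list of dicts."""
    rng = random.Random(seed)                    # seeded so a VM pool can be reproduced
    now = time.time() if now is None else now
    created = []
    for i in range(n_files):
        ext = rng.choice(list(MAGIC))
        folder = os.path.join(root, rng.choice(USER_DIRS))
        os.makedirs(folder, exist_ok=True)
        name = f"{rng.choice(WORDS)}_{rng.randint(2010, 2016)}_{i:02d}{ext}"
        path = os.path.join(folder, name)
        # Low-entropy body of a plausible size: if the decoy were random bytes, an
        # encryption pass would not change its entropy and could go unnoticed.
        body = MAGIC[ext] + FILLER * rng.randint(4, 400)
        with open(path, "wb") as fh:
            fh.write(body)
        # mtime somewhere in the last ~14 months; atime after mtime but never in the future.
        mtime = now - rng.uniform(1, 420) * DAY
        atime = min(now - 1, mtime + rng.uniform(0, 60) * DAY)
        os.utime(path, (atime, mtime))
        created.append({"path": path, "size": len(body), "mtime": mtime, "atime": atime})
    return created


def verify_environment(root, now=None):
    """Re-read the tree and check the three properties:
    (file count, every header valid, every file back-dated with atime >= mtime)."""
    now = time.time() if now is None else now
    count, valid, backdated = 0, True, True
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1]
            st = os.stat(path)                   # stat before reading so atime is untouched
            with open(path, "rb") as fh:
                head = fh.read(16)
            count += 1
            valid &= head.startswith(MAGIC.get(ext, b"\xff"))
            backdated &= st.st_mtime < now - DAY / 2 and st.st_atime >= st.st_mtime - 2
    return count, valid, backdated


if __name__ == "__main__":
    root = make_temp_root()
    for f in generate_environment(root, n_files=10, seed=42):
        stamp = time.strftime("%Y-%m-%d", time.localtime(f["mtime"]))
        print(f"{f['path']}  {f['size']} bytes  mtime={stamp}")
    print(verify_environment(root))
```

Creation time is deliberately not touched: on POSIX it cannot be set from user space, and on NTFS a monitor would set it through the Win32 API instead. Keeping the decoy bodies low-entropy matters for the I/O monitoring described later, since an encryption pass over already random bytes leaves the buffer entropy unchanged.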
SLIDE 11

Filesystem Activity Monitor

  • UNVEIL monitors filesystem I/O activity using a Windows filesystem minifilter driver
  • Monitoring and retrieving logs of the entire system
  • UNVEIL's monitor sets a callback on every I/O request to the filesystem
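What the monitor does with the callbacks is the subject of slide 7 (I/O data buffer entropy, constructing access patterns) and this slide. The following is an added example, not UNVEIL's own code: it computes the Shannon entropy of each write buffer and rebuilds per-process, per-file access patterns from a constructed I/O trace that stands in for the minifilter callbacks. The two patterns it counts (overwrite in place with high-entropy data; read, encrypt to another path, delete the original), the entropy threshold and the minimum file count are assumptions for the illustration, not values from the slides.

```python
import math
from collections import defaultdict

# Assumed thresholds for this illustration (not values from the slides).
HIGH_ENTROPY_BITS = 7.0   # per-byte Shannon entropy; ciphertext is close to 8, text around 4-5
MIN_SUSPICIOUS_FILES = 3  # raise an alert only once several files show the pattern


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of an I/O data buffer (0.0 for an empty buffer, 8.0 at most)."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_access_patterns(events):
    """Group the I/O trace by process and record, per file, what the process did.

    events: iterable of (pid, op, path, buf) with op in {'read', 'write', 'delete'};
    buf is the data buffer of a write and b'' otherwise.
    Returns {pid: {path: {'read': bool, 'high_entropy_write': bool, 'deleted': bool}}}.
    """
    patterns = defaultdict(lambda: defaultdict(lambda: {
        "read": False, "high_entropy_write": False, "deleted": False}))
    for pid, op, path, buf in events:
        rec = patterns[pid][path]
        if op == "read":
            rec["read"] = True
        elif op == "write":
            if shannon_entropy(buf) >= HIGH_ENTROPY_BITS:
                rec["high_entropy_write"] = True
        elif op == "delete":
            rec["deleted"] = True
    return patterns


def score_process(files):
    """Count the files one process handled in a ransomware-like way.

    * in-place overwrite: the file was read and then overwritten with high-entropy data;
    * encrypt-elsewhere-and-delete: the file was read and deleted while the same process
      wrote high-entropy data to some other path (the encrypted copy).
    Reading many files and writing one high-entropy output without deleting the originals
    (an archiver, for instance) does not count, which keeps such benign tools below threshold.
    """
    wrote_high_entropy_somewhere = any(r["high_entropy_write"] for r in files.values())
    suspicious = 0
    for rec in files.values():
        if rec["read"] and rec["high_entropy_write"]:
            suspicious += 1
        elif rec["read"] and rec["deleted"] and wrote_high_entropy_somewhere:
            suspicious += 1
    return suspicious


def detect(events):
    """Return {pid: (suspicious_file_count, flagged)} for every process in the trace."""
    result = {}
    for pid, files in build_access_patterns(events).items():
        s = score_process(files)
        result[pid] = (s, s >= MIN_SUSPICIOUS_FILES)
    return result


# Constructed trace standing in for minifilter callbacks (not data from the paper).
CIPHERTEXT = bytes(range(256)) * 16          # every byte value equally likely: entropy 8.0
PLAINTEXT = b"Quarterly report, draft 3. Revenue grew modestly. " * 80

SAMPLE_TRACE = []
# pid 100: file locker. Overwrites three documents in place, encrypts three more to
# new .locked files and deletes the originals.
for i in range(3):
    SAMPLE_TRACE += [(100, "read", f"C:/Users/u/Docs/a{i}.docx", b""),
                     (100, "write", f"C:/Users/u/Docs/a{i}.docx", CIPHERTEXT)]
for i in range(3):
    SAMPLE_TRACE += [(100, "read", f"C:/Users/u/Docs/b{i}.xlsx", b""),
                     (100, "write", f"C:/Users/u/Docs/b{i}.xlsx.locked", CIPHERTEXT),
                     (100, "delete", f"C:/Users/u/Docs/b{i}.xlsx", b"")]
# pid 200: word processor saving a document (low-entropy write in place).
SAMPLE_TRACE += [(200, "read", "C:/Users/u/Docs/notes.txt", b""),
                 (200, "write", "C:/Users/u/Docs/notes.txt", PLAINTEXT)]
# pid 300: archiver reading six photos and writing one compressed (high-entropy)
# archive while leaving the originals in place.
for i in range(6):
    SAMPLE_TRACE.append((300, "read", f"C:/Users/u/Photos/p{i}.jpg", b""))
SAMPLE_TRACE.append((300, "write", "C:/Users/u/Photos/backup.7z", CIPHERTEXT))

if __name__ == "__main__":
    for pid, (count, flagged) in sorted(detect(SAMPLE_TRACE).items()):
        print(f"pid {pid}: {count} ransomware-like file accesses, flagged={flagged}")
```

The archiver case is the one to watch when tuning: compression and encryption both produce high-entropy writes, so entropy alone would flag it, and it is the access pattern (originals kept, one output) that separates it from the locker. Partial-file encryption, mentioned on the last slide, weakens the entropy signal because only a fraction of each write buffer is ciphertext.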
SLIDE 12

Desktop Lock Monitor

  • Captures screenshots from outside the dynamic analysis environment
  • Converts each image to floating-point data, then calculates the similarity parameters
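The comparison step on this slide and on slide 9 (structural similarity from local patterns of two screenshots) can be shown end to end in pure Python. The following is an added example, not UNVEIL's own code: it implements the SSIM index (Wang et al., 2004) over non-overlapping local windows of grayscale images converted to floats, and a `screen_locked` decision that looks for a change which persists across two successive captures but does not resemble the pre-execution desktop. The 16x16 images, the window size and the two thresholds are constructed for the illustration.

```python
# Pure-Python structural similarity (SSIM) over local windows, applied to toy
# grayscale "screenshots" to decide whether the desktop has been replaced by a
# persistent full-screen message.

C1 = (0.01 * 255) ** 2      # SSIM stabilisers for 8-bit images
C2 = (0.03 * 255) ** 2
WINDOW = 4                  # local pattern size; real screenshots use larger windows


def _window_ssim(a, b):
    """SSIM of two equally sized lists of floats (one local window each)."""
    n = len(a)
    mu_a = sum(a) / n
    mu_b = sum(b) / n
    da = [x - mu_a for x in a]
    db = [y - mu_b for y in b]
    var_a = sum(x * x for x in da) / (n - 1)
    var_b = sum(y * y for y in db) / (n - 1)
    cov = sum(x * y for x, y in zip(da, db)) / (n - 1)
    return ((2 * mu_a * mu_b + C1) * (2 * cov + C2)) / (
        (mu_a * mu_a + mu_b * mu_b + C1) * (var_a + var_b + C2))


def ssim(img_a, img_b, window=WINDOW):
    """Mean SSIM over non-overlapping windows. Images are lists of rows of 0..255
    ints with identical shape; pixel values are converted to float first."""
    h, w = len(img_a), len(img_a[0])
    if (h, w) != (len(img_b), len(img_b[0])):
        raise ValueError("screenshots must have the same resolution")
    scores = []
    for y in range(0, h - window + 1, window):
        for x in range(0, w - window + 1, window):
            wa = [float(img_a[j][i]) for j in range(y, y + window) for i in range(x, x + window)]
            wb = [float(img_b[j][i]) for j in range(y, y + window) for i in range(x, x + window)]
            scores.append(_window_ssim(wa, wb))
    return sum(scores) / len(scores)


def screen_locked(baseline, shot, next_shot, persist=0.9, changed=0.5):
    """Flag a persistent screen change: two successive captures look alike (the
    message does not go away) while the first does not resemble the pre-execution
    desktop. Thresholds are assumed for this illustration. A real monitor would
    first try to close open windows so a benign dialog is not mistaken for a lock."""
    return ssim(shot, next_shot) >= persist and ssim(baseline, shot) < changed


# Constructed 16x16 grayscale images (not real screenshots).
SIZE = 16
DESKTOP = [[12 * x + 4 * y for x in range(SIZE)] for y in range(SIZE)]   # wallpaper gradient
DESKTOP_CLOCK = [row[:] for row in DESKTOP]          # same desktop, clock digits changed
for _y in (0, 1):
    for _x in (14, 15):
        DESKTOP_CLOCK[_y][_x] = 255
LOCK_A = [[230 if 6 <= y <= 9 else 20 for x in range(SIZE)] for y in range(SIZE)]  # dark screen, text band
LOCK_B = [row[:] for row in LOCK_A]
LOCK_B[12][3] = 230                                  # blinking cursor in the next capture

if __name__ == "__main__":
    print("desktop vs desktop+clock :", round(ssim(DESKTOP, DESKTOP_CLOCK), 3))
    print("desktop vs lock screen   :", round(ssim(DESKTOP, LOCK_A), 3))
    print("lock A vs lock B         :", round(ssim(LOCK_A, LOCK_B), 3))
    print("locked after sample run? ", screen_locked(DESKTOP, LOCK_A, LOCK_B))
    print("locked on clock tick?    ", screen_locked(DESKTOP, DESKTOP_CLOCK, DESKTOP))
```

The clock-tick case shows why a local, windowed measure is used rather than a whole-image pixel difference: a few changed pixels lower the score of one window only, so the desktop still scores well above the persistence threshold and is not mistaken for a locked screen.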
SLIDE 13

Two experiments:

  • To show that the system can detect known ransomware samples
  • To show that UNVEIL can detect previously unknown ransomware samples

SLIDE 14

Experimental Setup

  • Build a prototype on top of Cuckoo Sandbox
  • Use 56 VMs running Windows XP SP3
  • Multiple NTFS drives on each VM
  • Take anti-evasion measures against popular sandbox-detection tricks
  • Permit controlled access to the Internet
SLIDE 15

Ground Truth (Labeled) Dataset

  • Filesystem activity of benign applications with potential ransomware-like behavior
  • Similarity threshold
SLIDE 16

Detecting Zero-Day Ransomware

  • Detection results
      • Evaluation of false positives
      • Evaluation of false negatives
  • Early warning
SLIDE 17

Limitations:

  • It is always possible that attackers find ways to fingerprint the automatically generated user environment and avoid it.
  • Malware might encrypt only part of a file rather than all of it, or make the file unreadable in some other way.
  • Text extraction can be improved.
  • Ransomware may run at kernel level.