On Deception-Based Protection Against Cryptographic Ransomware
Ziya Alper Genç, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019
Ransomware Threat
1
Deception-Based Anti-Ransomware
In the context of ransomware, Deception = Decoy. Decoys are fictitious files placed among the user's files that are never supposed to be written to. Any write event on a decoy file therefore indicates ransomware activity.
2
Overview of Decoy File-Based Defense
Advantages: accurate detection; real-time protection; low overhead.
Requirements: security (the decoys must mimic the user's files); usability (the decoys must not interfere with the user).
Question: How can we assess the efficiency of a decoy strategy?
3
Deception-Based Anti-Ransomware Systems
CRYPTOSTOPPER: decoy files, triggered on write.
RWGUARD: behavioral analysis, API hooking, decoy files.
R-LOCKER: decoy files, triggered on read.
4
Detecting Static Decoys through Heuristics
Algorithm 1 ANTISTATIC: Collect files that are not hidden or not filled with zero bytes.
 1: function COLLECT(path)                  ▷ Directory of files to scan.
 2:   FileList ← EnumerateFiles(path)
 3:   GenuineList ← ∅
 4:   for all f ∈ FileList do
 5:     if IsHidden(f) then
 6:       allNull ← True
 7:       while not EOF do
 8:         b ← f.ReadByte()
 9:         if b ≠ 0 then
10:           allNull ← False
11:           break                         ▷ f might not be decoy, try next file.
12:       if allNull = False then           ▷ Hidden and all-zero: treated as a static decoy and skipped.
13:         GenuineList ← GenuineList ∪ {f}
14:     else                                ▷ Not hidden: kept as genuine.
15:       GenuineList ← GenuineList ∪ {f}
16:   return GenuineList
5
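The heuristic of Algorithm 1, as an added example written for this page (not the paper's code), in the form a defender would use it: an audit that scans a directory and reports which files a "hidden and all-zero" test would single out as static decoys, so a decoy strategy can be checked for this trivial weakness before deployment. The sample directory is constructed inside the script; the hidden-file test accepts the Windows FILE_ATTRIBUTE_HIDDEN flag and, as a portability assumption, a leading dot in the file name.

```python
import stat
import sys
import tempfile
from pathlib import Path

# Added example for this page, not code from the paper: an audit of the
# ANTISTATIC heuristic (Algorithm 1) over a constructed sample directory.


def is_hidden(path: Path) -> bool:
    """Hidden-file test: Windows FILE_ATTRIBUTE_HIDDEN, or a leading dot
    (the dot rule is an assumption made so the example runs on any OS)."""
    if path.name.startswith("."):
        return True
    if sys.platform == "win32":
        return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return False


def is_all_zero(path: Path, chunk_size: int = 65536) -> bool:
    """True when every byte of the file is 0x00 (an empty file counts as all-zero).
    Reads in chunks and stops at the first non-zero byte, like the break in Algorithm 1."""
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def collect(path) -> list:
    """COLLECT(path) from Algorithm 1: names of the regular files in `path`
    that are NOT both hidden and all-zero, sorted for determinism."""
    genuine = []
    for entry in sorted(Path(path).iterdir()):
        if not entry.is_file():
            continue
        if is_hidden(entry) and is_all_zero(entry):
            continue  # hidden + zero-filled: treated as a static decoy and skipped
        genuine.append(entry.name)
    return genuine


def suspected_static_decoys(path) -> list:
    """Complement of collect(): the files the heuristic would flag as decoys."""
    genuine = set(collect(path))
    return sorted(e.name for e in Path(path).iterdir()
                  if e.is_file() and e.name not in genuine)


def build_sample_dir() -> str:
    """Constructed sample directory (not real user data) with four files."""
    d = tempfile.mkdtemp(prefix="decoy-audit-")
    Path(d, ".decoy0").write_bytes(b"\x00" * 4096)          # hidden + all-zero: flagged
    Path(d, ".hidden_config").write_bytes(b"[ui]\nok=1\n")  # hidden, real content: kept
    Path(d, "zeros.bin").write_bytes(b"\x00" * 1024)        # all-zero but visible: kept
    Path(d, "report.txt").write_bytes(b"Q2 numbers\n")      # ordinary file: kept
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print("genuine:", collect(sample))
    print("suspected static decoys:", suspected_static_decoys(sample))
```

Only the hidden, zero-filled file is flagged; a hidden file with real content and a visible zero-filled file both survive, which is exactly the boundary Algorithm 1 draws. A decoy generator that wants to resist this test therefore has to produce decoys that are either visible or carry plausible content.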
DEMO
6
Quality of a Decoy Generator
Let A be a ransomware, D the set of files generated by a decoy strategy g, F = D ∪ ¬D, S ⊆ F a set of files, and n a natural number.

$$\Pr\big[\,|X^{g}_{A}(S)| = n\,\big] \qquad (1)$$

This is the probability that A encrypts n other files before encrypting one in S. For example, $\Pr\big[\,|X^{g}_{A}(D)| = 0\,\big] = 1$ indicates a good decoy file strategy, i.e., g fools A immediately. For CRYPTOSTOPPER, $\Pr\big[\,|X^{CS}_{\mathrm{Alg1}}(\neg D)| > 0\,\big] = 0$, i.e., an adversary using Algorithm 1 reaches a genuine file without ever touching a decoy.
7
Confoundedness
Let U be a user and D the set of decoy files generated according to a strategy g, F = D ∪ ¬D, and S ⊆ F a set of files.

$$\Pr\big[\,|Y^{g}_{U}(S)| = 1\,\big] \qquad (2)$$

This is the probability that U accesses a file in S within a working session. For example, $\Pr\big[\,|Y^{g}_{U}(D)| = 1\,\big] = 0$ means that U never gets confused by the decoys.
8
File Attributes on NTFS
Table 1: Selected attributes for NTFS files.
Standard Information ($STANDARD_INFORMATION): file attributes such as read-only, archive, and so on; time stamps, including when the file was created or last modified.
File Name ($FILE_NAME): the file's name.
Data ($DATA): the contents of the file.
Attribute List ($ATTRIBUTE_LIST): list of the attributes that make up the file and the file record number.
9
Distinguishing Decoys Using Statistical Methods
Rowe¹ collected file attributes, including (i) file name; (ii) file size; (iii) file type; and (iv) last modification time. For a file system i, let µ_ik and σ_ik denote the mean and standard error of metric k. The difference between systems i and j is

$$s_{ij} = \frac{1}{72}\sum_{k=0}^{35}\left(\frac{|\mu_{ik}-\mu_{jk}|}{\sqrt{\sigma_{ik}^{2}+\sigma_{jk}^{2}}} + \frac{|\sigma_{ik}-\sigma_{jk}|}{2\sigma_{k}}\right) \qquad (3)$$

¹ Rowe, “Measuring the Effectiveness of Honeypot Counter-Counterdeception”.
10
Monitoring User to Reveal Non-decoy Files
Algorithm 2 Monitor User.
1: function MONITOR
2:   Exp ← FindProcess(Explorer)
3:   InjectProcess(Exp, SpyModule)
4:   GenList ← ∅
5:   while true do
6:     f ← Listen(SpyModule)
7:     GenList ← GenList ∪ {f}
8:   return GenList

Algorithm 3 Replace WriteFile.
1: function REPLACE
2:   PList ← EnumAllProcesses()
3:   for all p ∈ PList do
4:     InjectProcess(p, InterceptMod)
5:     wf ← GetFuncAddr(WriteFile)
6:     if wf ≠ NULL then
7:       Replace(wf, encFile)
8:   return Success
11
Theoretical Limits of Decoys
Consider an adversary A which can monitor the user's activity. Let [F]_U be the files that U accesses and cares about, i.e., would pay the ransom for. If g is perfectly usable, then its confoundedness is null, i.e., $\Pr\big[\,|Y^{g}_{U}(D)| = 1\,\big] = 0$. If A has observed [F]_U, then A can simply choose among the files in [F]_U. If instead $\Pr\big[\,|Y^{g}_{U}(D)| = 1\,\big] = p > 0$, which means that [F]_U ∩ D ≠ ∅, assume that A picks a target file in [F]_U at random. Then A has a

$$\frac{|[F]_U \cap \neg D|}{|[F]_U|}\cdot p + (1-p)$$

chance of picking a good (non-decoy) file. If p is negligible, A still has a good chance. If p is significant, then U accesses decoy files, which goes against usability. What if A employs a better strategy?
12
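The quality metric (1) from the "Quality of a Decoy Generator" slide and the good-pick estimate from the "Theoretical Limits" slide, worked out on constructed file sets as an added example (not code from the paper). It goes slightly beyond the slides: for an adversary that encrypts files in uniformly random order it gives the exact distribution of |X_A(D)|, its expectation n_genuine / (n_decoy + 1), and the number of decoys needed to keep the expected loss under a target, which is the kind of sizing question a defender deploying decoys actually faces. The file names and counts are assumptions for illustration.

```python
from fractions import Fraction
from math import ceil

# Added example for this page, not the paper's code: metric (1) and the
# theoretical-limits estimate evaluated on constructed file sets.

# Constructed file sets (assumptions for the example, not real data).
GENUINE = ["budget.xlsx", "thesis.docx", "photo.jpg"]   # the set ¬D
DECOYS = ["~decoy1.docx", "~decoy2.xlsx"]               # the set D
# An adversary that can perfectly tell decoys apart (as Algorithm 1 does
# against CRYPTOSTOPPER) encrypts every genuine file before any decoy.
DISCRIMINATING_ORDER = GENUINE + DECOYS


def files_before_first_hit(order, target) -> int:
    """|X_A(S)| for one concrete run: how many files A encrypts (in `order`)
    before the first file of S = `target`. Returns len(order) if S is never hit."""
    target = set(target)
    for n, f in enumerate(order):
        if f in target:
            return n
    return len(order)


def prob_random_adversary(n_genuine: int, n_decoy: int, n: int) -> Fraction:
    """Pr[|X_A(D)| = n] for an adversary that encrypts files in uniformly random
    order without replacement: the first n picks are genuine, the (n+1)-th is a decoy."""
    total = n_genuine + n_decoy
    if n_decoy == 0:                       # no decoys: A encrypts everything unhindered
        return Fraction(int(n == n_genuine))
    if n < 0 or n > n_genuine:
        return Fraction(0)
    p = Fraction(1)
    for i in range(n):
        p *= Fraction(n_genuine - i, total - i)
    return p * Fraction(n_decoy, total - n)


def expected_files_lost(n_genuine: int, n_decoy: int) -> Fraction:
    """E[|X_A(D)|] for the random adversary; equals n_genuine / (n_decoy + 1)."""
    return sum((n * prob_random_adversary(n_genuine, n_decoy, n)
                for n in range(n_genuine + 1)), Fraction(0))


def decoys_for_expected_loss(n_genuine: int, max_loss) -> int:
    """Smallest number of decoys K with n_genuine / (K + 1) <= max_loss,
    obtained by rearranging the closed form of expected_files_lost()."""
    return max(0, ceil(Fraction(n_genuine) / Fraction(max_loss)) - 1)


def good_pick_chance(fu_size: int, fu_decoys: int, p) -> Fraction:
    """Theoretical-limits slide: chance that a random pick from [F]_U is a
    non-decoy file when the user touches decoys with probability p."""
    p = Fraction(p)
    return Fraction(fu_size - fu_decoys, fu_size) * p + (1 - p)


if __name__ == "__main__":
    print("perfect discriminator, files lost before first decoy:",
          files_before_first_hit(DISCRIMINATING_ORDER, DECOYS))
    for k in (1, 5, 10, 50):
        print(f"random adversary, 100 genuine files, {k} decoys:",
              f"E[lost] = {float(expected_files_lost(100, k)):.2f}")
    print("decoys needed to keep E[lost] <= 1 among 1000 files:",
          decoys_for_expected_loss(1000, 1))
```

Two things the numbers make visible: against a discriminating adversary the decoy count is irrelevant (every genuine file is lost before the first decoy is touched, matching Pr[|X(¬D)| > 0] = 0 for Algorithm 1), while against a random-order adversary the expected loss falls only as 1/(K+1), so keeping it near zero requires almost as many decoys as genuine files, which is precisely where the usability term (2) starts to bite.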
Conclusions and Future Work
Decoy-based anti-ransomware is a promising defense strategy. Experimental results show that more research is needed, especially on generating decoy files. The non-interference of decoy files with the user's work should be examined. Research challenge: find the right balance between security and usability, i.e., being effective while not confusing the user.
13
ziya.genc@uni.lu