to defend against encryption ransomware
play

to Defend Against Encryption Ransomware Jian Huang Jun Xu - PowerPoint PPT Presentation

Jan 10, 2024 •22 likes •772 views

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi Encryption Ransomware Is Becoming More Aggressive May 12,

  1. FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware Jian Huang † ‡ Jun Xu Xinyu Xing Peng Liu Moinuddin K. Qureshi † † ‡

  2. Encryption Ransomware Is Becoming More Aggressive May 12, 2017 2

  3. Encryption Ransomware Is Becoming More Aggressive May 12, 2017 230,000+ computers 150+ countries $300-$600 per ransom 2

  4. What Is Encryption Ransomware ? Destroy Ask for payments Encrypt files original files to decrypt files 3

  5. What Is Encryption Ransomware ? 3

  6. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted 3

  7. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted Pay ransom to recover user files 3

  8. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted Pay ransom to recover user files 3

  9. What Is Encryption Ransomware ? A ransom notification: users files have been encrypted Pay ransom to recover More ransom user files required if the payment is delayed 3

  10. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Maktub 10 22 Stampado 42 27 Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  11. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 How long does it take for Mobef 7 16 Maktub 10 22 ransomware to finish the attack ? Stampado 42 27 Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  12. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Maktub 10 22 Stampado 42 27 Ask for ransom quickly Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  13. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Maktub 10 22 Stampado 42 27 Cerber 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  14. Characteristics of Encryption Ransomware Family #Samples Attack Time (minutes) Backup Spoliation Petya 14 2 CTB-Locker 119 14 Jigsaw 5 16 Mobef 7 16 Many ransomware attempt Maktub 10 22 to delete backup files Stampado 42 27 Cerber ( and bypass User Access Control ) 29 37 Locky 344 43 7ev3n 16 44 TeslaCrypt 75 44 HydraCrypt 13 70 CryptoFortree 4 75 CrytoWall 799 75 4 Total 1477

  15. Why Existing Solutions Are Not Good Enough ? Malware detection 5

  16. Why Existing Solutions Are Not Good Enough ? Malware detection Damage has already happened when ransomware is detected 5

  17. Why Existing Solutions Are Not Good Enough ? Journaling & Malware detection log-structured FS 5

  18. Why Existing Solutions Are Not Good Enough ? Journaling & Malware detection log-structured FS Ransomware with kernel privilege can destroy data backups 5

  19. Why Existing Solutions Are Not Good Enough ? Journaling & Networked & Malware detection log-structured FS Cloud Storage 5

  20. Why Existing Solutions Are Not Good Enough ? Journaling & Networked & Malware detection log-structured FS Cloud Storage Increased storage cost & can be stopped by ransomware 5

  21. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Disk Flash Translation Layer NAND Flash 6

  22. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Disk Flash Translation Layer NAND Flash 6

  23. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Our Goal: defend against encryption ransomware without relying on software-based solutions & Disk Flash Translation Layer without explicit data backups NAND Flash 6

  24. Threat Model of Encryption Ransomware Application userspace kernel Block Driver read/write Block I/O Interface Disk Flash Translation Layer NAND Flash Hard Disk Drive Flash-based SSD 6

  25. Flash Performs Better Than Hard Disk Drive No Seek Latency 40 x lower latency 7

  26. Flash Performs Better Than Hard Disk Drive No Seek Increased Latency Parallelism Dozens of 40 x lower latency parallel chips 7

  27. Flash Performs Better Than Hard Disk Drive No Seek Increased Became Latency Parallelism Commodity Dozens of 40 x lower latency Less than $ 0.2 /GB parallel chips 7

  28. Flash Performs Better Than Hard Disk Drive No Seek Increased Became Latency Parallelism Commodity Dozens of 40 x lower latency Less than $ 0.2 /GB parallel chips Significant improvements on Flash 7

  29. How Flash Is Used Today ? Application File System Flash-based Disk 8

  30. How Flash Is Used Today ? Application File System Flash Translation Layer Flash 8

  31. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update A 8

  32. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update Write A 8

  33. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update Write A A B 8

  34. How Flash Is Used Today ? Application File System Flash Translation Layer Flash Out-of-Place Update Write Garbage Collection A A B 8

  35. FlashGuard: Leveraging Intrinsic Flash Properties Application userspace kernel Block Driver read/write Block I/O Interface Flash-based SSD Flash Translation Layer Flash 9

  36. FlashGuard: Leveraging Intrinsic Flash Properties Application userspace kernel Block Driver read/write Block I/O Interface Flash Translation Layer Flash 9

  37. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite A Overwrite on SSD 10

  38. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite A A B Overwrite on SSD 10

  39. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite A A A B Overwrite on SSD Overwrite on HDD 10

  40. Retaining Data in SSDs without Hardware Modification Overwrite a block Overwrite Overwrite A A B A B Overwrite on SSD Overwrite on HDD 10

  41. Retaining Data in SSDs without Hardware Modification Retaining all the invalid pages Overwrite a block (stale data) is expensive Overwrite Overwrite A A B A B Overwrite on SSD Overwrite on HDD 10

  42. Retaining Data in SSDs without Hardware Modification Retaining all the invalid pages Overwrite a block (stale data) is expensive Overwrite Overwrite A A B A B Overwrite on SSD Overwrite on HDD Only retain the invalid pages caused by encryption ransomware 10

  43. FlashGuard: A Ransomware-Aware SSD File Read Encrypt Overwrite File Read Encrypt Write new files Delete/Overwrite 11

  44. FlashGuard: A Ransomware-Aware SSD Read Overwrite File Read Encrypt Overwrite Read File Overwrite Read Encrypt Write new files Delete/Overwrite 11

  45. FlashGuard: A Ransomware-Aware SSD Read Overwrite File Read Encrypt Overwrite Read File Overwrite Read Encrypt Write new files Delete/Overwrite FlashGuard only retains invalid pages that have been read for a certain period of time 11

  46. FlashGuard: A Ransomware-Aware SSD Read Write Read-Overwrite 100% Ratio of different IO operations 80% 60% 40% 20% 0% University computers ( 20 days) Enterprise servers ( 6-10 days) 11

  47. FlashGuard: A Ransomware-Aware SSD Read Write Read-Overwrite 100% Ratio of different IO operations 80% 60% 40% 20% 0% University computers ( 20 days) Enterprise servers ( 6-10 days) 11

  48. FlashGuard: A Ransomware-Aware SSD Read Write Read-Overwrite 100% Ratio of different IO operations 80% The data size is 60% relatively small (a few GBs) 40% 20% 0% University computers ( 20 days) Enterprise servers ( 6-10 days) 11

  49. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit The logical page address mapped to the physical page 12

  50. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit Previous physical page address for tracking all invalid pages 12

  51. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit Check how long the page has been retained 12

  52. Tracking Invalid Data with Out-of-Band Metadata Data OOB Metadata Flash Page LPA P-PPA Timestamp RIP Flash Block 4 Bytes 4 Bytes 4 Bytes 1 bit Identify whether this page is a retained invalid page 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new

Ransomware Overview Our analysis leads us to expect increased ransomware activity over 2016 (new attacker entrants, lower cost through kit automation, etc.) Take consumer and enterprise digital assets hostage using high- strength encryption

365 views • 18 slides
1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad

Geoff Hale 1 February 4, 2020 Ransomware works Who: Ransomware is a threat vector that is rife for bad actors, both criminal enterprises and nation-states have made use of ransomware. What: Ransomware is a type of malware that encrypts

358 views • 6 slides
Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more

X by Invincea Responding To Ransomware Ransomware Nightmares X by Invincea Ransomware is getting more sophisticated, and shifting to an enterprise threat Ransomware Nightmares X by Invincea To Pay Or Not To Pay? X by Invincea Your money or

780 views • 23 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN

Redemption: Real-Time Protection Against Ransomware at End-Hosts WRITTEN BY: PRESENTED BY: AMIN KHARRAZ NICHOLAS BURTON ENGIN KIRDA What is Ransomware? What is Ransomware? u Ransomware is malicious software that encrypts user data, and

718 views • 33 slides
Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of

Ransomware Eradication using Biomorphic Perimeterisation Introduction Types of Ransomware Technology Perspective and Attacked Devices Ransomware Economy Security Conditions Biomorphic Perimeterisation How to generate a

860 views • 61 slides
How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation

How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation

RD FYP 1 WORKSHOP 3 RD Proposal Presentation How to defend your proposal like professional Dr Dr. Reyas What is proposal presentation or proposal defend To defend your final year project work a) Comply with Bachelor or Diploma

436 views • 33 slides
Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that

Update on Ransomware Technology 60 Minutes Video ransomware ( noun) A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users files unless a ransom is paid.

517 views • 30 slides
Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy

Troubling Times: Ransomware Across Texas Deputy Chief Information Security Officer Andy Bennett 2019 Cybersecurity Awareness Month Event October 22, 2019 2019 Texas Headlines Ransomware Ransomware Cyber criminals holding your data and

450 views • 23 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How

How To Not Be A Victim Of Ransomware The thoughtful integration of healthcare and technology How Healthcare IT Differs From General IT Agenda The Growing Threat of Ransomware What You Can Do Today To Protect Your Business How Healthcare IT

440 views • 32 slides
.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

.NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend

1 .NET HIJACKING to DEFEND POWERSHELL AMANDA ROUSSEAU CanSecWest 2017 | .NET Hijacking to Defend PowerShell 2 MALWARE UNICORN Senior or Malware Researcher @ Endgame, Inc. Wo Works s as s a a Mal alware are Re Researc archer r at at

1.04k views • 47 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko

UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware Paul Weliczko https://arstechnica.com/information-technology/2012/11/mushrooming-growth-of-ransomware- extorts-5-million-a-year/

298 views • 13 slides
DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE

DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE

DUTY TO DEFEND BY JOHN R. CRAWFORD NO DUTY TO DEFEND WHEN INSURED FAILS TO GIVE TIMELY NOTICE Food Market Merchandising vs. Scottsdale Indemnity , 857 F.3d 783 (8 th Cir. 2017) Facts of Food Market January 13, 2014: former employer Robert

908 views • 19 slides
Precious metal recovery from nanowaste for sustainable nanotechnology: Current challenges and

Precious metal recovery from nanowaste for sustainable nanotechnology: Current challenges and

Precious metal recovery from nanowaste for sustainable nanotechnology: Current challenges and life cycle considerations Dr. Peter Vikesland Dr. Sean McGinnis Paramjeet Pati pvikes@vt.edu smcginn@vt.edu

1.01k views • 50 slides
and Criminal Justice Overview Substance Abuse and Mental Health Services Administration (SAMHSA)

and Criminal Justice Overview Substance Abuse and Mental Health Services Administration (SAMHSA)

SOAR (SSI/SSDI Outreach, Access, and Recovery) and Criminal Justice Overview Substance Abuse and Mental Health Services Administration (SAMHSA) SOAR Technical Assistance Center Policy Research Associates, Inc. May 22-25, 2019 Disclaimer The

580 views • 38 slides
Aries: A Transaction Recovery Method Slides modified by Rachel Pottinger from slides from

Aries: A Transaction Recovery Method Slides modified by Rachel Pottinger from slides from

Aries: A Transaction Recovery Method Slides modified by Rachel Pottinger from slides from Database Management Systems by Ramakrishnan and Gehrke ACID Properties A tomicity: Either all actions in the Xact occur, or none occur. C

871 views • 28 slides
Exploring Implicit Memory for Painless Password Recovery Tamara Denning ,* Kevin Bowers,*

Exploring Implicit Memory for Painless Password Recovery Tamara Denning ,* Kevin Bowers,*

Exploring Implicit Memory for Painless Password Recovery Tamara Denning ,* Kevin Bowers,* Marten van Dijk,* Ari Juels* *RSA Laboratories University of Washington Talk Goals Novel authentication concept is not implausible. Future

299 views • 12 slides
Force Stafford Act Recovery Funding Prepare + Prevent + Respond + Recover + Mitigate Stafford

Force Stafford Act Recovery Funding Prepare + Prevent + Respond + Recover + Mitigate Stafford

1 Prepare + Prevent + Respond + Recover + Mitigate Restore Louisiana Task Force Stafford Act Recovery Funding Prepare + Prevent + Respond + Recover + Mitigate Stafford Act Programs Individual Assistance (IA) Program Public Assistance

551 views • 11 slides
Multi-cancer mutual exclusivity analysis of genomic alterations Giovanni Ciriello Computational

Multi-cancer mutual exclusivity analysis of genomic alterations Giovanni Ciriello Computational

Multi-cancer mutual exclusivity analysis of genomic alterations Giovanni Ciriello Computational Biology - MSKCC TCGA Annual Symposium Washington DC, 2011 Mutually exclusive alterations in Cancer Recurrent genomic alterations target specific

425 views • 19 slides
The Real Time Image Guided HDR Brachytherapy for Prostate Cancer. Treatment Planning Bashar

The Real Time Image Guided HDR Brachytherapy for Prostate Cancer. Treatment Planning Bashar

The Real Time Image Guided HDR Brachytherapy for Prostate Cancer. Treatment Planning Bashar Al-Qaisieh Treatment Planning Objectives: Delivery of prescription dose to target volume and minimise dose to nearby normal tissues

773 views • 36 slides
Extractive Evidence Based Medicine Summarisation Based on Sentence-Specific Statistics Abeed

Extractive Evidence Based Medicine Summarisation Based on Sentence-Specific Statistics Abeed

Extractive Evidence Based Medicine Summarisation Based on Sentence-Specific Statistics Abeed Sarker 1 a 1 ecile Paris 2 Diego Moll C 1 Centre for Language Technology, Macquarie University, Sydney 2 CSIRO ICT Centre, Sydney CBMS 2012, Rome

314 views • 28 slides

More recommend