
Differential Area Analysis for Ransomware: Attacks, Countermeasures, and Limitations

Marco Venturini, Francesco Freda, Emanuele Miotto, Mauro Conti, Alberto Giaretta

TL;DR

This work investigates Differential Area Analysis (DAA), a header-entropy-based ransomware detector, and demonstrates that malicious header manipulations can degrade DAA’s performance. It presents three header-edit attacks and three corresponding countermeasures (2F, 3F, 4F), showing that the countermeasures restore detection accuracy on attack data from about 64% back up to ~92%, while incurring modest time overhead. On the original dataset, the mitigations maintain strong detection but with slightly reduced metrics and some variability across file types. The study highlights that entropy remains a valuable signal when its analysis is broadened to multiple random fragments, though practical deployment requires addressing limitations and edge cases, such as certain file types and upstream defenses.

Abstract

Crypto-ransomware attacks have been a growing threat over the last few years. The goal of every ransomware strain is to encrypt user data so that the attackers can later demand a ransom from users for unlocking it. To maximise their earning chances, attackers equip their ransomware with strong encryption, which produces files with high entropy values. Davies et al. proposed Differential Area Analysis (DAA), a technique that analyses file headers to differentiate compressed, regularly encrypted, and ransomware-encrypted files. In this paper, we first propose three different attacks that perform malicious header manipulation to bypass DAA detection. Then, we propose three countermeasures, namely 2-Fragments (2F), 3-Fragments (3F), and 4-Fragments (4F), which apply equally against each of the three attacks we propose. We conduct a number of experiments to analyse the ability of our countermeasures to detect ransomware-encrypted files, whether or not those files implement our proposed attacks. Lastly, we test the robustness of our own countermeasures by analysing their performance, in terms of files analysed per second, and their resilience to extensive injection of low-entropy data. Our results show that our detection countermeasures are viable and deployable alternatives to DAA.

Paper Structure (22 sections, 2 equations, 12 figures, 4 tables, 2 algorithms)

Figures (12)

  • Figure 1: On the left, in the green box, the first 256 bytes of a legitimate PDF file. On the right, in the blue box, the first 256 bytes of a pseudo-random file.
  • Figure 2: The green curve shows the entropy analysis of a legitimate PDF file, performed in incremental steps, as done by Davies et al. [davies]. The blue curve shows the result of the same process performed on a pseudo-random file, similar to the ones produced by ransomware. The grey area between the two lines is the differential area, as proposed by Davies et al. with their DAA approach.
  • Figure 3: DAA classification accuracy results, applied to the original dataset and the attack dataset that we created.
  • Figure 4: Example entropy values for a random file, a ransomware-encrypted file, and three ransomware-encrypted files with low-H modification, rep-bytes modification, and com-seq modification, respectively.
  • Figure 5: Some byte fragments of length 80 inside a normal PDF file that may be chosen by the 3F algorithm: the header fragment (blue one), and the two random fragments (red and green ones).
  • ...and 7 more figures
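The detector and the countermeasures described above, reconstructed as an added Python example (not the authors' code): the incremental header-entropy curve of Figure 2 compared against a pseudo-random reference, plain DAA judging the first 256 bytes (Figure 1), and an nF variant that also samples 80-byte fragments outside the header (Figure 5). The step size, the span-normalised area, the 0.5-bit threshold, the voting rule and the constructed sample files are all assumptions; this page does not give the original DAA parameters.

```python
import math
import random

HEADER_LEN = 256     # DAA inspects the first 256 bytes of a file (Figure 1)
FRAG_LEN = 80        # fragment length used by the nF countermeasures (Figure 5)
STEP = 16            # step of the incremental entropy analysis; our assumption, the page gives none
GAP_THRESHOLD = 0.5  # mean entropy gap (bits/byte) below which a fragment looks random; our assumption

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def entropy_curve(data: bytes, step: int = STEP) -> list[float]:
    """Entropy of the first k bytes for k = step, 2*step, ...: the curves of Figure 2."""
    return [shannon_entropy(data[:k]) for k in range(step, len(data) + 1, step)]

def differential_area(data: bytes) -> float:
    """Trapezoid area between the fragment's curve and that of an equally long pseudo-random
    reference, divided by the span so fragments of different lengths compare (our normalisation)."""
    reference = random.Random(0).randbytes(len(data))  # deterministic stand-in for the random file
    gaps = [abs(a - b) for a, b in zip(entropy_curve(data), entropy_curve(reference))]
    if len(gaps) < 2: return gaps[0] if gaps else 0.0  # fewer than two points: no area to take
    return sum((gaps[i] + gaps[i + 1]) / 2 for i in range(len(gaps) - 1)) / (len(gaps) - 1)

def daa_looks_encrypted(data: bytes) -> bool:
    """Plain DAA: the verdict rests on the header alone."""
    return differential_area(data[:HEADER_LEN]) < GAP_THRESHOLD

def nf_looks_encrypted(data: bytes, n_fragments: int, seed: int = 0) -> bool:
    """nF countermeasure (2F/3F/4F): header fragment plus n-1 fragments at random offsets past the
    header; flag when at least half of the fragments look random (the voting rule is ours)."""
    rng = random.Random(seed)
    frags = [data[:FRAG_LEN]]
    last_offset = len(data) - FRAG_LEN
    for _ in range(n_fragments - 1):
        if last_offset > HEADER_LEN:  # files too short for a body fragment keep the header alone
            off = rng.randint(HEADER_LEN, last_offset)
            frags.append(data[off:off + FRAG_LEN])
    random_like = sum(differential_area(f) < GAP_THRESHOLD for f in frags)
    return 2 * random_like >= len(frags)

# Constructed samples: text-only PDF skeleton, pseudo-random "encrypted" file, and the latter with a low-entropy header
PDF_OBJECTS = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n2 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n"
LEGIT_PDF = (PDF_OBJECTS * 40)[:4096]
ENCRYPTED = random.Random(7).randbytes(4096)
ATTACKED = LEGIT_PDF[:HEADER_LEN] + ENCRYPTED[HEADER_LEN:]
```

With these samples, header-only DAA passes the attacked file while 3F still flags it, because two of its three fragments come from the high-entropy body.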