
Crypto-Ransomware and Their Defenses: In-depth Behavioral Characterization, Discussion of Deployability, and New Insights

Wenjia Song, Sanjula Karanam, Ya Xiao, Jingyuan Qi, Nathan Dautenhahn, Na Meng, Elena Ferrari, Danfeng Yao

TL;DR

This study reviews 117 published ransomware defense works, categorizes them by the level at which they are implemented, discusses their deployability, and presents a possible future detection direction based on a consistency analysis and API-contrast-based refinement.

Abstract

Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been conducted on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level at which they are implemented, and discuss their deployability. API-based solutions are easy to deploy, and most existing works focus on machine learning-based classification. To provide more insights, we quantitatively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Paper Structure (31 sections, 10 equations, 6 figures, 18 tables)

Figures (6)

  • Figure 1: API call statistics of executing ransomware samples (top) and benign software (bottom). The x-axis is the timestamp during execution and the y-axis shows the number of calls. If no call is made during a second, then it is not shown in the figures. Ransomware uses intensive crypto and file API calls during execution with a distinctive pattern. The same colors represent the same APIs across subfigures.
  • Figure 2: Example of LockBit code that dynamically resolves libraries.
  • Figure 3: Classification results using different methods and models. Each green dot (top row) represents a benign software sample and each orange dot (bottom row) represents a ransomware sample. The dotted blue line is a boundary drawn to help visualize how well the two classes separate. The precision and recall shown in the figures are based on the chosen boundary and are in terms of the ransomware class.
  • Figure 4: Git's file API frequency (false positive)
  • Figure 5: API contrast scores of ransomware and benign samples.
  • ...and 1 more figure