CanCal: Towards Real-time and Lightweight Ransomware Detection and Response in Industrial Environments

TL;DR

CanCal addresses the need for real-time, scalable ransomware defense in industrial settings by integrating lightweight, selective monitoring with decoy files and ransom-note semantics, paired with a multi-granularity behavior detector trained via a gradient-boosted tree ensemble. The framework reduces overhead and alert fatigue while maintaining high detection rates, achieving a test-time TPR of 99.65% and an ultralow FPR, with inference times around 30 ms and response within 3 seconds. It has been deployed commercially across millions of endpoints, thwarting dozens of real-world attacks and blocking both known and zero-day variants in practice. These results demonstrate CanCal’s practicality and robustness for protecting critical industrial infrastructure against evolving ransomware threats.

Abstract

Ransomware attacks have emerged as one of the most significant cybersecurity threats. Despite numerous proposed detection and defense methods, existing approaches face two fundamental limitations in large-scale industrial applications: intolerable system overheads and notorious alert fatigue. To address these challenges, we propose CanCal, a real-time and lightweight ransomware detection system. Specifically, CanCal selectively filters suspicious processes by the monitoring layers and then performs in-depth behavioral analysis to isolate ransomware activities from benign operations, minimizing alert fatigue while ensuring lightweight computational and storage overhead. The experimental results on a large-scale industrial environment~(1,761 ransomware, ~3 million events, continuous test over 5 months) indicate that CanCal is as effective as state-of-the-art techniques while enabling rapid inference within 30ms and real-time response within a maximum of 3 seconds. CanCal dramatically reduces average CPU utilization by 91.04% (from 6.7% to 0.6%) and peak CPU utilization by 76.69% (from 26.6% to 6.2%), while avoiding 76.50% (from 3,192 to 750) of the inspection efforts from security analysts. By the time of this writing, CanCal has been integrated into a commercial product and successfully deployed on 3.32 million endpoints for over a year. From March 2023 to April 2024, CanCal successfully detected and thwarted 61 ransomware attacks, demonstrating the effectiveness of CanCal in combating sophisticated ransomware threats in real-world scenarios.

Figures (9)

• Figure 1: Overall architecture of CanCal.
• Figure 2: An example of the ransom note.
• Figure 3: Sliding window of trigram method. It extracts three consecutive text words in the ransom note.
• Figure 4: An overview of the behavioral engine with multi-granularity features. The engine includes five main modules: (1) Behavior log collection module: records the process activities; (2) Behavior graph construction module: converts the behavioral operations into a two-part "instruction-parameter" behavior graph; (3) Behavior pattern encoding module: encodes each behavioral operation into an embedded representation; (4) Expert knowledge feature module: extracts features based on expert experience; (5) Classifier module: performs ransomware classification using the decision tree algorithm.
• Figure 5: There are six distinct encryption modes, each characterized by different I/O access modes and encryption suffix names: (1) The attacker creates an encrypted file with the same suffix name and overwrites the original file. (2) This mode is distinguished from Mode#1 by creating encrypted files with random suffixes. (3) The attacker creates an encrypted file with the same suffix name and deletes the original file. (4) This mode is distinguished from Mode#3 by creating encrypted files with random suffix names. (5) The attacker creates an encrypted file with the same suffix name and smashes the original file. (6) This mode is distinguished from Mode#5 by creating encrypted files with random suffix names.