Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks
Arash Mahboubi, Hamed Aboutorab, Seyit Camtepe, Hang Thanh Bui, Khanh Luong, Keyvan Ansari, Shenlu Wang, Bazara Barry
TL;DR
This work analyzes how ransomware adversaries dynamically evolve encryption strategies to evade storage-level defenses, focusing on entropy-based signals, partial and intermittent encryption, and memory-mapped I/O. It proposes online incremental learning, instantiated via a DeltaFile Guard integrated with a FUSE file system, to differentiate encrypted versus normal data in real time. Empirical results show Hoeffding Tree performs exceptionally with traditional encryption tactics, while Random Forest with warm-start excels at intermittent encryption, underscoring the need for task-tailored online methods. The study suggests a hybrid defense framework targeting endpoints and cloud storage with adaptive, low-resource online learning to mitigate evolving ransomware threats.
Abstract
In the rapidly evolving landscape of cybersecurity threats, ransomware represents a significant challenge. Attackers increasingly employ sophisticated encryption methods, such as entropy reduction through Base64 encoding, and partial or intermittent encryption to evade traditional detection methods. This study explores the dynamic battle between adversaries who continuously refine encryption strategies and defenders developing advanced countermeasures to protect vulnerable data. We investigate the application of online incremental machine learning algorithms designed to predict file encryption activities despite adversaries evolving obfuscation techniques. Our analysis utilizes an extensive dataset of 32.6 GB, comprising 11,928 files across multiple formats, including Microsoft Word documents (doc), PowerPoint presentations (ppt), Excel spreadsheets (xlsx), image formats (jpg, jpeg, png, tif, gif), PDFs (pdf), audio (mp3), and video (mp4) files. These files were encrypted by 75 distinct ransomware families, facilitating a robust empirical evaluation of machine learning classifiers effectiveness against diverse encryption tactics. Results highlight the Hoeffding Tree algorithms superior incremental learning capability, particularly effective in detecting traditional and AES-Base64 encryption methods employed to lower entropy. Conversely, the Random Forest classifier with warm-start functionality excels at identifying intermittent encryption methods, demonstrating the necessity of tailored machine learning solutions to counter sophisticated ransomware strategies.
