Table of Contents
Fetching ...

Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks

Arash Mahboubi, Hamed Aboutorab, Seyit Camtepe, Hang Thanh Bui, Khanh Luong, Keyvan Ansari, Shenlu Wang, Bazara Barry

TL;DR

This work analyzes how ransomware adversaries dynamically evolve encryption strategies to evade storage-level defenses, focusing on entropy-based signals, partial and intermittent encryption, and memory-mapped I/O. It proposes online incremental learning, instantiated via a DeltaFile Guard integrated with a FUSE file system, to differentiate encrypted versus normal data in real time. Empirical results show Hoeffding Tree performs exceptionally with traditional encryption tactics, while Random Forest with warm-start excels at intermittent encryption, underscoring the need for task-tailored online methods. The study suggests a hybrid defense framework targeting endpoints and cloud storage with adaptive, low-resource online learning to mitigate evolving ransomware threats.

Abstract

In the rapidly evolving landscape of cybersecurity threats, ransomware represents a significant challenge. Attackers increasingly employ sophisticated encryption methods, such as entropy reduction through Base64 encoding, and partial or intermittent encryption to evade traditional detection methods. This study explores the dynamic battle between adversaries who continuously refine encryption strategies and defenders developing advanced countermeasures to protect vulnerable data. We investigate the application of online incremental machine learning algorithms designed to predict file encryption activities despite adversaries evolving obfuscation techniques. Our analysis utilizes an extensive dataset of 32.6 GB, comprising 11,928 files across multiple formats, including Microsoft Word documents (doc), PowerPoint presentations (ppt), Excel spreadsheets (xlsx), image formats (jpg, jpeg, png, tif, gif), PDFs (pdf), audio (mp3), and video (mp4) files. These files were encrypted by 75 distinct ransomware families, facilitating a robust empirical evaluation of machine learning classifiers effectiveness against diverse encryption tactics. Results highlight the Hoeffding Tree algorithms superior incremental learning capability, particularly effective in detecting traditional and AES-Base64 encryption methods employed to lower entropy. Conversely, the Random Forest classifier with warm-start functionality excels at identifying intermittent encryption methods, demonstrating the necessity of tailored machine learning solutions to counter sophisticated ransomware strategies.

Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks

TL;DR

This work analyzes how ransomware adversaries dynamically evolve encryption strategies to evade storage-level defenses, focusing on entropy-based signals, partial and intermittent encryption, and memory-mapped I/O. It proposes online incremental learning, instantiated via a DeltaFile Guard integrated with a FUSE file system, to differentiate encrypted versus normal data in real time. Empirical results show Hoeffding Tree performs exceptionally with traditional encryption tactics, while Random Forest with warm-start excels at intermittent encryption, underscoring the need for task-tailored online methods. The study suggests a hybrid defense framework targeting endpoints and cloud storage with adaptive, low-resource online learning to mitigate evolving ransomware threats.

Abstract

In the rapidly evolving landscape of cybersecurity threats, ransomware represents a significant challenge. Attackers increasingly employ sophisticated encryption methods, such as entropy reduction through Base64 encoding, and partial or intermittent encryption to evade traditional detection methods. This study explores the dynamic battle between adversaries who continuously refine encryption strategies and defenders developing advanced countermeasures to protect vulnerable data. We investigate the application of online incremental machine learning algorithms designed to predict file encryption activities despite adversaries evolving obfuscation techniques. Our analysis utilizes an extensive dataset of 32.6 GB, comprising 11,928 files across multiple formats, including Microsoft Word documents (doc), PowerPoint presentations (ppt), Excel spreadsheets (xlsx), image formats (jpg, jpeg, png, tif, gif), PDFs (pdf), audio (mp3), and video (mp4) files. These files were encrypted by 75 distinct ransomware families, facilitating a robust empirical evaluation of machine learning classifiers effectiveness against diverse encryption tactics. Results highlight the Hoeffding Tree algorithms superior incremental learning capability, particularly effective in detecting traditional and AES-Base64 encryption methods employed to lower entropy. Conversely, the Random Forest classifier with warm-start functionality excels at identifying intermittent encryption methods, demonstrating the necessity of tailored machine learning solutions to counter sophisticated ransomware strategies.
Paper Structure (41 sections, 4 equations, 6 figures, 8 tables)

This paper contains 41 sections, 4 equations, 6 figures, 8 tables.

Figures (6)

  • Figure 1: Base64 encoding reduces the entropy from 7.99 to 5.99. Adversary seeking to minimize entropy, a sequential AES $\xrightarrow[]{}$ Base64 encoding approach is a tangible approach. However, this results in a $~33.38\%$ increase in the original file size.
  • Figure 2: Base64 encoding reduces the entropy from 7.99 to 5.99. However, in a sequential AES $\xrightarrow[]{}$ Base64 encoding approach, the Shannon entropy results fall in the range of 5.99 to 6.
  • Figure 3: Conceptualize diagram: DeltaFile Guard represents the utilization of online incremental learning within the FUSE file system.
  • Figure 4: Black Basta encrypts CSV files larger than 4 KB. The ransomware persistently encrypts 64-byte portions, maintaining a consistent interval of 128 bytes until reaching the end of the file. This is an example of how intermittent encryption impacts defender strategies that use I/O request packets.
  • Figure 5: The results of the Hoeffding Tree's performance on a dataset encrypted by CryptoFile ransomware involved analyzing the confusion matrix, precision, and recall across the first three batches.
  • ...and 1 more figures