On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Genç, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019
Ransomware Threat
Deception-Based Anti-Ransomware
In the context of ransomware, Deception = Decoy. Decoys are fictitious files placed among the user's files that are never supposed to be written. Any write event on a decoy file therefore indicates ransomware activity.
Overview of Decoy File-Based Defense
Advantages: accurate detection; real-time protection; low overhead.
Requirements: Security: mimicking the user. Usability: not interfering with the user.
Question: How can we assess the efficiency of a decoy-file strategy?
Deception-Based Anti-Ransomware Systems
Systems built around decoy files: CRYPTOSTOPPER (triggered on write); RWGUARD (decoy files combined with behavioral analysis and API hooking); R-LOCKER (triggered on read).
Detecting Static Decoys through Heuristics

Algorithm 1 ANTISTATIC: Collect files that are not hidden or filled with zero value.
    function COLLECT(path)                       ▷ Directory of files to scan.
        FileList ← EnumerateFiles(path)
        GenuineList ← ∅
        for all f ∈ FileList do
            if IsHidden(f) then
                allNull ← True
                while not EOF do
                    b ← f.ReadByte()
                    if b ≠ 0 then
                        allNull ← False          ▷ f might not be decoy, try next file.
                        break
                if allNull = True then
                    ▷ f is hidden and zero-filled: treated as a decoy, not collected.
                else
                    GenuineList ← GenuineList ∪ {f}
            else
                GenuineList ← GenuineList ∪ {f}
        return GenuineList
DEMO: CRYPTOSTOPPER vs ANTISTATIC
Quality of a Decoy Generator
Let $A$ be a ransomware, $D$ the set of files generated by a decoy strategy $g$, $F = D \cup \neg D$, $S \subseteq F$ a set of files, and $n$ a natural number.
$$\Pr\left[\, X^{g}_{A}(S) = n \,\right] \qquad (1)$$
It is the probability that $A$ encrypts $n$ other files before encrypting one in $S$.
For example, $\Pr\left[\, X^{g}_{A}(D) = 0 \,\right] = 1$ indicates a good decoy file strategy, i.e., $g$ fools $A$ immediately.
For CRYPTOSTOPPER, $\Pr\left[\, X^{\mathrm{CS}}_{\mathrm{Alg\,1}}(\neg D) > 0 \,\right] = 0$.
Confoundedness
Let $U$ be a user and $D$ the set of decoy files generated according to a strategy $g$, $F = D \cup \neg D$, and $S \subseteq F$ a set of files.
$$\Pr\left[\, Y^{g}_{U}(S) = 1 \,\right] \qquad (2)$$
It is the probability that $U$ accesses a file in $S$ within a working session.
For example, $\Pr\left[\, Y^{g}_{U}(D) = 1 \,\right] = 0$ means that $U$ never gets confused.
File Attributes on NTFS

Table 1: Selected attributes for NTFS files.
Attribute Type Name     | Attribute Name       | Description
$STANDARD_INFORMATION   | Standard Information | File attributes such as archive, read-only, and so on; time stamps, including when the file was created or last modified; and the file record number.
$ATTRIBUTE_LIST         | Attribute List       | List of the attributes that make up the file.
$FILE_NAME              | File Name            | The file's name.
$DATA                   | Data                 | The contents of the file.
Distinguishing Decoys Using Statistical Methods
Rowe [1] collected file attributes, including (i) file name; (ii) file size; (iii) file type; and (iv) last modification time.
For a file system $i$, let $\mu_{ik}$ and $\sigma_{ik}$ denote the mean and standard error of metric $k$.
Difference between systems $i$ and $j$:
$$s_{ij} = \frac{1}{35} \sum_{k=0}^{72} \frac{|\mu_{ik} - \mu_{jk}| + |\sigma_{ik} - \sigma_{jk}|}{\sqrt{\sigma_{ik}^{2} + \sigma_{jk}^{2}}} \qquad (3)$$
[1] Rowe, "Measuring the Effectiveness of Honeypot Counter-Counterdeception".
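As an added example (not from the slides or the authors' tooling), the following Python computes the distance of Eq. (3), generalised from the slide's fixed metrics k = 0..72 with 1/35 normalisation to an average over any K numeric per-file metrics, so a defender can check how closely a decoy generator's files mimic the user's real files before deploying them. The attribute vectors (size in bytes, file name length, age in days) are constructed sample data, and "standard error" is taken as sample standard deviation divided by √n, which is an assumption.

```python
import math
from statistics import mean, stdev

# Constructed sample data: per-file metric vectors (size_bytes, name_length, age_days).
GENUINE = [(12_400, 11, 30), (3_210, 14, 5), (58_000, 9, 120), (1_024, 17, 60), (24_600, 12, 200)]
# "Naive" decoys: identical, freshly created, small files (typical static decoys).
NAIVE_DECOYS = [(4_096, 8, 0)] * 4
# Decoys whose attributes were chosen to resemble the genuine files.
MIMIC_DECOYS = [(11_900, 12, 28), (4_000, 13, 9), (47_000, 10, 110), (2_000, 16, 55)]

def metric_stats(values):
    """Mean and standard error of one metric over a set of files.
    Assumption: standard error = sample standard deviation / sqrt(n)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two files per set")
    return mean(values), stdev(values) / math.sqrt(n)

def rowe_distance(system_i, system_j):
    """Eq. (3) of the slides, averaged over the K metrics present instead of
    the slide's fixed k = 0..72 with 1/35 normalisation.
    Larger values mean the two file sets are easier to tell apart."""
    k_count = len(system_i[0])
    total = 0.0
    for k in range(k_count):
        mu_i, se_i = metric_stats([f[k] for f in system_i])
        mu_j, se_j = metric_stats([f[k] for f in system_j])
        num = abs(mu_i - mu_j) + abs(se_i - se_j)
        denom = math.sqrt(se_i ** 2 + se_j ** 2)
        if denom == 0.0:
            # Both sets are constant on this metric: equal constants are
            # indistinguishable, differing constants are perfectly distinguishable.
            total += 0.0 if num == 0.0 else math.inf
        else:
            total += num / denom
    return total / k_count

def compare_generators():
    """Score each decoy set against the genuine files; lower is better mimicry."""
    return {"naive": rowe_distance(GENUINE, NAIVE_DECOYS),
            "mimic": rowe_distance(GENUINE, MIMIC_DECOYS)}

if __name__ == "__main__":
    for name, score in compare_generators().items():
        print(f"{name:6s} s = {score:.2f}")
```

On the constructed data the naive decoys score several times higher than the mimicking ones, which is the gap the "mimicking the user" security requirement asks a generator to close.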
Monitoring User to Reveal Non-decoy Files

Algorithm 2 Monitor User.
    function MONITOR
        GenList ← ∅
        Exp ← FindProcess(Explorer)
        InjectProcess(Exp, SpyModule)
        while true do
            f ← Listen(SpyModule)
            GenList ← GenList ∪ {f}
        return GenList

Algorithm 3 Replace WriteFile.
    function REPLACE
        PList ← EnumAllProcesses()
        for all p ∈ PList do
            InjectProcess(p, InterceptMod)
            wf ← GetFuncAddr(WriteFile)
            if wf ≠ NULL then
                Replace(wf, encFile)
        return Success
Theoretical Limits of Decoys
Consider an adversary $A$ which can monitor the user activity. Let $[F]_U$ be the files that $U$ accesses and cares about, i.e., would pay the ransom for $[F]_U$.
If $g$ is perfectly usable, then its confoundedness is null, i.e., $\Pr\left[\, Y^{g}_{U}(D) = 1 \,\right] = 0$. If $A$ observed $[F]_U$, then $A$ could simply choose among the files in $[F]_U$.
If $\Pr\left[\, Y^{g}_{U}(D) = 1 \,\right] = p > 0$, which means that $[F]_U \cap D \neq \emptyset$, assume that $A$ picks a target file in $[F]_U$ at random. $A$ has
$$\frac{|[F]_U \cap \neg D|}{|[F]_U|} \cdot p + (1 - p)$$
chance to pick up a good file.
If $p$ is significant, then $U$ accesses decoy files, which goes against usability. If $p$ is negligible, $A$ still has a good chance.
What if $A$ employs a better strategy?
Conclusions and Future Work
Decoy-based anti-ransomware is a promising defense strategy. Experimental results show that more research is needed, especially on generating decoy files. Non-interference of decoy files should also be examined.
Research challenge: find the right balance between security and usability, i.e., being effective while not confusing the user.
On Deception-Based Protection Against Cryptographic Ransomware ziya.genc@uni.lu