On Deception-Based Protection Against Cryptographic Ransomware

Interdisciplinary Research Group in Socio-technical Cybersecurity

Ziya Alper Genç, Gabriele Lenzini, Daniele Sgandurra
Abstract:
In order to detect malicious file system activity, some commercial and academic anti-ransomware solutions implement deception-based techniques, specifically by placing decoy files among user files. While this approach raises the bar against current ransomware, as any access to a decoy file is a sign of malicious activity, the robustness of decoy strategies has not been formally analyzed and fully tested. In this paper, we analyze existing decoy strategies and discuss how they are effective in countering current ransomware by defining a set of metrics to measure their robustness. To demonstrate how ransomware can identify existing deception-based detection strategies, we have implemented a proof-of-concept anti-decoy ransomware that successfully bypasses decoys by using a decision engine with few rules. Finally, we discuss existing issues in decoy-based strategies and propose practical solutions to mitigate them.
Publication date:
2019
Published in:
Lecture Notes in Computer Science
Reference:
Genç, Z. A., Lenzini, G., & Sgandurra, D. (2019, June). On Deception-Based Protection Against Cryptographic Ransomware. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 219-239). Springer, Cham.
