Exploiting ransomware paranoia for execution prevention

dc.contributor.author: Al Sabeh Ali Mazhar
dc.contributor.department: Department of Computer Science
dc.contributor.faculty: Faculty of Arts and Sciences
dc.contributor.institution: American University of Beirut
dc.date: 2019
dc.date.accessioned: 2021-09-23T08:57:08Z
dc.date.available: 2021-09-23T08:57:08Z
dc.date.issued: 2019
dc.date.submitted: 2019
dc.description: Thesis. M.S. American University of Beirut. Department of Computer Science, 2019. T:7156.
dc.description: Advisor: Dr. Haidar Safa, Professor, Computer Science; Co-Advisor: Dr. Elias Bou-Harb, Associate Professor, Computer Science, Florida Atlantic University; Members of Committee: Dr. Mohamad El Baker Nassar, Assistant Professor, Computer Science; Dr. Wassim El Hajj, Associate Professor, Computer Science.
dc.description: Includes bibliographical references (leaves 88-93)
dc.description.abstract: Ransomware attacks cost businesses more than $75 billion a year, and they are predicted to cost $6 trillion a year by 2021. These numbers demonstrate the havoc that ransomware produces across a large number of sectors and urge security researchers to tackle it. Several ransomware detection approaches have been proposed in the literature, alternating between static and dynamic analysis. Recently, ransomware attacks were shown to fingerprint the execution environment before attacking the system, in order to counter dynamic analysis. In this thesis, we exploit this behavior of contemporary ransomware to prevent its attack on real systems and thus avoid the loss of any data. We explore a set of ransomware-generated artifacts that are launched to sniff the surroundings. Furthermore, we design, develop, and evaluate an approach that monitors the behavior of a program by intercepting the Windows APIs it calls. Consequently, we determine in real time whether the program is trying to inspect its surroundings before the attack, and abort it immediately, prior to the initiation of any malicious encryption or locking. Through empirical evaluations using real and recent ransomware samples, we study how ransomware and benign programs inspect the environment. Additionally, we demonstrate how to prevent ransomware with a low false positive rate. We make the developed approach available to the research community at large through GitHub, to strongly promote cyber security defense operations and to enable wide-scale evaluations and enhancements.
dc.format.extent: 1 online resource (xiii, 93 leaves) : illustrations
dc.identifier.other: b25897895
dc.identifier.uri: http://hdl.handle.net/10938/23135
dc.language.iso: en
dc.subject.classification: T:007156
dc.subject.lcsh: Data protection.
dc.subject.lcsh: Computer security.
dc.subject.lcsh: Data encryption (Computer science)
dc.title: Exploiting ransomware paranoia for execution prevention
dc.type: Thesis

Files

Original bundle

Name: t-7136.pdf
Size: 5.1 MB
Format: Adobe Portable Document Format