Papers published by the authors using these traces


Ransomware early detection by the analysis of file sharing traffic

Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 seconds, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.

Reference: Daniel Morato, Eduardo Berrueta, Eduardo Magaña, Mikel Izal, Ransomware early detection by the analysis of file sharing traffic, Journal of Network and Computer Applications, Volume 124, 2018, Pages 14-32, ISSN 1084-8045.


Ransomware Encrypted Your Files but You Restored Them from Network Traffic

In a scenario where user files are stored in a network shared volume, a single computer infected by ransomware could encrypt the whole set of shared files, with a large impact on user productivity. On the other hand, medium and large companies maintain hardware or software probes that monitor the traffic in critical network links, in order to evaluate service performance, detect security breaches, account for network or service usage, etc. In this paper we suggest using the monitoring capabilities in one of these tools in order to keep a trace of the traffic between the users and the file server. Once the ransomware is detected, the lost files can be recovered from the traffic trace. This includes any user modifications made after the last snapshot of periodic backups. The paper explains the problems faced by the monitoring tool, which is neither the client nor the server of the file sharing operations. It also describes the data structures used to process the actions of users that could be simultaneously working on the same file. A proof of concept software implementation was capable of successfully recovering the files encrypted by 18 different ransomware families.

Reference: Eduardo Berrueta, Daniel Morato, Eduardo Magaña and Mikel Izal, "Ransomware Encrypted Your Files but You Restored Them from Network Traffic," 2018 2nd Cyber Security in Networking Conference (CSNet), Paris, 2018, pp. 1-7.


A Survey on Detection Techniques for Cryptographic Ransomware

Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for a ransom to recover the hijacked documents. It is a cyber threat that targets both companies and residential users, and has spread in recent years because of its lucrative results. Several articles have presented classifications of ransomware families and their typical behaviour. These insights have stimulated the creation of detection techniques for antivirus and firewall software. However, because the ransomware scene evolves quickly and aggressively, these studies quickly become outdated. In this study, we surveyed the detection techniques that the research community has developed in recent years. We compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions, and the decision procedures they use to reach a classification decision between benign or malign applications. This is a detailed survey that focuses on detection algorithms, compared to most previous studies that offer a survey of ransomware families or isolated proposals of detection algorithms. We also compared the results of these proposals.

Reference: Eduardo Berrueta, Daniel Morato, Eduardo Magaña and Mikel Izal, "A Survey on Detection Techniques for Cryptographic Ransomware," in IEEE Access, vol. 7, pp. 144925-144944, 2019.


Open Repository for the Evaluation of Ransomware Detection Tools

Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.

Reference: Eduardo Berrueta, Daniel Morato, Eduardo Magaña and Mikel Izal, "Open Repository for the Evaluation of Ransomware Detection Tools," in IEEE Access.


Crypto-ransomware detection using machine learning models in file-sharing network scenario with encrypted traffic
The dataset is available here

Ransomware has been considered a significant threat for most enterprises for the past few years. In scenarios wherein users can access all files on a shared server, one infected host is capable of locking the access to all shared files. We propose a tool to detect ransomware infection based on file-sharing traffic analysis, even in the case of encrypted traffic. We compare three machine learning models and choose the best for validation. We train and test the detection model using more than 70 ransomware binaries from 26 different families and more than 2500 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries, including those not used in the training phase (zero-days). This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected.

Reference: Eduardo Berrueta, Daniel Morato, Eduardo Magaña and Mikel Izal, Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic, Expert Systems with Applications, Volume 209, 2022, 118299, ISSN 0957-4174.


A Chronological Evolution Model for Crypto-Ransomware Detection based on Encrypted File-Sharing Traffic
In review process.
The dataset is available here

New variants of ransomware are detected increasingly frequently, which has become a formidable threat to enterprises and fostered the development of malware detection tools that focus on the special behaviour of such ransomware. In this study, we present a novel detection tool that employs deep learning techniques to detect crypto-ransomware activity based on the file-sharing traffic generated when a ransomware accesses files from a shared server. The tool was trained using the crypto-ransomware variants discovered before a certain date. Moreover, the detection capabilities of the tool were evaluated when facing any crypto-ransomware or only those discovered after the training date. Subsequently, the model is retrained including the samples from the newly discovered crypto-ransomware binary. Then, it is re-evaluated to check its improved capabilities. This chronological model evaluation is repeated for all ransomware binaries available in a public repository covering a 6-year period. The training and testing datasets, as well as the trained machine learning models, were uploaded to a public repository to facilitate future comparability.

Reference: Daniel Morato, Eduardo Berrueta, Eduardo Magaña and Mikel Izal