Visible to the public CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

TitleCryptoLock (and Drop It): Stopping Ransomware Attacks on User Data
Publication TypeConference Paper
Year of Publication2016
AuthorsScaife, N., Carter, H., Traynor, P., Butler, K. R. B.
Conference Name2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS)
ISBN Number978-1-5090-1483-5
Keywordsantivirus, Arrays, behavior indicators, behavioral analysis, composability, cryptography, CryptoLock, data protection, early-warning detection system, Encryption, Entropy, file decryption, Human Behavior, Intrusion detection, Intrusion Detection Systems, invasive software, Malware, Metrics, Monitoring, pubcrawl, ransomware, ransomware attacks, ransomware behavior analysis, Resiliency, user data, user file encryption

Ransomware is a growing threat that encrypts auser's files and holds the decryption key until a ransom ispaid by the victim. This type of malware is responsible fortens of millions of dollars in extortion annually. Worse still, developing new variants is trivial, facilitating the evasion of manyantivirus and intrusion detection systems. In this work, we presentCryptoDrop, an early-warning detection system that alerts a userduring suspicious file activity. Using a set of behavior indicators, CryptoDrop can halt a process that appears to be tampering witha large amount of the user's data. Furthermore, by combininga set of indicators common to ransomware, the system can beparameterized for rapid detection with low false positives. Ourexperimental analysis of CryptoDrop stops ransomware fromexecuting with a median loss of only 10 files (out of nearly5,100 available files). Our results show that careful analysis ofransomware behavior can produce an effective detection systemthat significantly mitigates the amount of victim data loss.

Citation Keyscaife_cryptolock_2016