Large Scale Behavioral Analysis of Ransomware Attacks
2018; Springer Science+Business Media; Language: English
DOI: 10.1007/978-3-030-04224-0_19
ISSN: 1611-3349
Authors: Timothy R. McIntosh, Julian Jang‐Jaccard, Paul Watters,
Topic(s): Digital and Cyber Forensics
Abstract: Ransomware is now the highest risk attack vector in cybersecurity. Reliable and accurate ransomware detection and removal solutions require a deep understanding of the techniques and strategies adopted by malicious code at the file system level. We conducted a large-scale analysis of more than 1.7 billion lines of I/O request packets (IRPs), and additional file system event logs, to gain deeper insights into malicious ransomware behaviors. Such behaviors include crypto-ransomware file system attacks achieved by either encrypting individual files or modifying the Master Boot Record (MBR). Our large-scale analysis shows that crypto-ransomware preferentially attacks certain file types; greedily performs file operations more frequently on more diverse types of files; randomizes novel filename generation for malicious executables; and exhibits a preference for alternating file access. We believe that these insights are vital to building the next generation of ransomware detection and removal solutions.