DOI: 10.5555/3691938.3691975 (OSDI Conference Proceedings, research-article)

Ransom access memories: achieving practical ransomware protection in cloud with DeftPunk

Published: 10 July 2024

Abstract

In this paper, we focus on building a ransomware detection and recovery system for cloud block stores. We start by discussing whether existing methods can be used directly or ported to our scenario with modifications. Although these attempts failed, they led us to identify the unique IO characteristics of ransomware and drove us to build DeftPunk, a block-level ransomware detection and recovery system. DeftPunk uses a two-layer classifier for fast and accurate detection, creates pre-/post-attack snapshots to avoid data loss, and leverages log-structured support for low-overhead recovery. Our large-scale benchmark shows that DeftPunk achieves nearly 100% recall across 13 types of ransomware with low runtime overhead.


Published In

cover image Guide Proceedings
OSDI'24: Proceedings of the 18th USENIX Conference on Operating Systems Design and Implementation
July 2024
1005 pages
ISBN:978-1-939133-40-3

Sponsors

  • Amazon
  • ROBLOX
  • databricks
  • Microsoft
  • Meta

Publisher

USENIX Association

United States


Qualifiers

  • Research-article
  • Research
  • Refereed limited
