DOI: 10.1145/3576915.3616665 (ACM CCS conference proceedings, research article)

Travelling the Hypervisor and SSD: A Tag-Based Approach Against Crypto Ransomware with Fine-Grained Data Recovery

Published: 21 November 2023

Abstract

Ransomware has evolved from an economic nuisance into a national security threat that poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared with state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples ransomware detection from the SSD firmware and integrates it into a lightweight Type I hypervisor. The detector can therefore draw on the powerful computing capability of the host system and on the rich context information introspected from the operating system, which enables accurate detection of ransomware attacks and defends against potential targeted attacks on SSD characteristics. Further, its parapass-through architecture makes RansomTag readily deployable on desktop personal computers. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through our proposed tag-based approach. Third, RansomTag keeps 100% of the user data overwritten or deleted by ransomware, and can restore any single file or set of files to any version based on timestamps. To validate the approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that the prototype effectively protects user data with minimal-scale data backup and acceptable performance overhead, and that all attacked files can be completely restored at fine granularity.


Cited By

  • An Empirical Study of Data Disruption by Ransomware Attacks. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering (2024), 1-12. DOI: 10.1145/3597503.3639090. Online publication date: 20 May 2024.

Published In

CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
November 2023, 3722 pages
ISBN: 9798400700507
DOI: 10.1145/3576915

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  • data recovery
  • fine-grained
  • hypervisor
  • ransomware


Funding Sources

  • Key R&D Program of Shaanxi Province of China
  • Shenzhen Science and Technology Program
  • National Natural Science Foundation of China
  • Foundation for Innovative Research Groups of the National Natural Science Foundation of China

Conference: CCS '23
Overall acceptance rate: 1,261 of 6,999 submissions, 18%
