RanDeter : using novel statistical and physical controls to deter ransomware attacks : a thesis presented in partial fulfillment of the requirements for the degree of Master of Information Sciences in Software Engineering at Massey University, Auckland, New Zealand
Crypto-ransomware is a type of extortion-based malware that encrypts victims'
personal files with strong encryption algorithms and blackmails the victims into
paying a ransom to recover their files. The recurring episodes of high-profile
ransomware attacks such as WannaCry and Petya, particularly against healthcare
providers, government agencies and large corporations, have highlighted the immediate
demand for effective defense mechanisms.
In this thesis, RANDETER is introduced as a novel anti-crypto-ransomware solution
that deters ransomware activity using novel statistical and physical controls inspired
by police anti-terrorism practice. Police maintain public safety by keeping a constant
presence to patrol key public areas, identifying suspects who exhibit out-of-the-ordinary
characteristics, and restricting access to protected areas. Ransomware is in many ways
like terrorism: its attacks are unexpected and malicious, and they aim for the largest
possible number of victims. It is therefore possible to detect and deter
crypto-ransomware by maintaining constant surveillance on the potential victims: the
MBR and user files, especially documents and photos.
RANDETER is implemented as two compatible and complementary modules:
PARTITION GUARD and FILE PATROL. PARTITION GUARD blocks modifications to the MBR
area of the boot disk. FILE PATROL checks all file activity in directories protected
by RANDETER against a list of Recognized Processes governed by Multi-Tier Security
Rules. Upon detecting a violation of those rules that FILE PATROL judges to have been
initiated by crypto-ransomware, FILE PATROL freezes access to the monitored
directories, terminates the offending processes, and then resumes access to those
directories.
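The decision flow of the two modules, as an added example written for this page and not
the thesis's own implementation: the rule tiers (an allowlist tier and a burst-rate tier),
the burst threshold and window, the process and device names, and the file events are all
constructed assumptions, and the terminate callback stands in for the OS call that would
actually kill the process. The example also covers the failure mode the abstract does not
spell out: if termination fails, the directories stay frozen until an operator resumes them.

```python
"""Simulation of the RANDETER decision flow (added example, not the thesis's
own code). Process names, rule tiers, thresholds, device names and the
sample events are constructed assumptions for illustration only."""
from collections import defaultdict, deque
from dataclasses import dataclass

MBR_BYTES = 512                      # sector 0 of the boot disk holds the MBR
BOOT_DISK = r"\\.\PhysicalDrive0"    # assumed boot-disk device name


def partition_guard(device: str, offset: int, length: int) -> bool:
    """PARTITION GUARD: allow a raw disk write unless it touches the MBR
    region of the boot disk. Returns True when the write may proceed."""
    if device != BOOT_DISK or length <= 0:
        return True
    return offset >= MBR_BYTES        # any byte below 512 is denied


@dataclass
class FileEvent:
    ts: float          # seconds
    pid: int
    process: str       # image name as reported by the OS
    op: str            # "read", "write", "rename" or "delete"
    path: str


class FilePatrol:
    """FILE PATROL: checks file activity in protected directories against a
    list of recognized processes plus assumed multi-tier rules; on a violation
    it freezes the directories, terminates the process and resumes."""

    DESTRUCTIVE = {"write", "rename", "delete"}

    def __init__(self, protected_dirs, recognized, terminate,
                 burst_limit=5, burst_window=2.0):
        self.protected = [self._norm(d) + "/" for d in protected_dirs]
        self.recognized = {p.lower() for p in recognized}
        self.terminate = terminate            # callback: pid -> bool (killed?)
        self.burst_limit = burst_limit        # tier-2 threshold (assumed)
        self.burst_window = burst_window      # seconds (assumed)
        self.frozen = False
        self.killed = set()
        self.history = defaultdict(deque)     # pid -> timestamps of destructive ops
        self.log = []

    @staticmethod
    def _norm(path):
        return path.replace("\\", "/").rstrip("/").lower()

    def _protected(self, path):
        p = self._norm(path)
        return any(p.startswith(d) for d in self.protected)

    def handle(self, ev: FileEvent) -> str:
        """Return the decision for one event: 'allow', 'deny' or 'violation'."""
        if ev.op not in self.DESTRUCTIVE or not self._protected(ev.path):
            return "allow"                    # reads and unprotected paths pass
        if ev.pid in self.killed or self.frozen:
            return "deny"                     # killed process, or freeze in force
        # Tier 1 (assumed): only recognized processes may modify protected files.
        if ev.process.lower() not in self.recognized:
            return self._react(ev, "tier1: unrecognized process")
        # Tier 2 (assumed): a recognized name driving a burst of destructive
        # operations is treated as masquerading ransomware.
        h = self.history[ev.pid]
        h.append(ev.ts)
        while h and ev.ts - h[0] > self.burst_window:
            h.popleft()
        if len(h) > self.burst_limit:
            return self._react(ev, "tier2: destructive burst")
        return "allow"

    def _react(self, ev, reason):
        self.frozen = True                    # freeze access to protected dirs
        killed = self.terminate(ev.pid)       # terminate the offending process
        if killed:
            self.killed.add(ev.pid)
            self.frozen = False               # resume access
        self.log.append((ev.pid, ev.process, reason, killed))
        return "violation"

    def resume(self):
        """Operator resume for the case where termination did not succeed."""
        self.frozen = False


def demo():
    """Run constructed sample events through FILE PATROL; returns decisions
    and the pids the simulated terminate callback was asked to kill."""
    killed = []
    patrol = FilePatrol(
        protected_dirs=[r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures"],
        recognized=["winword.exe", "explorer.exe"],
        terminate=lambda pid: killed.append(pid) or True,   # simulated kill
        burst_limit=3, burst_window=1.0)
    docs, pics = r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures"
    events = [  # constructed sample events, not captured data
        FileEvent(0.0, 100, "winword.exe", "write", docs + r"\report.docx"),
        FileEvent(0.1, 666, "crypt.exe", "write", pics + r"\cat.jpg"),
        FileEvent(0.2, 666, "crypt.exe", "write", pics + r"\dog.jpg"),
        FileEvent(0.3, 200, "explorer.exe", "rename", docs + r"\a.txt"),
        FileEvent(0.4, 200, "explorer.exe", "rename", docs + r"\b.txt"),
        FileEvent(0.5, 200, "explorer.exe", "rename", docs + r"\c.txt"),
        FileEvent(0.6, 200, "explorer.exe", "rename", docs + r"\d.txt"),
        FileEvent(0.7, 300, "notepad.exe", "write", r"C:\Temp\scratch.txt"),
    ]
    return [patrol.handle(e) for e in events], killed


if __name__ == "__main__":
    print(demo())
```

In `demo()` the unrecognized `crypt.exe` is stopped on its first write (tier 1) and its second
write is denied because the process is already marked killed, while the fourth rename by a
process carrying the recognized name `explorer.exe` trips the burst rule (tier 2), which is
the masquerading case; the write outside the protected directories is never inspected.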
Our evaluation demonstrated that RANDETER results in less, and often no,
irrecoverable file damage from current ransomware families, while imposing lower
disk-performance overhead than existing anti-ransomware implementations such as
CRYPTOLOCK, SHIELDFS and REDEMPTION. In addition, RANDETER was shown to be resilient
against masquerading attacks and ransomware polymorphism.