Graduate School and Research Center in Digital Sciences

Cutting the gordian knot: A look under the hood of ransomware attacks

Kharraz, Amin; Robertson, William; Balzarotti, Davide; Bilge, Leyla; Kirda, Engin

DIMVA 2015, 12th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 9-10, 2015, Milan, Italy

In this paper, we present the results of a long-term study of ransomware attacks that have been observed in the wild between 2006 and 2014. We also provide a holistic view on how ransomware attacks have evolved during this period by analyzing 1,359 samples that belong to 15 different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that stopping advanced ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination on the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks

Document Doi Bibtex

Title:Cutting the gordian knot: A look under the hood of ransomware attacks
Keywords:Malware, Ransomware, Malicious Activities, Underground Economy, Bitcoin
Department:Digital Security
Eurecom ref:4548
Copyright: © 2015 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
Bibtex: @inproceedings{EURECOM+4548, doi = {}, year = {2015}, title = {{C}utting the gordian knot: {A} look under the hood of ransomware attacks}, author = {{K}harraz, {A}min and {R}obertson, {W}illiam and {B}alzarotti, {D}avide and {B}ilge, {L}eyla and {K}irda, {E}ngin}, booktitle = {{DIMVA} 2015, 12th {C}onference on {D}etection of {I}ntrusions and {M}alware \& {V}ulnerability {A}ssessment, {J}uly 9-10, 2015, {M}ilan, {I}taly }, address = {{M}ilan, {ITALY}}, month = {07}, url = {} }
See also: