wmhost.blogg.se

Vir2 electri6ity gibberish text in settings

In this paper, we use cyber deception technology to protect critical systems through attack guidance, drawing attackers away from the protected systems. To address this issue, we propose to utilize advanced defense schemes to protect important hosts under targeted ransomware attacks. However, because targeted ransomware attacks have different characteristics and less notable patterns, these traditional blocking-based defense systems become much less effective against them. Such a targeted ransomware attack usually has a clear command-and-control structure and is aimed at resource exploitation and resource theft on these targets, while generating fairly limited noise on hosts and networks, which makes it hard to detect. Existing ransomware defense methods (designed for dealing with randomly-spread attacks) usually protect a host by blocking the spreading of ransomware attacks (in nearly real-time) based on the signatures generated by ransomware detection solutions. For instance, an attacker using Crysis ransomware first logs in to a victim's host and spreads itself via a brute-force attack on the common Remote Desktop Protocol (RDP).

Kaspersky Security Bulletin indicated that targeted attacks have become one of the main propagation methods for several widespread ransomware families in 2017. Recently, more and more ransomware attacks have aimed at specific targets. Because traditional ransomware was typically spread randomly without specific targets via network scanning or host probing, it can be easily detected by monitoring abnormal behaviors in host activities such as file system operations and network traffic. Researchers predict that IoT ransomware attacks are likely to increase to around 25% to 30% of all ransomware cases. What is more, the lack of focus on security has left IoT (Internet of Things) devices vulnerable, which have been the target of 10% of all ransomware attacks. The number of such targeted ransomware attacks doubled in January 2017 compared with late 2016. In addition, specifically targeted ransomware like Crysis disrupted many small and large enterprises across the globe; e.g., Trend Micro observed that the Crysis family specifically targeted businesses in Australia and New Zealand in September 2016. In May 2017, WannaCry spread across more than 150 countries and 200,000 computers in just a few days, and severely disrupted many businesses and personal systems. Symantec reported a 250% increase in new crypto ransomware families between 20. Recently, several wide-spread ransomware attacks have caused significant damage to a large number of user systems and businesses on the Internet. Ransomware first emerged in the late 1980s and has resurfaced since 2013. Furthermore, it also helps us trace back RDP-based ransomware attackers and ransomware makers in practical applications. Our evaluations show that the proposed method can trap the adversary in the deception environment and significantly improve the efficiency of clue analysis.
In particular, we developed various monitors in the proposed deception environment to gather traceable clues about attackers, and we further design an analysis system that automatically extracts and analyzes the collected clues. To address this problem, we propose a systematic method to fight such specifically targeted ransomware by trapping attackers via a network deception environment and then using traceback techniques to identify attack sources. While various ransomware defense systems have been proposed to deal with traditional randomly-spread ransomware attacks (based on their unique high-noise behaviors at hosts and on networks), none of them has considered ransomware attacks precisely aiming at specific hosts, e.g., using the common Remote Desktop Protocol (RDP).






