Ransomware Protection through Data Transformation Monitoring

Technology #15775

Questions about this technology? Ask a Technology Manager

Download Printable PDF

Categories
Researchers
Patrick G. Traynor
Kevin Butler
Walter N Scaife
Henry Carter
Managed By
Richard Croley
Assistant Director 352-392-8929

Anti-Malware System Indicator Automatically Detects Malware Based on User Data Changes

This anti-ransomware system indicator monitors an end user’s data to automatically detect malware based on changes to that data. Data breaches occur when sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or otherwise used by an unauthorized user. Data breaches have severe legal, economic, social, and security implications. The annual cost of data breaches is estimated to exceed $2 trillion in 2019. As a result, the global cybersecurity market is estimated to grow to $170 billion by 2020. Available technologies are unable to consistently detect ransomware, resulting in the widespread loss of more than $18 million annually. Researchers at the University of Florida have developed a malware detection system for detecting ransomware, a malware that encrypts an end user’s files and holds the decryption key until a ransom is paid. This early-warning detection system alerts the end user to the large-scale changes to his/her files and automatically halts the process that appears to be tampering with large amounts of the user’s data. This anti-malware system has a low false-positive rate and is capable of rapid detection based on a set of ransomware-specific behavior indicators. This anti-malware system has the potential to meet the need for better cybersecurity tools and applications by working in conjunction with existing anti-malware programs to catch ransomware that has begun execution.

Application

Malware detection system and technique to combat ransomware’s ability to access user’s data

Advantages

  • Protects user data by monitoring for large-scale changes to the data, blocking changes that are indicative of a transformation from usable to unusable
  • Through process scoring and monitoring only data files, the system maintains a high accuracy against unknown ransomware samples, while limiting user involvement
  • Halted processes are unable to continue damaging the user’s data, preventing total loss and making ransom payments less likely
  • Works in conjunction with existing anti-malware program, providing a second chance to catch undetected malware, such as ransomware
  • Can also detect and block unauthorized encryption of data in use cases where encryption is undesired or only a specific implementation is approved

Technology

Ransomware represents one of the most visible threats to end users; due to its ability to evade many existing antivirus detection systems. The system monitors a user’s files and takes measurements as data is read and written, creating a reputation score for a process. When the reputation score exceeds a set threshold, the system automatically stops the process as a potential malware threat. The anti-malware system can work in conjunction with a first-defense anti-malware program, catching malware that went undetected by the first program. By recognizing ransomware’s key feature, this anti-malware system combats ransomware and prevents the malware from accessing end user’s data in its totality. Experimental results indicate that the anti-malware system detected and stopped 100 percent of 492 real-world ransomware samples, with as few as zero files lost and a median of 10 files lost.