{"title":"Early mitigation of CPU-optimized ransomware using monitoring encryption instructions","authors":"Shuhei Enomoto, Hiroki Kuzuno, Hiroshi Yamada, Yoshiaki Shiraishi, Masakatu Morii","doi":"10.1007/s10207-024-00892-2","DOIUrl":null,"url":null,"abstract":"<p>Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure-as-a-service instances, are prime targets for ransomware developers. Security mechanisms such as antivirus software have proven effective against this threat, and ransomware detection research advocates behavior-based mechanisms that identify ransomware while it is running. In response to these evolving detections, ransomware developers are now adopting designs optimized for the CPU architecture (CPU-optimized ransomware). Such variants encrypt files so rapidly that they can evade traditional antivirus methods that scan files at fixed time intervals, and with the detectors proposed in ransomware detection research, CPU-optimized ransomware can encrypt numerous files before its malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer targets the misuse of CPU architecture-specific encryption instructions for swift file encryption: it captures the ciphertext produced in user processes and thwarts file encryption by scrutinizing the content the process intends to write. To demonstrate its efficacy, CryptoSniffer was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, with a performance overhead well suited to practical deployment.</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"2 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-07-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00892-2","RegionNum":4,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure-as-a-service instances, are prime targets for ransomware developers. Security mechanisms such as antivirus software have proven effective against this threat, and ransomware detection research advocates behavior-based mechanisms that identify ransomware while it is running. In response to these evolving detections, ransomware developers are now adopting designs optimized for the CPU architecture (CPU-optimized ransomware). Such variants encrypt files so rapidly that they can evade traditional antivirus methods that scan files at fixed time intervals, and with the detectors proposed in ransomware detection research, CPU-optimized ransomware can encrypt numerous files before its malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer targets the misuse of CPU architecture-specific encryption instructions for swift file encryption: it captures the ciphertext produced in user processes and thwarts file encryption by scrutinizing the content the process intends to write. To demonstrate its efficacy, CryptoSniffer was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, with a performance overhead well suited to practical deployment.
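The idea the abstract describes, matching what a process is about to write against ciphertext that was seen leaving the CPU's encryption primitive, modelled as an added example. This is not code from the paper or from the CryptoSniffer implementation; it is a user-space simulation of the write-path check. The `toy_encrypt` keystream cipher stands in for an AES-NI encryption loop (the real ciphertext would be captured by the kernel from the instruction output, which cannot be shown portably here), the `fs` dictionary stands in for the filesystem, and the ring-buffer capacity and the two-block threshold are assumptions of this model, not parameters from the paper.

```python
"""Added illustration: block the first write whose content is captured ciphertext.

Toy model of write-path ciphertext matching; not the CryptoSniffer implementation.
"""
import hashlib
from collections import deque

BLOCK = 16  # AES block size: CPU AES instructions emit ciphertext in 16-byte blocks


class CipherTrace:
    """Bounded record of ciphertext blocks seen leaving the encryption primitive.

    In a kernel implementation this would be per-process state filled from the
    output of the CPU encryption instructions; here toy_encrypt() calls record().
    """

    def __init__(self, capacity: int = 4096) -> None:  # capacity is an assumption
        self._ring = deque()
        self._count = {}
        self._capacity = capacity

    def record(self, ciphertext: bytes) -> None:
        for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK):
            blk = ciphertext[i:i + BLOCK]
            self._ring.append(blk)
            self._count[blk] = self._count.get(blk, 0) + 1
            if len(self._ring) > self._capacity:  # evict the oldest block
                old = self._ring.popleft()
                if self._count[old] == 1:
                    del self._count[old]
                else:
                    self._count[old] -= 1

    def matching_blocks(self, data: bytes) -> int:
        """Count the 16-byte blocks of `data` that equal a recorded ciphertext block."""
        return sum(1 for i in range(0, len(data) - BLOCK + 1, BLOCK)
                   if data[i:i + BLOCK] in self._count)


def toy_encrypt(trace: CipherTrace, key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for an AES-NI encryption loop (constructed: SHA-256 keystream XOR).

    The only property the example relies on is that the bytes returned are
    exactly the bytes the trace has recorded, as they would be for a captured
    instruction output.
    """
    out = bytearray()
    for ctr in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out += bytes(p ^ k for p, k in zip(plaintext[ctr:ctr + 32], keystream))
    ciphertext = bytes(out)
    trace.record(ciphertext)  # the capture step
    return ciphertext


class WriteDenied(PermissionError):
    pass


def guarded_write(trace: CipherTrace, fs: dict, path: str, data: bytes,
                  min_hits: int = 2) -> int:
    """Write hook: refuse a write whose content is recorded ciphertext.

    `min_hits` (assumed value) requires more than one matching block so a single
    accidental 16-byte collision does not block a benign write.
    """
    hits = trace.matching_blocks(data)
    if hits >= min_hits:
        raise WriteDenied(f"{path}: {hits} block(s) match captured ciphertext")
    fs[path] = data
    return hits


def ransomware_run(fs: dict, key: bytes = b"attacker-key") -> int:
    """Simulated encrypt-in-place loop; returns how many files were overwritten
    before the hook intervened (0 means no file was lost)."""
    trace = CipherTrace()
    overwritten = 0
    for path in list(fs):
        ciphertext = toy_encrypt(trace, key, fs[path])
        try:
            guarded_write(trace, fs, path, ciphertext)
        except WriteDenied:
            break
        overwritten += 1
    return overwritten


def benign_run(fs: dict) -> int:
    """A process that encrypts nothing and only appends text; must not be blocked."""
    trace = CipherTrace()
    for path in list(fs):
        guarded_write(trace, fs, path, fs[path] + b"\nedited")
    return len(fs)


SAMPLE_FS = {  # constructed sample files
    "/srv/www/index.html": b"<html><body>hello</body></html>" * 8,
    "/srv/db/users.csv": b"id,name\n1,alice\n2,bob\n" * 16,
}

if __name__ == "__main__":
    victim = dict(SAMPLE_FS)
    print("files overwritten before block:", ransomware_run(victim))
    print("benign writes completed:", benign_run(dict(SAMPLE_FS)))
```

Two caveats a deployer would want, stated here as this editor's observations rather than findings of the paper: any legitimate program that encrypts files on the host (backup agents, `gpg`, dm-crypt user-space tools) produces exactly the same signal and needs an allowlist or a policy hook, and a check that matches raw ciphertext blocks byte-for-byte can be sidestepped if the malware transforms the instruction output (masking, re-encoding) before the `write()` call, so the matching step is where evasion pressure will land.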
Journal description:
The International Journal of Information Security is an English-language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applied, or related to implementation.
Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.