Abstract

The advancement of modern Operating Systems (OSs), and the popularity of personal computing devices with Internet connectivity, have facilitated the proliferation of ransomware attacks. Ransomware has evolved from executable programs encrypting user files, to novel attack vectors including fileless command scripts, information exfiltration and human-operated ransomware. Many anti-ransomware studies have been published, but many of them assumed newer ransomware variants only performed file encryption, were similar to existing variants, and often did not consider those novel attack vectors. We have defined an updated ransomware threat model to include those novel attack vectors, and redefined false positives and false negatives in the context of ransomware mitigation. We proposed to apply both program-centric and user-centric access control to combat ransomware, but only delegate access control decisions that users are capable of making to users, while enforcing non-negotiable access control decisions by OS and software developers. We have designed a Staged Event-Driven Access Control (SEDAC) approach to incorporate both program-centric and user-centric access control measures, and demonstrated a prototype on Windows OS. Our prototype was able to intercept more types of ransomware attack vectors than existing proposals. We hope to convince OS and software architects to incorporate our design to better combat ransomware.
