Abstract

Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and demands a ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques.

Highlights

  • Ransomware is a type of malware that hijacks computers by locking them or by encrypting their files

  • Tools based on analysing file access operations can be tested, as the repository offers all the I/O operations executed by the ransomware samples

  • In this paper, we have presented a public repository containing the activity of more than 70 samples of ransomware, which were acquired while the ransomware was encrypting user files


Summary

INTRODUCTION

Ransomware is a type of malware that hijacks computers by locking them or by encrypting their files. In 2019, Symantec reported that enterprise infections were up by 12% in 2018 and accounted for 81% of all ransomware infections in that year [2]. The importance of this type of malware encouraged the development of detection tools both in research and in cybersecurity enterprises. To test any detection tool, the ransomware samples must be run while their control servers are active, and all the activity information must be extracted. These websites offer binaries of different types of malware (including ransomware), and they analyse the binary and some other aspects of the malware, such as the infection vector or the DNS queries. None of these repositories provides the information needed for detection tools based on the dynamic behaviour of the malware. Tools based on analysing file access operations can be tested, as the repository offers all the I/O operations executed by the ransomware samples.
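As an added illustration, not taken from the paper or its repository, of how a trace of file access operations on a network share supports both a detector and a comparable evaluation metric: the constructed trace below follows the read, write-under-new-name, delete pattern the abstract describes, and the per-client detector and the files-lost-before-alert metric are assumptions of this example, not the paper's algorithm or the repository's data format.

```python
from collections import defaultdict

# Constructed trace of file-access operations seen on a network share, one tuple
# per operation: (sequence number, client address, operation, path). The format
# and values are assumptions for this example, not the repository's own layout.
TRACE = [
    (1, "10.0.0.5", "READ", "/share/docs/a.docx"),
    (2, "10.0.0.5", "WRITE", "/share/docs/a.docx.locked"),
    (3, "10.0.0.5", "DELETE", "/share/docs/a.docx"),
    (4, "10.0.0.9", "READ", "/share/docs/report.xlsx"),   # benign edit in place
    (5, "10.0.0.9", "WRITE", "/share/docs/report.xlsx"),
    (6, "10.0.0.5", "READ", "/share/docs/b.pdf"),
    (7, "10.0.0.5", "WRITE", "/share/docs/b.pdf.locked"),
    (8, "10.0.0.5", "DELETE", "/share/docs/b.pdf"),
    (9, "10.0.0.9", "READ", "/share/docs/memo.txt"),      # benign read then delete
    (10, "10.0.0.9", "DELETE", "/share/docs/memo.txt"),
    (11, "10.0.0.5", "READ", "/share/docs/c.txt"),
    (12, "10.0.0.5", "WRITE", "/share/docs/c.txt.locked"),
    (13, "10.0.0.5", "DELETE", "/share/docs/c.txt"),
    (14, "10.0.0.5", "READ", "/share/docs/d.jpg"),
    (15, "10.0.0.5", "WRITE", "/share/docs/d.jpg.locked"),
    (16, "10.0.0.5", "DELETE", "/share/docs/d.jpg"),
]

def detect(trace, threshold=3):
    """Flag a client once it has deleted `threshold` files it read earlier
    while also writing files under new names: the read / write-copy / delete
    pattern of crypto-ransomware. Returns {client: sequence number of alert}."""
    read_paths = defaultdict(set)      # paths each client has read so far
    wrote_new = defaultdict(bool)      # client has written a path it never read
    hits = defaultdict(int)            # suspicious deletes per client
    alerts = {}
    for seq, client, op, path in trace:
        if client in alerts:
            continue                   # already flagged; stop counting
        if op == "READ":
            read_paths[client].add(path)
        elif op == "WRITE" and path not in read_paths[client]:
            wrote_new[client] = True
        elif op == "DELETE" and path in read_paths[client] and wrote_new[client]:
            hits[client] += 1
            if hits[client] >= threshold:
                alerts[client] = seq
    return alerts

def files_lost(trace, client, alert_seq):
    """Evaluation metric: originals the client deleted before the alert fired."""
    return sum(1 for seq, c, op, _ in trace
               if c == client and op == "DELETE" and seq <= alert_seq)
```

Running the same trace through different detectors and reporting files_lost for each is the kind of like-for-like comparison a shared trace repository makes possible.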

