Abstract

Crypto ransomware encrypts user files and then extorts a ransom for decryption, so it poses a serious threat to users. To address this problem, we propose RansomSpector, an introspection-based approach to detecting crypto ransomware. Compared to previous solutions, our approach makes progress in two aspects. First, RansomSpector is based on the virtual machine introspection technique and resides in the hypervisor layer beneath the operating system (OS) in which the ransomware runs. It is therefore capable of analyzing OS-level ransomware and is difficult to bypass through privilege escalation attacks. Second, RansomSpector monitors both filesystem and network activities for ransomware detection, so it achieves higher precision and earlier warning than approaches that rely on filesystem activities alone as the basis for detection. To validate our approach, we have implemented a prototype of RansomSpector and collected 2,117 recent ransomware samples to evaluate it. The evaluation results indicate that our system effectively detects ransomware with a low performance overhead (< 5% on average).
