RansomSOC: A More Effective Security Operations Center to Detect and Respond to Ransomware Attacks

Anthony Cheuk Tung Lai (1,2,+), Ping Fan Ke (3), Kelvin Chan (4), Siu Ming Yiu (5,+), Dongsun Kim (6)

1 VX Research Limited, Langham Place Office Tower, 8 Argyle Street, Suite 2512, Hong Kong
2 Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong
3 Singapore Management University, 81 Victoria St, Singapore 188065, Singapore
4 Microsoft Corporation, One Microsoft Way, Redmond, Washington, 98052-6399, USA
5 University of Hong Kong, Pok Fu Lam, Hong Kong
6 Kyungpook National University, 80, Daehak-ro, Buk-gu, Daegu, Republic of Korea

Abstract

Ransomware remains a major threat for organizations. Despite a large body of research, existing solutions still have at least two shortcomings. (I) Slow detection time: by the time we realize that the system is under ransomware attack, almost all files have been encrypted. (II) No ransomware-aware backup scheme: most existing systems, in particular those in SMEs (small and medium enterprises), do not have a proper backup system. Even if they have one, either it is not a remote-site backup (i.e., files in the backup system may also be encrypted) or it is not designed for ransomware attacks. In this paper, based on the analysis of four popular ransomware families, we propose the design of a more effective Security Operations Center (SOC) framework specific to ransomware attack detection and response, called RansomSOC. The core ideas behind RansomSOC are the following. (a) A novel real-time emergency local data backup scheme: we exploit a design flaw of ransomware and come up with a scheme that enables a real-time emergency data backup of critical files even after the attack starts, to keep the number of encrypted files as small as possible. (b) Easy-to-detect ransomware honey files: based on the change of entropy values, we identified a set of file types to create honey files (in a honeypot), which allow our detection module to quickly detect the existence of a ransomware attack. Our experiments show that RansomSOC is able to detect an attack within about 5-10 seconds after the attack starts. For a 1 GB folder, RansomSOC is able to back up more than 91% of the data even after the attack starts, and over 95% of this data can be restored.

Keywords: Ransomware, Virus, Malware

+ Corresponding authors: Anthony Cheuk Tung Lai and Siu Ming Yiu

Journal of Internet Services and Information Security (JISIS), 12(3): 63-75, August 2022
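The abstract describes honey files whose change in entropy signals that a ransomware process has started encrypting. The following is an added example, not code from the paper or from RansomSOC, of the underlying check: it computes the Shannon entropy of a honey file's bytes, records a baseline, and raises an alert when a later snapshot shows the entropy jumping toward 8 bits/byte (what encrypted output looks like) or the file disappearing under its original name. The file names, the sample contents and the 2.0 bits/byte threshold are constructed for illustration; the paper's own file types and thresholds are not given in this abstract.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed honey-file content: repetitive office-style text with low entropy.
# (Repetition does not change the per-byte entropy; the value is about 3.8 bits/byte.)
HONEY_TEXT = b"Quarterly budget summary\n" * 40

# Constructed stand-in for ransomware output: every byte value equally often,
# which gives the maximum entropy of exactly 8.0 bits/byte. Real ciphertext
# from a modern cipher lands very close to this value.
ENCRYPTED_LIKE = bytes(range(256)) * 4


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class HoneyFileMonitor:
    """Tracks baseline entropy of honey files and flags suspicious changes.

    Assumption (not from the paper): an entropy rise of at least `threshold`
    bits/byte, or the honey file vanishing under its original name (deleted or
    renamed with a new extension), is treated as a ransomware indicator.
    """

    def __init__(self, files: Dict[str, bytes], threshold: float = 2.0) -> None:
        self.baseline = {name: shannon_entropy(data) for name, data in files.items()}
        self.threshold = threshold

    def check(self, snapshot: Dict[str, bytes]) -> List[str]:
        """Return the honey files that look tampered with in `snapshot`."""
        alerts: List[str] = []
        for name, base in self.baseline.items():
            if name not in snapshot:
                # Missing under its original name: deleted or renamed.
                alerts.append(name)
                continue
            if shannon_entropy(snapshot[name]) - base >= self.threshold:
                alerts.append(name)
        return alerts


def demo() -> List[str]:
    """Seed two constructed honey files, then simulate one being overwritten."""
    monitor = HoneyFileMonitor({"reports/q1.docx": HONEY_TEXT,
                                "reports/q2.xlsx": HONEY_TEXT})
    # Clean snapshot: nothing changed, no alert expected.
    assert monitor.check({"reports/q1.docx": HONEY_TEXT,
                          "reports/q2.xlsx": HONEY_TEXT}) == []
    # One honey file now holds high-entropy bytes: alert on that file only.
    return monitor.check({"reports/q1.docx": ENCRYPTED_LIKE,
                          "reports/q2.xlsx": HONEY_TEXT})


if __name__ == "__main__":
    print("alerts:", demo())
```

In a deployment this check would run on a short timer or on file-system change notifications, which is what keeps detection in the seconds range the abstract reports; a single high-entropy honey file is enough to trigger the response and backup steps, because legitimate software has no reason to rewrite a decoy it was never told about.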