Abstract.
In this paper, we present the results of a long-term study of ransomware
attacks that have been observed in the wild between 2006 and 2014. We also
provide a holistic view on how ransomware attacks have evolved during this
period by analyzing 1,359 samples that belong to 15 different ransomware
families. Our results show that, despite a continuous improvement in the
encryption, deletion, and communication techniques in the main ransomware
families, the number of families with sophisticated destructive capabilities
remains quite small. In fact, our analysis reveals that in a large number of
samples, the malware simply locks the victim’s computer desktop or attempts to
encrypt or delete the victim’s files using only superficial techniques. Our
analysis also suggests that stopping advanced ransomware attacks is not as
complex as it has been previously reported. For example, we show that by
monitoring abnormal file system activity, it is possible to design a practical
defense system that could stop a large number of ransomware attacks, even those
using sophisticated encryption capabilities. A close examination of the file
system activity of multiple ransomware samples suggests that by looking at
I/O requests and protecting the Master File Table (MFT) in the NTFS file system,
it is possible to detect and prevent a significant number of zero-day ransomware
attacks.
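The following is an added illustration, not code from the paper, of the kind of file-system-activity monitoring the abstract proposes: it replays a constructed I/O request trace and flags a process that rewrites several distinct user files with high-entropy content within a short window, or that writes directly to the NTFS MFT. The window length, thresholds, user-directory prefix and MFT path are assumptions chosen for the example.

```python
from collections import defaultdict
from math import log2

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())

# Tunables (assumed values for this example, not taken from the paper).
WINDOW_S = 5.0            # look-back window for counting suspicious writes
MIN_FILES = 3             # distinct user files rewritten inside the window
ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data sits near 8.0
USER_DIRS = ("C:\\Users\\",)
MFT_PATH = "C:\\$MFT"

def detect(trace):
    """Return {pid: reason} for processes whose I/O pattern looks like ransomware.
    trace is an iterable of (timestamp_s, pid, op, path, payload_bytes)."""
    alerts = {}
    recent = defaultdict(list)  # pid -> [(t, path)] of recent high-entropy writes
    for t, pid, op, path, payload in trace:
        if op == "WRITE" and path.upper() == MFT_PATH.upper():
            alerts.setdefault(pid, f"direct write to {MFT_PATH}")
            continue
        if (op == "WRITE" and path.startswith(USER_DIRS)
                and shannon_entropy(payload) >= ENTROPY_THRESHOLD):
            hits = recent[pid]
            hits.append((t, path))
            hits[:] = [(ht, hp) for ht, hp in hits if t - ht <= WINDOW_S]  # expire old
            if len({hp for _, hp in hits}) >= MIN_FILES:
                alerts.setdefault(pid, f"{MIN_FILES}+ high-entropy user-file writes in {WINDOW_S:.0f}s")
    return alerts

# Constructed sample trace. HIGH is a byte permutation (entropy exactly 8.0),
# standing in for ciphertext; TEXT is ordinary low-entropy document content.
HIGH = bytes((i * 167 + 13) % 256 for i in range(256))
TEXT = b"Quarterly report draft, see attached figures. " * 6
TRACE = [
    (0.0, 1001, "WRITE", "C:\\Users\\alice\\Documents\\report.docx", TEXT),
    (0.5, 2002, "WRITE", "C:\\Users\\alice\\Documents\\report.docx", HIGH),
    (0.9, 2002, "WRITE", "C:\\Users\\alice\\Pictures\\holiday.jpg", HIGH),
    (1.4, 2002, "DELETE", "C:\\Users\\alice\\Pictures\\holiday.jpg", b""),
    (1.7, 2002, "WRITE", "C:\\Users\\alice\\Desktop\\budget.xlsx", HIGH),
    (9.0, 1001, "WRITE", "C:\\Users\\alice\\Documents\\notes.txt", TEXT),
    (12.0, 3003, "WRITE", "C:\\$MFT", b"\x00" * 64),
]

if __name__ == "__main__":
    print(detect(TRACE))
```

A legitimate archiver or encryption tool that rewrites many user files also produces high-entropy writes, so in practice this heuristic is combined with allow-listing or a user prompt rather than used to terminate processes on its own.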