Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations-Reference-Cited by-同舟云学术

Entropy Sharing in Ransomware: Bypassing Entropy-Based Detection of Cryptographic Operations

Published:2024-02-23 Issue:5 Volume:24 Page:1446
ISSN:1424-8220
Container-title:Sensors
language:en
Short-container-title:Sensors

Author:

Bang Jiseok¹^ORCID,Kim Jeong Nyeo²^ORCID,Lee Seungkwang¹^ORCID

Affiliation:

1. Department of Cyber Security, Dankook University, Yongin 16890, Republic of Korea

2. Cyber Security Research Division, Electronics and Telecommunications Research Institute (ETRI), Daejeon 34129, Republic of Korea

Abstract

This study presents a groundbreaking approach to the ever-evolving challenge of ransomware detection. A lot of detection methods predominantly rely on pinpointing high-entropy blocks, which is a hallmark of the encryption techniques commonly employed in ransomware. These blocks, typically difficult to recover, serve as key indicators of malicious activity. So far, many neutralization techniques have been introduced so that ransomware utilizing standard encryption can effectively bypass these entropy-based detection systems. However, these have limited capabilities or require relatively high computational costs. To address these problems, we introduce a new concept entropy sharing. This method can be seamlessly integrated with every type of cryptographic algorithm and is also composed of lightweight operations, masking the high-entropy blocks undetectable. In addition, the proposed method cannot be easily nullified, contrary to simple encoding methods, without knowing the order of shares. Our findings demonstrate that entropy sharing can effectively bypass entropy-based detection systems. Ransomware utilizing such attack methods can cause significant damage, as they are difficult to detect through conventional detection methods.

Funder

Korea Research Institute for defense Technology planning and advancemen

Publisher

MDPI AG

Link

https://www.mdpi.com/1424-8220/24/5/1446/pdf

Reference42 articles.

1. Rcryptect: Real-time detection of cryptographic function in the user-space filesystem;Lee;Comput. Secur.,2022

2. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions;Oz;ACM Comput. Surv.,2022

3. Automatic detection of DGA-enabled malware using SDN and traffic behavioral modeling;Ahmed;IEEE Trans. Netw. Sci. Eng.,2022

4. Bos, H., Monrose, F., and Blanc, G. (2015, January 2–4). HelDroid: Dissecting and Detecting Mobile Ransomware. Proceedings of the 18th International Symposium, RAID 2015, Kyoto, Japan.

5. Cuppens, F., Cuppens, N., Lanet, J.L., and Legay, A. (2016, January 5–7). Ransomware and the Legacy Crypto API. Proceedings of the 11th International Conference, CRiSIS 2016, Roscoff, France.