Volume 12 - Issue 3
RansomSOC: A More Effective Security Operations Center to Detect and Respond to Ransomware Attacks
- Anthony Cheuk Tung Lai
VX Research Limited, Langham Place Office Tower, 8 Argyle Street, Suite 2512, Hong Kong, Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong
anthonation@gmail.com
- Ping Fan Ke
Singapore Management University, 81 Victoria St, Singapore 188065, Singapore
pfke@smu.edu.sg
- Kelvin Chan
Microsoft Corporation, One Microsoft Way, Redmond, Washington, 98052-6399, USA
kelvin.chan@microsoft.com
- Siu Ming Yiu
University of Hong Kong, Pok Fu Lam, Hong Kong
smyiu@cs.hku.hk
- Dongsun Kim
Kyungpook National University, 80, Daehak-ro, Buk-gu, Daegu, Republic of Korea
darkrsw@knu.ac.kr
- Wai Kin Wong
Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong
wkwongal@cse.ust.hk
- Shuai Wang
Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong
shuaiw@cse.ust.hk
- Joseph Muppala
Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong
muppala@cse.ust.hk
- Alan Ho
VX Research Limited, Langham Place Office Tower, 8 Argyle Street, Suite 2512, Hong Kong
alanh0@vxrl.hk
Keywords: Ransomware, Virus, Malware
Abstract
Ransomware remains a major threat to organizations. Despite extensive research, existing solutions still have at least two shortcomings. (I) Slow detection time: by the time we realize that the system is under ransomware attack, almost all files have already been encrypted. (II) No ransomware-aware backup scheme: most existing systems, in particular those in SMEs (small and medium enterprises), do not have a proper backup system. Even if they have one, either it is not a remote-site backup (i.e., files in the backup system may also be encrypted) or it is not designed for ransomware attacks. In this paper, based on the analysis of four popular ransomware families, we propose the design of a more effective Security Operations Center (SOC) framework specific to ransomware attack detection and response, called RansomSOC. The core ideas behind RansomSOC are the following. (a) A novel real-time emergency local data backup scheme: we exploit a design flaw of ransomware and come up with a scheme that enables a real-time emergency backup of critical files even after the attack starts, keeping the number of encrypted files as small as possible. (b) Easy-to-detect ransomware honey files: based on the change in entropy values, we identified a set of file types to create honey files (in a honeypot), which enable our detection module to quickly detect the presence of a ransomware attack. Our experiments show that RansomSOC is able to detect an attack within about 5 - 10 seconds after the attack starts. For a 1GB folder, RansomSOC is able to back up more than 91% of the data even after the attack starts, and over 95% of this data can be restored.
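The abstract's honey-file idea rests on one observable: a low-entropy bait file (text, CSV and similar formats) jumps toward the 8 bits-per-byte ceiling the moment ransomware rewrites it with ciphertext. The following is an added illustration of that detection signal and is not RansomSOC's own code; the `HoneyFileMonitor` class, the `/honey/invoice.txt` path, the sample content and the two thresholds (a jump of 2.0 bits over the file's baseline and an absolute floor of 7.0 bits) are assumptions chosen for the example, not values reported by the paper.

```python
"""Honey-file entropy monitor: illustrative example, not the paper's implementation."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file body.

    SHA-256 chaining is used only so the demo is reproducible; the point is that
    ciphertext looks like uniformly distributed bytes, whatever produced it.
    """
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed honey-file content: a low-entropy text document of the kind the
# abstract describes as bait (file types whose entropy rises sharply once encrypted).
HONEY_PLAINTEXT = b"Invoice 2023-001\nCustomer: Example Ltd\nAmount: 1200.00\n" * 64


class HoneyFileMonitor:
    """Tracks baseline entropy of honey files and flags a ransomware-like rewrite.

    An alert requires both a large jump relative to the file's own baseline and an
    absolute entropy close to the 8-bit ceiling, so ordinary edits to a text file
    (which leave entropy roughly where it was) do not trigger it.
    The thresholds are assumptions for this example, not values from the paper.
    """

    def __init__(self, jump_threshold: float = 2.0, absolute_threshold: float = 7.0):
        self.jump_threshold = jump_threshold
        self.absolute_threshold = absolute_threshold
        self.baselines: Dict[str, float] = {}

    def register(self, path: str, content: bytes) -> float:
        """Record the entropy of a freshly planted honey file and return it."""
        baseline = shannon_entropy(content)
        self.baselines[path] = baseline
        return baseline

    def check(self, path: str, content: bytes) -> Optional[dict]:
        """Return an alert record if `content` looks like an encrypted rewrite of `path`."""
        if path not in self.baselines:
            raise KeyError(f"honey file not registered: {path}")
        baseline = self.baselines[path]
        current = shannon_entropy(content)
        if current - baseline >= self.jump_threshold and current >= self.absolute_threshold:
            return {"path": path, "baseline": baseline, "current": current,
                    "reason": "entropy jump consistent with encryption"}
        return None


def run_demo() -> List[dict]:
    """Feed three constructed write events to the monitor and return the alerts raised."""
    monitor = HoneyFileMonitor()
    monitor.register("/honey/invoice.txt", HONEY_PLAINTEXT)
    events = [
        ("/honey/invoice.txt", HONEY_PLAINTEXT + b"Note: paid 2023-02-01\n"),  # benign edit
        ("/honey/invoice.txt", HONEY_PLAINTEXT),                              # unchanged
        ("/honey/invoice.txt", pseudo_random_bytes(len(HONEY_PLAINTEXT))),    # encrypted rewrite
    ]
    alerts = []
    for path, content in events:
        alert = monitor.check(path, content)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the third event, the high-entropy rewrite, produces an alert; the benign append and the unchanged read do not. In a deployment the `check` call would be driven by a filesystem change notification on the honey paths, and the alert would be the trigger for the emergency backup the abstract describes; that wiring is outside this example.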