Fight Virus Like a Virus: A New Defense Method Against File-Encrypting Ransomware
Joshua Morris, Dan Lin, Marcellus Smith

TL;DR
This paper introduces a novel ransomware defense mechanism that uses data streams to mislead ransomware, allowing data recovery and attack mitigation on Windows systems.
Contribution
A new ransomware defense method leveraging Alternative Data Streams to deceive ransomware into attacking non-essential file parts.
Findings
Effective against various ransomware types
Demonstrates usability and efficiency
Successfully mitigates ransomware attacks
Abstract
Nowadays, ransomware has become a new profitable form of attack. This type of malware acts as a form of extortion which encrypts the files in a victim's computer and forces the victim to pay the ransom to have the data recovered. Even companies and tech-savvy people must use extensive resources to maintain backups for recovery or else they will lose valuable data, not to mention average users. Unfortunately, not any recovery tool can effectively defend against various types of ransomware. To address this challenge, we propose a novel ransomware defense mechanism that can be easily deployed in modern Windows systems to recover the data and mitigate a ransomware attack. The uniqueness of our approach is to fight the virus like a virus. We leverage Alternative Data Streams, which are sometimes used by malicious applications, to develop a data protection method that misleads the ransomware to attack…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Security and Verification in Computing
