Crypto-Ransomware and Their Defenses: In-depth Behavioral Characterization, Discussion of Deployability, and New Insights
Wenjia Song, Sanjula Karanam, Ya Xiao, Jingyuan Qi, Nathan Dautenhahn, Na Meng, Elena Ferrari, Danfeng (Daphne) Yao

TL;DR
This paper reviews 117 ransomware defenses, analyzes their deployability and runtime behaviors, and offers insights and future directions for practical, effective ransomware detection methods.
Contribution
It provides a comprehensive categorization of defenses, quantitative analysis of ransomware behaviors, and evaluates commercial solutions to identify security gaps and improve deployability.
Findings
API-based solutions are easier to deploy.
Runtime behaviors of ransomware can inform detection.
Commercial defenses have identifiable security gaps.
Abstract
Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have focused on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance to detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level at which they are implemented, and discuss their deployability. API-based solutions are easy to deploy, and most existing works focus on machine learning-based classification. To provide more insights, we quantitatively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally…
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Network Security and Intrusion Detection
