ranDecepter: Real-time Identification and Deterrence of Ransomware Attacks
Md Sajidul Islam Sajid, Jinpeng Wei, Ehab Al-Shaer

TL;DR
ranDecepter is a real-time cyber deception system that detects ransomware, isolates it, and depletes attacker resources by feeding false information, demonstrating perfect accuracy and significant resource exhaustion in tests.
Contribution
The paper introduces ranDecepter, a novel real-time ransomware detection and deception framework that actively misleads attackers and depletes their resources, a new approach in cyber defense.
Findings
100% accuracy in ransomware identification
No false positives during evaluation
Depletes attacker resources with over 9 million entries generated
Abstract
Ransomware (RW) presents a significant and widespread threat in the digital landscape, necessitating effective countermeasures. Active cyber deception is a promising strategy to thwart RW and limit its propagation by misleading it with false information and revealing its true behaviors. Furthermore, RW often acts as a communication conduit between attackers and defenders, allowing deception to return false data to attackers and deplete their resources. This paper introduces ranDecepter, a novel approach that combines active cyber deception with real-time analysis to enhance defenses against RW attacks. The ranDecepter identifies RW in real time and isolates it within a deceptive environment, autonomously identifying critical elements in the RW code to create a loop mechanism. By repeatedly restarting the malware and transmitting counterfeit encryption information and secret keys to…
