Hypervisor-based Double Extortion Ransomware Detection Method Using Kitsune Network Features
Manabu Hirano, Ryotaro Kobayashi

TL;DR
This paper introduces a hypervisor-based detection method for double extortion ransomware that combines low-level storage and memory behavioral features with Kitsune network traffic features captured from a thin hypervisor, improving detection of the data exfiltration phase that precedes encryption.
Contribution
It presents a detection approach that pairs hypervisor-level storage and memory features with the network features of the Kitsune NIDS, so that exfiltration can still be detected after attackers have defeated OS-level protection.
Findings
Improved the macro F score for detecting the data exfiltration phase by 0.166.
Used hypervisor-based storage, memory, and network features for ransomware detection.
Discussed the limitations of the method and directions for future work.
Abstract
Double extortion ransomware attacks have become mainstream because many organizations have adopted more robust and resilient data backup strategies against conventional crypto-ransomware. This paper presents the detailed attack stages, tactics, procedures, and tools used in double extortion ransomware attacks. We then present a novel detection method that uses low-level storage and memory behavioral features and network traffic features obtained from a thin hypervisor to establish a defense-in-depth strategy for when attackers compromise OS-level protection. We employ the network features of the lightweight Kitsune Network Intrusion Detection System (NIDS) to detect the data exfiltration phase of double extortion ransomware attacks. Our experimental results show that the presented method improves the macro F score for detecting the data exfiltration phase by 0.166. Lastly, we discuss the…
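The Kitsune features the abstract refers to are damped incremental statistics (packet-count weight, mean and standard deviation of packet size) kept per traffic stream at five time scales, which Kitsune then scores with an autoencoder ensemble. The block below is an added, illustrative reimplementation of that feature extraction written for this page; it is not code from the paper or from the Kitsune project. The packet trace, the two stream keys (source host and source-to-destination channel), the class and function names, and the choice of lambda values are assumptions made for the example. It shows how a bulk outbound transfer separates from light browsing in the short-window statistics before any classifier is involved; the paper's hypervisor-level storage and memory features are not modelled here.

```python
"""
Kitsune-style damped incremental statistics ("AfterImage" features) over a
constructed packet trace. Illustrative reimplementation for this page, not
code from the paper or from the Kitsune project; the trace, the stream keys
and the helper names are assumptions for the example.
"""
import math
from dataclasses import dataclass
from typing import Optional

# Five time scales (decay factors lambda); a larger lambda forgets faster.
LAMBDAS = (5.0, 3.0, 1.0, 0.1, 0.01)


@dataclass
class IncStat:
    """Damped running statistics of one stream at one time scale."""
    lam: float
    w: float = 0.0            # decayed packet count (weight)
    ls: float = 0.0           # decayed linear sum of packet sizes
    ss: float = 0.0           # decayed sum of squared packet sizes
    t_last: Optional[float] = None

    def update(self, t: float, x: float) -> None:
        # Decay the old sums by 2^(-lambda * elapsed), then add the new packet.
        if self.t_last is not None:
            gamma = 2.0 ** (-self.lam * (t - self.t_last))
            self.w *= gamma
            self.ls *= gamma
            self.ss *= gamma
        self.w += 1.0
        self.ls += x
        self.ss += x * x
        self.t_last = t

    def stats(self) -> tuple:
        """(weight, mean, std) of the stream within the damped window."""
        if self.w == 0.0:
            return (0.0, 0.0, 0.0)
        mean = self.ls / self.w
        var = abs(self.ss / self.w - mean * mean)   # abs() absorbs rounding
        return (self.w, mean, math.sqrt(var))


class KitsuneLikeFE:
    """Per-packet features for the source-host stream and the src->dst channel."""

    def __init__(self, lambdas=LAMBDAS):
        self.lambdas = lambdas
        self.stats = {}

    def _stat(self, key, lam) -> IncStat:
        k = (key, lam)
        if k not in self.stats:
            self.stats[k] = IncStat(lam)
        return self.stats[k]

    def step(self, t: float, src: str, dst: str, size: int) -> list:
        """Update with one outbound packet and return its feature vector.
        Layout: for each lambda, host (w, mean, std) then channel (w, mean, std)."""
        feats = []
        for lam in self.lambdas:
            for key in (("host", src), ("channel", src, dst)):
                st = self._stat(key, lam)
                st.update(t, size)
                feats.extend(st.stats())
        return feats


def feature_index(lam: float, stream: str, stat: str) -> int:
    """Position of one feature in the vector returned by KitsuneLikeFE.step()."""
    i = LAMBDAS.index(lam)
    j = ("host", "channel").index(stream)
    k = ("w", "mean", "std").index(stat)
    return i * 6 + j * 3 + k


def build_trace() -> list:
    """Constructed trace: 30 s of light browsing, then a 10 s bulk upload."""
    pkts = []
    for i in range(30):        # 1 packet/s, alternating small sizes
        pkts.append((float(i), "10.0.0.5", "203.0.113.10", 120 if i % 2 == 0 else 540))
    for i in range(1000):      # 100 packets/s of full-size frames to a new peer
        pkts.append((30.0 + i * 0.01, "10.0.0.5", "198.51.100.7", 1460))
    return pkts


def run_demo() -> dict:
    """Feature vector emitted at the last packet of each phase of the trace."""
    fe = KitsuneLikeFE()
    out = {}
    for n, (t, src, dst, size) in enumerate(build_trace()):
        f = fe.step(t, src, dst, size)
        if n == 29:
            out["normal"] = f
        elif n == 1029:
            out["exfil"] = f
    return out


if __name__ == "__main__":
    r = run_demo()
    for stat in ("w", "mean", "std"):
        idx = feature_index(1.0, "host", stat)
        print(f"host {stat:4s} at lambda=1: normal={r['normal'][idx]:8.1f} "
              f"exfil={r['exfil'][idx]:8.1f}")
```

At lambda = 1 the host weight settles near 2 during the 1 packet/s browsing phase and near 145 during the upload, while the mean size jumps from about 400 to about 1460 bytes and the standard deviation collapses because the exfiltration frames are all the same size. A practitioner would feed these vectors, together with the hypervisor-level features the paper describes, to an anomaly scorer rather than threshold them by hand; the point of the example is only to make visible what the "network feature" in the abstract is.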
