Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud

TL;DR

Rhea is a cloud-based system that detects sophisticated, privilege-escalated evasive ransomware by validating file formats rather than relying on traditional statistical or entropy-based methods.

Contribution

It introduces Format-Aware Validation leveraging file-format specifications to reliably detect evasive ransomware that bypasses existing detection techniques.

Findings

Rhea outperforms existing ransomware detection methods.

Effective against privilege-escalated evasive ransomware.

Reliable detection with minimal false positives.

Abstract

Ransomware variants increasingly combine privilege escalation with sophisticated evasion strategies such as intermittent encryption, low-entropy encryption, and imitation attacks. Such powerful ransomware variants, privilege-escalated evasive ransomware (PEER), can defeat existing solutions relying on I/O-pattern analysis by tampering with or obfuscating I/O traces. Meanwhile, conventional statistical content-based detection becomes unreliable as the encryption size decreases due to sampling noises. We present Rhea, a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. Rhea introduces Format-Aware Validation that validates the syntactic and semantic correctness of file formats, instead of relying on statistical or entropy-based indicators. By leveraging file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even under elevated attacker privileges. Our evaluation demonstrates that Rhea significantly outperforms existing approaches, establishing its practical effectiveness against modern ransomware threats.