Crypto-ransomware aims at extorting money from users by encrypting their files and asking them to pay for the decryption key. We present Ranflood; a configurable drop-in solution that contrasts ransomware attacks with a deluge of decoy files at specific locations (e.g., sensitive folders of the user, the attack site), deceiving the attacker into encrypting sacrificial files. Ranflood further slows down the attack by contending with the malware access to IO and computation resources of the targeted machine. The aim is to buy time for the defence team to take action (e.g., manually shutting down an unresponsive machine). We show how the extensibility and modularity of Ranflood's software architecture (1) can accommodate a wide spectrum of flooding strategies, easing the process of improving its effectiveness also against future ransomware families and (2) strive to maximise the tool's efficiency by exploiting the highest level of parallelism afforded by the attacked machine

Ranflood: A mitigation tool based on the principles of data flooding against ransomware

Berardi, Davide;
2024-01-01

Abstract

Crypto-ransomware aims at extorting money from users by encrypting their files and asking them to pay for the decryption key. We present Ranflood; a configurable drop-in solution that contrasts ransomware attacks with a deluge of decoy files at specific locations (e.g., sensitive folders of the user, the attack site), deceiving the attacker into encrypting sacrificial files. Ranflood further slows down the attack by contending with the malware access to IO and computation resources of the targeted machine. The aim is to buy time for the defence team to take action (e.g., manually shutting down an unresponsive machine). We show how the extensibility and modularity of Ranflood's software architecture (1) can accommodate a wide spectrum of flooding strategies, easing the process of improving its effectiveness also against future ransomware families and (2) strive to maximise the tool's efficiency by exploiting the highest level of parallelism afforded by the attacked machine
2024
Ransomware
Dynamic honeypot
Moving Target Defence
Data Flooding Against Ransomware
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/20.500.12606/10326
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 1
social impact