Vig-WaR: Vigilantly Watching Ransomware for Robust Trapping and Containment
Abstract
State-of-the-art ransomware detection tools are ineffective at detecting emerging attacks due to social engineering tricks and technical shortcomings. To neutralize ransomware attacks, a new framework called 'RTrap' was proposed in IEEE TIFS'23 that uses ML-generated deceptive files to detect and contain ransomware. This paper introduces a novel attack named 'GonnaCharge' that is capable of bypassing the RTrap defense mechanism and successfully encrypting user files. It achieves this by identifying the generated decoy files used by RTrap and selectively encrypting the remaining files in the target directory, leaving the decoy file untouched. Further, to overcome this vulnerability of RTrap, we propose a countermeasure, an enhanced RTrap named 'Vig-WaR', which introduces a lightweight iNode (index node) watcher to monitor the files in the directory. The iNode watcher promptly executes an automated response after detection and thus improves the effectiveness of Vig-WaR in detecting and mitigating ransomware attacks in a timely manner. The experimental findings reveal that Vig-WaR is able to detect the specified ransomware, resulting in an average loss of 35 files per 5000 legitimate user files, with an average detection time of 530 ms and an average stopping time of 98 ms. © 2024 IEEE.