Abstract
Unwanted data encryption, such as ransomware attacks, continues to be a
significant cybersecurity threat. Ransomware is a preferred weapon of
cybercriminals who target small to large organizations’ computer systems
and data centres. It is malicious software that infects a victim’s
computer system and encrypts all its valuable data files. The victim
needs to pay a ransom, often in cryptocurrency, in return for a
decryption key. Many solutions use methods, including the inspection of
file signatures, runtime process behaviors, API calls, and network
traffic, to detect ransomware code. However, unwanted data encryption is
still a top threat. This paper presents the first immunity solution,
called the digital immunity module (DIM). DIM focuses on protecting
valuable business-related data files from unwanted encryption rather
than detecting malicious codes or processes. We show that methods such
as file entropy and fuzzy hashing can be effectively used to sense
unwanted encryption on a protected file, triggering our novel source
coding method to paralyze the malicious manipulation of data such as
ransomware encryption. Specifically, maliciously encrypted data blocks
consume exponentially larger space and longer writing time on the
DIM-protected file system. As a result, DIM creates enough time for
system/human intervention and forensics analysis. Unlike the existing
solutions, DIM protects the data regardless of ransomware families and
variants. Additionally, DIM can defend against multiple simultaneously
active ransomware, including the most recent fileless ones, which are
hard to detect and stop. We tested our solution on 39 ransomware families,
including the most recent ransomware attacks. DIM successfully defended
our sample file dataset (1335 pdf, jpg, and tiff files) against those
ransomware attacks with zero file loss.
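The abstract's sensing step (file entropy plus a fuzzy-hash style similarity check on a pending write) as an added illustration; this is not the paper's DIM code. It assumes a byte n-gram Jaccard score as a stand-in for a real fuzzy hash such as ssdeep, and the sample file and thresholds are constructed for the demo.

```python
import math
import hashlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets; a simple stand-in for a fuzzy-hash
    comparison (e.g. ssdeep) answering 'is the new content still related to the old?'"""
    grams_a = {a[i:i + n] for i in range(len(a) - n + 1)}
    grams_b = {b[i:i + n] for i in range(len(b) - n + 1)}
    if not grams_a and not grams_b:
        return 1.0
    return len(grams_a & grams_b) / len(grams_a | grams_b)

def looks_like_unwanted_encryption(current: bytes, proposed: bytes,
                                   entropy_threshold: float = 7.5,
                                   similarity_threshold: float = 0.1) -> bool:
    """Flag a pending write when the new content is near-random AND shares almost
    nothing with what the file held before (a normal edit keeps most n-grams)."""
    return (shannon_entropy(proposed) >= entropy_threshold
            and ngram_similarity(current, proposed) < similarity_threshold)

def random_like_bytes(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 counter stream) standing in for the
    ciphertext a ransomware write would produce; constructed for this demo only."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]

# Constructed sample 'protected file': a PDF-like header plus repetitive business text.
ORIGINAL = b"%PDF-1.4\n" + b"Quarterly revenue report, Q3 figures by region. " * 60
BENIGN_EDIT = ORIGINAL.replace(b"Q3", b"Q4", 1)          # a normal in-place change
ENCRYPTED_WRITE = random_like_bytes(len(ORIGINAL))       # whole file overwritten

if __name__ == "__main__":
    for name, proposed in (("benign edit", BENIGN_EDIT), ("encrypted write", ENCRYPTED_WRITE)):
        print(f"{name}: entropy={shannon_entropy(proposed):.2f} "
              f"similarity={ngram_similarity(ORIGINAL, proposed):.2f} "
              f"flag={looks_like_unwanted_encryption(ORIGINAL, proposed)}")
```

Only the encrypted overwrite trips both conditions; the benign edit keeps low entropy and high similarity, which is the distinction DIM relies on before its source coding step engages.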