Search papers, labs, and topics across Lattice.
This paper introduces a hybrid detection framework for crypto-ransomware that operates within integrated file server and client environments, addressing the limitations of traditional endpoint detection systems. By leveraging a novel Region of Interest (RoI) technique to analyze network traffic and extract Indicators of Compromise (IoCs), the framework enhances existing security tools and trains a machine learning model to effectively identify evasive ransomware variants. The proposed method achieves an impressive detection precision of 99.64% with a 0% false negative rate, enabling early detection of ransomware intrusions before substantial damage occurs.
Achieving 99.64% detection precision with zero false negatives, this framework redefines ransomware detection in shared storage environments.
Most corporate workplace environments enforce policies and technical controls that limit the storage of sensitive data on client endpoints. Consequently, ransomware operators have evolved variants that expand their attack surface from local systems to network drives and shared storage resources. As traditional endpoint detection mechanisms focus primarily on local system behaviour, a compromised client can impact remote file servers, such as by encrypting shared data, without directly triggering behavioural changes on the servers themselves. In this paper, we propose a hybrid detection framework for detecting crypto-ransomware intrusion within integrated file server and client environments. The framework is based on a new technique referred to as Region of Interest (RoI) to analyse network traffic and extract Indicators of Compromise (IoCs). The IoC repository serves as an additional ruleset to enhance existing security tools such as EDRs and IDSs, while RoI-derived features are used to train an ML model to detect highly evasive variants. This study incorporates a broader set of ransomwares families and carefully selected benign behaviors based on domain expertise, ensuring coverage of common user actions that could interfere with ransomware detection. Beyond IoCs, which operate in a signature-based manner, our machine learning module achieves a detection precision of 99.64%, with a 0% false negative rate (FNR) and a minimal false positive rate (FPR). Furthermore, the proposed method enables early detection, identifying ransomware intrusions before significant damage occurs, achieving an accuracy of 99.44%.