Ransomware is a rapidly evolving type of malware designed to encrypt user files on a device, making them inaccessible in order to exact a ransom. Ransomware attacks have resulted in billions of dollars in damages in recent years and are expected to cause hundreds of billions more in the next decade. Because current state-of-the-art process-based detectors are heavily susceptible to evasion attacks, no comprehensive solution to this problem is available today. This paper presents Minerva, a new approach to ransomware detection. Unlike current methods, which identify ransomware through process-level behavioral modeling, Minerva detects ransomware by building behavioral profiles of files based on all the operations they receive in a time window. Minerva addresses some of the critical challenges associated with process-based approaches, specifically their vulnerability to complex evasion attacks. Our evaluation of Minerva demonstrates its effectiveness in detecting ransomware attacks, including those that are able to bypass existing defenses. Our results show that Minerva identifies ransomware activity with an average accuracy of 99.45% and an average recall of 99.66%, with 99.97% of ransomware detected within 1 second.
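The following Python sketch is an added illustration of the file-centric idea the abstract describes; it is not code from the paper and does not reproduce Minerva's actual model, features or thresholds. It contrasts two views of the same constructed I/O trace: a process-centric detector that counts how many files each process modifies inside a one-second window, and a file-centric detector that records the ordered operations each file receives regardless of which process issued them. The trace, the `read -> write -> rename` pattern used as a stand-in for in-place encryption, and both thresholds are assumptions chosen for the demonstration. When the same work is spread across several processes, each process stays under the per-process threshold, while the per-file profiles still show every victim file receiving the full pattern.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileOp:
    t: float   # seconds since the start of the trace
    pid: int   # process that issued the operation
    path: str  # file that received the operation (rename recorded against the original path)
    op: str    # "read", "write" or "rename"


# Hypothetical parameters for this illustration only (not Minerva's values).
WINDOW_SECONDS = 1.0
PROCESS_FILES_THRESHOLD = 3   # distinct files one process must modify to be flagged
FILE_VICTIMS_THRESHOLD = 3    # files showing the pattern before the window is flagged
ENCRYPT_PATTERN = ("read", "write", "rename")  # assumed in-place-encryption signature


def ops_in_window(trace, start):
    """Operations whose timestamp falls in [start, start + WINDOW_SECONDS)."""
    return [o for o in trace if start <= o.t < start + WINDOW_SECONDS]


def process_based_alert(trace, start):
    """Process-centric view: flag any process that modified too many distinct files."""
    modified = defaultdict(set)
    for o in ops_in_window(trace, start):
        if o.op in ("write", "rename"):
            modified[o.pid].add(o.path)
    return {pid for pid, files in modified.items() if len(files) >= PROCESS_FILES_THRESHOLD}


def file_profiles(trace, start):
    """File-centric view: the ordered operations each file received, whoever issued them."""
    profiles = defaultdict(list)
    for o in sorted(ops_in_window(trace, start), key=lambda o: o.t):
        profiles[o.path].append(o.op)
    return profiles


def contains_in_order(ops, pattern):
    """True if `pattern` occurs in `ops` as an ordered subsequence."""
    it = iter(ops)
    return all(p in it for p in pattern)


def file_based_alert(trace, start):
    """Flag the window when enough files show the assumed encryption pattern."""
    victims = {path for path, ops in file_profiles(trace, start).items()
               if contains_in_order(ops, ENCRYPT_PATTERN)}
    return victims if len(victims) >= FILE_VICTIMS_THRESHOLD else set()


def relabel(trace, pid):
    """Attribute every operation to a single process (the non-evasive shape of the same activity)."""
    return [FileOp(o.t, pid, o.path, o.op) for o in trace]


# Constructed sample trace: a benign editor saving one document, plus five
# processes that each read, overwrite and rename exactly one file.
TRACE = [
    FileOp(0.10, 100, "/home/u/notes.txt", "read"),
    FileOp(0.40, 100, "/home/u/notes.txt", "write"),
    FileOp(0.80, 100, "/home/u/notes.txt", "write"),
] + [
    op
    for i, pid in enumerate(range(201, 206))
    for op in (
        FileOp(0.20 + i * 0.05, pid, f"/home/u/doc{i}.pdf", "read"),
        FileOp(0.21 + i * 0.05, pid, f"/home/u/doc{i}.pdf", "write"),
        FileOp(0.22 + i * 0.05, pid, f"/home/u/doc{i}.pdf", "rename"),
    )
]


if __name__ == "__main__":
    print("process-based, split across processes:", process_based_alert(TRACE, 0.0))
    print("file-based,    split across processes:", sorted(file_based_alert(TRACE, 0.0)))
    print("process-based, single process:        ", process_based_alert(relabel(TRACE, 300), 0.0))
```

Run as a script, the process-centric detector reports nothing for the multi-process trace while the file-centric detector lists all five `.pdf` paths; collapsing the same operations onto one process makes the process-centric detector fire as well. The benign editor's `read, write, write` profile never matches the pattern because it lacks the rename step, which is the kind of per-file distinction a file-centric profile can draw without knowing anything about the issuing process.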