Ransomware variants increasingly combine privilege escalation with sophisticated evasion strategies such as intermittent encryption, low-entropy encryption, and imitation attacks. Such powerful ransomware variants, privilege-escalated evasive ransomware (PEER), can defeat existing solutions that rely on I/O-pattern analysis by tampering with or obfuscating I/O traces. Meanwhile, conventional statistical content-based detection becomes unreliable as the amount of encrypted data shrinks, because the sampled statistics are dominated by noise. We present Rhea, a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. Rhea introduces Format-Aware Validation, which checks the syntactic and semantic correctness of file formats instead of relying on statistical or entropy-based indicators. By using file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even when the attacker holds elevated privileges. Our evaluation demonstrates that Rhea significantly outperforms existing approaches, establishing its practical effectiveness against modern ransomware threats.
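To illustrate the Format-Aware Validation idea above, here is an added example (not Rhea's own code) in which a small PNG validator checks the format's syntactic invariants (signature, chunk framing, per-chunk CRC) and one semantic invariant (decoded scanline size must match the IHDR geometry), then compares that against byte entropy on a constructed file before and after an 8-byte XOR that stands in for intermittent, low-entropy encryption. The sample PNG, the XOR window and the 0x5A key are constructed for the demonstration.

```python
import math, struct, zlib
from collections import Counter
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_png(width: int = 8, height: int = 8) -> bytes:
    """Constructed input: a valid 8-bit grayscale PNG with IHDR, one IDAT and IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # bit depth 8, colour type 0 = grayscale
    rows = (b"\x00" + bytes((x * 31 + y * 7) & 0xFF for x in range(width)) for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"".join(rows))) + _chunk(b"IEND", b"")

def validate_png(data: bytes) -> list:
    """Format-aware validation: return the PNG invariants the file violates (empty list = intact)."""
    if data[:8] != PNG_SIG:
        return ["bad signature"]
    issues, types, ihdr, idat, pos = [], [], b"", b"", 8
    while pos + 8 <= len(data):  # walk the chunk sequence
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            issues.append(f"truncated chunk {ctype!r}")
            break
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):  # syntactic invariant: per-chunk CRC
            issues.append(f"CRC mismatch in {ctype!r}")
        types.append(ctype)
        ihdr = body if ctype == b"IHDR" else ihdr
        idat += body if ctype == b"IDAT" else b""
        pos += 12 + length
    if types[:1] != [b"IHDR"] or types[-1:] != [b"IEND"]:
        issues.append("chunk order violation")
    try:  # semantic invariant: decoded scanlines must match IHDR geometry (1 filter byte + width samples)
        w, h = struct.unpack(">II", ihdr[:8])
        if len(zlib.decompress(idat)) != h * (1 + w):
            issues.append("decoded pixel data has wrong size")
    except (zlib.error, struct.error):
        issues.append("IDAT does not decode for the declared geometry")
    return issues

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy per byte, the signal entropy-based detectors rely on."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def xor_window(data: bytes, offset: int, size: int, key: int = 0x5A) -> bytes:
    """Constructed stand-in for intermittent, low-entropy encryption: one small window, one-byte key."""
    return data[:offset] + bytes(b ^ key for b in data[offset:offset + size]) + data[offset + size:]
```

Calling `validate_png(xor_window(build_sample_png(), 44, 8))` (byte 44 lies inside the IDAT payload, which starts at byte 41) reports the IDAT CRC mismatch, while the file's entropy moves by well under one bit per byte, which is the gap between format invariants and statistical indicators that the abstract describes.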