Crypto-ransomware attacks have been a growing threat over the last few years. The goal of every ransomware strain is to encrypt user data so that the attackers can later demand a ransom from users for unlocking it. To maximise their chances of being paid, attackers equip their ransomware with strong encryption, which produces files with high entropy values. Davies et al. proposed Differential Area Analysis (DAA), a technique that analyses file headers to differentiate compressed, regularly encrypted, and ransomware-encrypted files. In this paper, we first propose three different attacks that perform malicious header manipulation to bypass DAA detection. We then propose three countermeasures, namely 2-Fragments (2F), 3-Fragments (3F), and 4-Fragments (4F), each of which can be applied equally against all three of the attacks we propose. We conduct a number of experiments to analyse the ability of our countermeasures to detect ransomware-encrypted files, whether or not they implement our proposed attacks. Finally, we test the robustness of our own countermeasures by analysing their performance, in terms of files analysed per second and resilience to extensive injection of low-entropy data. Our results show that our detection countermeasures are viable and deployable alternatives to DAA.
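As an added illustration (not code from the paper), the following Python sketch contrasts a header-only entropy check with a k-fragment check on constructed inputs, showing why a single header sample can be fooled by a low-entropy header while samples spread across the file are not. The equal fragment spacing, the 4 KiB fragment size, the 7.5-bit threshold and the median decision rule are assumptions made for this example, not the definitions of DAA or of 2F/3F/4F.

```python
import math
import random
from statistics import median

# Shannon entropy of a byte string in bits per byte (0.0 to 8.0).
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

# Assumed k-fragment sampler: k fragments of frag_len bytes, equally spaced
# from offset 0 to the end of the file. k=1 degenerates to a header-only check.
def fragment_entropies(data: bytes, k: int, frag_len: int = 4096) -> list:
    if k < 1 or len(data) < frag_len:
        raise ValueError("need k >= 1 and at least one fragment of data")
    step = (len(data) - frag_len) // (k - 1) if k > 1 else 0
    return [shannon_entropy(data[i * step:i * step + frag_len]) for i in range(k)]

# Decision rule (an assumption for this example, not the paper's classifier):
# the file looks encrypted when the median fragment entropy reaches the threshold.
def looks_encrypted(data: bytes, k: int, threshold: float = 7.5) -> bool:
    return median(fragment_entropies(data, k)) >= threshold

# Constructed fixtures with a fixed seed so the results are reproducible.
rng = random.Random(1)
BODY = bytes(rng.getrandbits(8) for _ in range(64 * 1024))   # cipher-like, high entropy
LOW_HEADER = b"\x00" * 4096                                  # low-entropy header region
PLAIN = b"The quick brown fox jumps over the lazy dog. " * 1500  # natural-text-like

FIXTURES = {
    "encrypted": BODY,                                # fully high-entropy file
    "encrypted_low_header": LOW_HEADER + BODY[4096:],  # high-entropy body, low-entropy header
    "plaintext": PLAIN,                               # low entropy throughout
}

# Classify every fixture with a k-fragment check; returns {name: flagged}.
def classify_all(k: int) -> dict:
    return {name: looks_encrypted(data, k) for name, data in FIXTURES.items()}

if __name__ == "__main__":
    for k in (1, 3):
        print(f"k={k}:", classify_all(k))
```

With k=1 the header-only view misses the file whose header was replaced with low-entropy bytes; with k=3 the two body fragments outvote the header and the file is flagged, while the plaintext fixture stays unflagged in both cases.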