Cloud Based Ransomware Detection through Extension White-Listing and Magic Bytes Analysis

Abstract

Cloud Computing is an emerging technology which the modern world is embracing with each passing day. Cloud Computing has become the need of the hour as many organizations have pushed their business resources online for better availability, security and extended features. Moreover, due to current pandemic situation, a drastic increase in cloud usage has been observed throughout the world. These cloud resources contain many critical data that is vulnerable to different cyber-attacks. Ransomware is a cyber-attack which takes over the victim’s device and either encrypts the data or locks the file. A reasonable amount is asked as ransom usually in bitcoins in return of a decryption key. In recent past, ransomware attacks have gained momentum as many government and private organizations have fall victim to ransomware attacks. The importance of data protection has forced the research community to device counter measures for protection of data and resources from threat actors exploiting the vulnerabilities and victim’s devices for nefarious gains. In this thesis, we have discussed various detection techniques proposed for early warning of ransomware attacks. For that purpose, ransomware samples of different ransomware families were extracted and executed on sandbag environment to study various effects of ransomware on file structure and its attributes. We critically analyzed the changes made by ransomware to derive our detection technique based on those changes. Our detection technique focuses on file extensions and file signatures (magic bytes) which was initially tested in Virtual Machine Sandbag Environment. We then deployed our detection model on AWS cloud EC2 virtual server and analyzed results and power consumption in terms of processing power and memory.