Authors: Luigi Catuogno (1) and Clemente Galdi (2)
Affiliations:
(1) Dipartimento di Informatica, Università degli Studi di Salerno, Fisciano, Salerno, Italy
(2) Dipartimento di Studi Politici e Sociali, Università degli Studi di Salerno, Fisciano, Salerno, Italy
Keyword(s):
Ransomware, Ransomware Detection, Ransomware Tracking, Malice Indicators, File System Hooking, Testbed.
Abstract:
Ransomware detection is gaining growing importance in the scientific literature because of the widespread diffusion and economic impact of this type of malware. A successful ransomware detection system must identify malicious behaviour as soon as possible while keeping the false positive rate low. To this end, different strategies have been explored. Recently, a promising approach has emerged: it looks for running ransomware by measuring the different activities that every process performs on the file system. Such measurements are represented by quantitative "indicators". The selection of indicators and their interpretation are critical and challenging tasks. In this paper we survey some of the most representative file-system-centered ransomware detectors and describe their chosen behavioural indicators and the strategies used to measure them. We then compare the different solutions and discuss the pros, cons and open issues of each approach.