Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy With the Link File

Abstract

Ransomware is a growing threat and is building ecosystems in the form of ransomware as a service (RaaS). While there have been diverse efforts to detect and mitigate such threats, techniques to bypass such countermeasures have advanced considerably. Since detecting all evolving threats has become challenging, there is a growing interest in developing proactive countermeasures that can minimize the damage even in environments where ransomware has already been executed. In this study, we gained insights from an attacker's perspective by analyzing ransomware such as LockBit and derived a generic counterstrategy against features that are common in ransomware attacks. Our proposed method protects critical files from existing ransomware by applying a hiding strategy that makes it difficult for attackers to find the target files. We also present best practices for implementing the strategy with the link file, considering both security and usability, and improve the method by adding a linker and an encrypted database to reduce the attack surface. Using real-world ransomware samples, our experiments show that the proposed method successfully protects valuable files against ransomware in a cost-effective manner.

Lee, S., Lee, S., Park, J., Kim, K., & Lee, K. (2023). Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy With the Link File. IEEE Access, 11, 92693–92704. https://doi.org/10.1109/ACCESS.2023.3309879
