TY - JOUR
T1 - Shared file protection against unauthorised encryption using a Buffer-Based Signature Verification Method
AU - Mahboubi, Arash
AU - Camtepe, Seyit
AU - Ansari, Keyvan
AU - Pawłowski, Marcin
AU - Morawiecki, Paweł
AU - Aboutorab, Hamed
AU - Pieprzyk, Josef
AU - Duda, Jarek
N1 - Publisher Copyright:
© 2024 The Author(s)
PY - 2024/11
Y1 - 2024/11
N2 - Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.
AB - Understanding the attributes of critical data and implementing suitable security measures help organisations bolster their data-protection strategies and diminish the potential impacts of ransomware incidents. Unauthorised extraction and acquisition of data are the principal objectives of most cyber invasions. We underscore the severity of this issue using a recent attack by the Clop ransomware group, which exploited the MOVEit Transfer vulnerability and bypassed network-detection mechanisms to exfiltrate data via a Command and Control server. As a countermeasure, we propose a method called Buffer-Based Signature Verification (BBSV). This approach involves embedding 32-byte tags into files prior to their storage in the cloud, thus offering enhanced data protection. The BBSV method can be integrated into software like MOVEit Secure Managed File Transfer, thereby thwarting attempts by ransomware to exfiltrate data. Empirically tested using a BBSV prototype, our approach was able to successfully halt the encryption process for 80 ransomware instances from 70 ransomware families. BBSV not only stops the encryption but also prevents data exfiltration when data are moved or written from the original location by adversaries. We further develop a hypothetical exploit scenario in which an adversary manages to bypass the BBSV, illicitly transmits data to a Command and Control server, and then removes files from the original location. We construct an extended state space, in which each state represents a tuple that integrates user authentication and system components at the filesystem level.
KW - Coloured Petri net
KW - Data encryption
KW - Data protection
KW - Ransomware
KW - Signature embedding
KW - Storage-level signature validation
KW - Trusted Platform Module
UR - http://www.scopus.com/inward/record.url?scp=85203411904&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85203411904&partnerID=8YFLogxK
U2 - 10.1016/j.jisa.2024.103873
DO - 10.1016/j.jisa.2024.103873
M3 - Article
AN - SCOPUS:85203411904
SN - 2214-2134
VL - 86
JO - Journal of Information Security and Applications
JF - Journal of Information Security and Applications
M1 - 103873
ER -