Ransomware is malware that uses encryption to hold a victim’s data hostage. The critical data of a user or organization is encrypted so that they cannot access files, databases, or applications, and a ransom is then demanded in exchange for restoring access. Ransomware is frequently designed to spread across a network and target database and file servers, effectively paralyzing an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals while causing significant damage and expense for businesses and government organizations.
Engineering researchers have developed a new approach for implementing ransomware detection techniques, allowing them to detect a wide range of ransomware far more quickly than previous systems.
Ransomware is a type of malware. When ransomware infiltrates a system, it encrypts the data, rendering it inaccessible to users. The ransomware authors then extort the operators of the affected systems, demanding money in exchange for granting them access to their own data.
Ransomware extortion is extremely costly, and cases of ransomware extortion are on the rise. The FBI reports receiving 3,729 ransomware complaints in 2021, with a total cost of more than $49 million. Furthermore, 649 of those complaints came from organizations classified as critical infrastructure.
“Computing systems already use a variety of security tools that monitor incoming traffic to detect potential malware and prevent it from compromising the system,” says Paul Franzon, co-author of a paper on the new ransomware detection approach. “The main challenge here is detecting ransomware in time to prevent it from infiltrating the system, because ransomware starts encrypting files as soon as it enters the system.” Franzon is the Cirrus Logic Distinguished Professor of Electrical and Computer Engineering at North Carolina State University.
“There’s a machine-learning algorithm called XGBoost that is very good at detecting ransomware,” explains Archit Gajjar, the paper’s first author and a Ph.D. student at NC State. “However, when XGBoost is run as software in a system via a CPU or GPU, it is extremely slow.” Previous attempts to implement XGBoost in hardware have been hampered by a lack of flexibility: they target very specific problems, which makes monitoring for the full range of ransomware attacks difficult or impossible.
Ransomware uses asymmetric encryption, that is, cryptography that encrypts and decrypts a file using a pair of keys. The attacker generates a unique public-private key pair for the victim; the private key needed to decrypt the files is kept on the attacker’s server. The attacker only releases the victim’s private key after the ransom is paid, though as recent ransomware campaigns have shown, this is not always the case. Without access to the private key, it is nearly impossible to decrypt the files being held for ransom.
“We’ve developed a hardware-based approach that allows XGBoost to monitor for a wide range of ransomware attacks, but is much faster than any of the software approaches,” Gajjar says.
The new approach is called FAXID, and in proof-of-concept testing, the researchers found it was just as accurate as software-based approaches at detecting ransomware. The big difference was speed. FAXID was up to 65.8 times faster than software running XGBoost on a CPU and up to 5.3 times faster than software running XGBoost on a GPU.
“Another advantage of FAXID is that it allows us to run problems in parallel,” Gajjar says. “You could devote all of the dedicated security hardware’s resources to ransomware detection, allowing you to detect ransomware faster. However, you could also allocate the computing power of the security hardware to different problems. For example, you could dedicate a certain percentage of the hardware to ransomware detection and another percentage to another challenge, such as fraud detection.”
“Our work on FAXID was funded by the Center for Advanced Electronics through Machine Learning (CAEML), which is a public-private partnership,” Franzon says. “The technology is already being made available to members of the center, and we know of at least one company that is making plans to implement it in their systems.”