WO2022002405A1 - Device and method for generating, using and optimizing a honeypot - Google Patents



Publication number
WO2022002405A1
Authority
WO
WIPO (PCT)
Prior art keywords
honeypot
ransomware
properties
backup
user system
Application number
PCT/EP2020/068659
Other languages
French (fr)
Inventor
Aviv Kuvent
Assaf Natanzon
Yaron MOR
Asaf Yeger
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to PCT/EP2020/068659 (WO2022002405A1)
Priority to CN202080015668.7A (CN114175575B)
Publication of WO2022002405A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • the present disclosure relates to devices and methods for protecting a user system from ransomware.
  • the disclosure provides, to this end, a device for generating a honeypot for attracting ransomware, a device for using a honeypot for attracting ransomware, and a device for optimizing a honeypot for attracting and decrypting ransomware and corresponding methods.
  • Ransom malware or ransomware is a general term for various malicious software, which infects systems and encrypts data stored in the systems. Ransomware prevents users from accessing their data (usually by encrypting the data), and then demands a ransom payment from the users, in order to regain access (decrypt the encrypted data).
  • ransomware has become more prevalent. There are many different variations of ransomware.
  • One way to detect that a ransomware infects a system is by planting a honeypot.
  • a honeypot is a special file or a set of files, which is created to attract malicious agents trying to attack as early as possible in the time of a system infection.
  • honeypots are usually used for other types of malware, but not for ransomware.
  • Generating a honeypot for attracting ransomware is not a trivial task. Different types of ransomware may have different criteria for the order in which files are attacked. Further, honeypots are usually planted without a specific pre-design or customization for a specific user system. Consequently, the odds that a planted honeypot will be the first file to be attacked during a ransomware infection are lowered, and thus the honeypot may be ineffective against the ransomware.
  • embodiments of the present disclosure aim to provide devices and methods for protecting user systems from ransomware.
  • An objective is to detect the ransomware quickly.
  • different types of ransomware should be detected to protect the user systems.
  • One aim is to optimize the decryption of ransomware when needed.
  • a first aspect of the disclosure provides a device for generating a honeypot for attracting ransomware, the device being configured to: obtain a first backup image of a user system at a first time point; create a first backup system based on the first backup image; run one or more ransomware kits on the first backup system; identify a first set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomware kits; identify a first set of properties of the first set of data structures; and generate the honeypot based on the first set of properties.
  • a backup system of the user system is created, and then infected with various types of ransomware.
  • By monitoring this infected backup system it can be identified which files or applications are first attacked by each type of ransomware.
  • an artificial file or files, or an artificial application can be created, which is similar or identical to the identified files or applications.
  • This artificial file or artificial application is the “honeypot”, which can be used to trick the different types of ransomware into attacking the honeypot first before other system files.
  • the device is configured to: re-run the one or more ransomware kits on the first backup system; identify a second set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomwares; identify a second set of properties of the second set of data structures; and generate the honeypot based on the first set and the second set of properties.
  • multiple iterations of infecting the backup system with the ransomware may be performed, in order to ensure the same files/applications are consistently being the first ones to be attacked by the same type of ransomware each time.
  • the device is configured to: obtain a second backup image of the user system at a second time point; create a second backup system based on the second backup image; run one or more ransomware kits on the second backup system; identify a third set of data structures in the second backup system that are attacked within a determined time period by each ransomware kit; identify a third set of properties of the third set of data structures; and generate the honeypot based on the first set, the second set and the third set of properties.
  • the backup system may be recreated, perhaps from different backups of the original user system.
  • the honeypot may be generated based on simulation results from different backups.
  • the first set of properties includes a location and/or a format of each data structure in the first set of data structures.
  • the identified properties may be a location of a data structure, or a format of a data structure.
  • a file stored in a specific location may be the first one being encrypted by a specific ransomware.
  • the identified properties may also include other pieces of information about data structures.
  • the first set of data structures includes one or more files and/or one or more objects.
  • Embodiments of the disclosure may apply to all types of file systems.
  • embodiments of the disclosure may also apply to other data storage architectures such as object storage.
  • the honeypot comprises one or more artificial files, and/or one or more artificial applications.
  • the generated honeypot may be one or more files, or applications, with similar properties as the identified properties.
  • an artificial application may create an artificial instance of an Oracle database (DB), which can be simulated to appear “real” to one or more ransomwares in order to trick them into attacking this artificial application first.
  • a second aspect of the disclosure provides a device for using a honeypot for attracting ransomware, the device being configured to: insert the honeypot into a user system; monitor the honeypot to detect whether the honeypot is affected, in particular by ransomware; and take an action to preserve data of the user system, once it is detected that the honeypot is affected.
  • Embodiments of this disclosure further provide a device for using a honeypot for attracting ransomware.
  • the honeypot that is inserted into the user system may be the honeypot generated according to embodiments of this disclosure.
  • After placing the honeypot in the user system, the honeypot may be monitored to identify whether a ransomware is infecting the user system. Since the honeypot is designed to attract the ransomware infection as early as possible, once it is detected that the honeypot is being changed, the device can immediately take actions to prevent or contain the ransomware infection.
  • the action comprises creating a snapshot of the user system.
  • An example of such an action might be immediately taking a snapshot of the entire user system, to preserve as many of the files in the system as possible before they are encrypted by the ransomware.
  • the device is configured to obtain the honeypot, which is generated based on a set of properties, and insert the honeypot into the user system according to the set of properties.
  • the honeypot that is inserted into the user system may be the honeypot generated according to embodiments of this disclosure. That is, the honeypot is generated based on properties of some identified data structures.
  • the said properties may include a location of a data structure. It should be noted that this indicates that a data structure stored in this particular location is readily attacked by the ransomware. Accordingly, the device may insert the honeypot into the same location as indicated in the properties, to trick the ransomware into attacking this honeypot first.
  • the honeypot comprises one or more artificial files, and/or one or more artificial applications.
  • the device is further configured to copy the one or more artificial files into the user system, and/or install the one or more artificial applications on the user system.
  • the device may insert the honeypot into the user system by copying the files into the user system.
  • the device may insert the honeypot into the user system by installing the applications on the user system.
  • a third aspect of the disclosure provides a device for optimizing a honeypot for attracting and decrypting ransomware, the device being configured to study attack patterns of one or more ransomware kits, and optimize the honeypot according to the attack patterns.
  • Embodiments of this disclosure further propose to optimize the honeypot, particularly in a way to better attract different types of ransomware.
  • the honeypot that is optimized may be the honeypot generated according to embodiments of this disclosure.
  • the honeypot in the user system is monitored during a learning phase of one or more types of ransomware. Accordingly, the device can adjust the honeypot to ensure that it continues to be an effective honeypot for the one or more types of ransomware on the user system.
  • the device is further configured to maintain a set of properties of the honeypot, and update the honeypot by modifying one or more properties of the set of properties.
  • the honeypot may be generated based on a set of properties.
  • the honeypot may be continuously adjusted by modifying one or more properties in the set of properties.
  • the device is further configured to modify the one or more properties of the honeypot, such that the updated honeypot can be used for decrypting one or more files that are encrypted by one or more ransomware kits.
  • a decryption tool may require a pair of files, i.e., the files before and after the encryption, in order to perform the decryption.
  • the pair of files may be used to deduce an encryption key from them, and then the encryption key can be used to decrypt other files.
  • Since the honeypot is designed to attract the ransomware infection as early as possible, it is possible to use the infected honeypot, i.e., the encrypted honeypot, and the honeypot, i.e., the unencrypted version, in the decryption procedure.
  • the device is further configured to provide the honeypot to one or more decryptors for decrypting the one or more files that are encrypted by the one or more ransomware kits.
  • There may be more than one decryption tool used for decrypting files that are affected by the ransomwares.
  • the honeypot may be provided to these decryption tools by the device.
  • the device is further configured to obtain and analyze a decryption result of the one or more decryptors, and modify the one or more properties of the honeypot, such that the decryption result of the one or more decryptors is optimized.
  • the device can tailor the honeypot to be optimal for use in relevant decryptors.
  • the device is further configured to modify the one or more properties of the honeypot, such that the updated honeypot can be used for decrypting as many files that are encrypted by the one or more ransomware kits as possible.
  • a file size of the honeypot is large enough to be useful when applying decryptors, in order to allow decryption of as many files as possible.
  • the device is further configured to store a copy of the honeypot in a safe location of a backup system of the user system, or regenerate the honeypot.
  • decryptors may require a pair of files, i.e., the files before and after the encryption, in order to perform the decryption.
  • an original version of the honeypot, which is not affected by ransomware, is needed.
  • the device may keep a copy in a safe location in the backup system, or be able to reproduce it.
  • a fourth aspect of the disclosure provides a method for generating a honeypot for attracting ransomware, the method comprising: obtaining a first backup image of a user system at a first time point; creating a first backup system based on the first backup image; running one or more ransomware kits on the first backup system; identifying a first set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomware kits; identifying a first set of properties of the first set of data structures; and generating the honeypot based on the first set of properties.
  • the method of the fourth aspect and its implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
  • a fifth aspect of the disclosure provides a method for using a honeypot for attracting ransomware, the method comprising: inserting the honeypot into a user system; monitoring the honeypot to detect whether the honeypot is affected, in particular by ransomware; and taking an action to preserve data of the user system, once it is detected that the honeypot is affected.
  • the method of the fifth aspect and its implementation forms provide the same advantages and effects as described above for the device of the second aspect and its respective implementation forms.
  • a sixth aspect of the disclosure provides a method for optimizing a honeypot for attracting ransomware, the method comprising: studying attack patterns of one or more ransomware kits; and optimizing the honeypot according to the attack patterns.
  • a seventh aspect of the disclosure provides a computer program kit comprising a program code for carrying out, when implemented on a processor, the method according to the fourth aspect and its implementation forms, the fifth aspect and its implementation forms, and the sixth aspect and its implementation forms. It has to be noted that all devices, elements, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities.
  • FIG. 1 shows a device for generating a honeypot for attracting ransomware according to an embodiment of the present disclosure.
  • FIG. 2 shows a system comprising the device according to an embodiment of the present disclosure.
  • FIG. 3 shows a user system and a backup system according to an embodiment of the present disclosure.
  • FIG. 4 shows a user system and a backup system according to an embodiment of the present disclosure.
  • FIG. 5 shows a user system and a backup system according to an embodiment of the present disclosure.
  • FIG. 6 shows a method according to an embodiment of the present disclosure.
  • FIG. 7 shows a method according to an embodiment of the present disclosure.
  • FIG. 8 shows a method according to an embodiment of the present disclosure.
  • Embodiments of this disclosure are based on the proposal to rely on a backup system to learn behavior of different ransomware on the protected system, and create a honeypot based on this.
  • a part of this disclosure focuses on how to use such specific pre-designed honeypot for attracting ransomware.
  • Another main focus of this disclosure is to optimize a honeypot, in order to quickly detect ransomware and to optimize a decryption operation where necessary.
  • the solution proposed in embodiments of this disclosure comprises three parts: Part 1 - creation of the honeypot:
  • FIG. 1 shows a device 100 according to an embodiment of the disclosure.
  • the device 100 may comprise processing circuitry (not shown) configured to perform, conduct or initiate the various operations of the device 100 described herein.
  • the processing circuitry may comprise hardware and software.
  • the hardware may comprise analog circuitry or digital circuitry, or both analog and digital circuitry.
  • the digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or multi-purpose processors.
  • the processing circuitry comprises one or more processors and a non-transitory memory connected to the one or more processors.
  • the non-transitory memory may carry executable program code which, when executed by the one or more processors, causes the device 100 to perform, conduct or initiate the operations or methods described herein.
  • the device 100 is adapted for generating a honeypot for attracting ransomware.
  • the device 100 is configured to obtain a first backup image 101 of a user system 301 at a first time point.
  • the device 100 is further configured to create a first backup system 102 based on the first backup image 101.
  • the device 100 is configured to run one or more ransomware kits on the first backup system 102.
  • the device 100 is configured to identify a first set of data structures 103 in the first backup system 102 that are attacked within a determined time period by the one or more ransomware kits.
  • the device 100 is configured to identify a first set of properties 104 of the first set of data structures 103.
  • the device 100 is configured to generate the honeypot 200 based on the first set of properties 104.
  • FIG. 2 shows a system 200 according to an embodiment of the disclosure.
  • the system 200 comprises a device 100.
  • the device 100 shown in FIG. 2 may be the device 100 shown in FIG. 1.
  • same elements in all figures are labeled with the same reference signs and function likewise.
  • the system 200 comprises three kinds of apparatuses, which may be as described below:
    • a user system 201: which can be directly accessed by the user, and comprising user data (also named as production system in implementations);
    • a backup system 202: which is used to back up the data in the user system 201, and comprising backup images of the user data;
    • a computing device (node): which can be accessed by the administrator of the whole system, and is configured to generate a honeypot 300, or use a honeypot 300, or optimize a honeypot 300, for attracting ransomware.
  • the computing device is the device 100 as shown in FIG. 1 or FIG. 2.
  • a production system or production device, is directly accessed by users, and is used to perform normal operations, thus it may also be referred to as a user system.
  • One or more user systems 201 are located in a production environment.
  • a backup system is used to back up the data in the user system.
  • the backup system 202 may be a backup server.
  • FIG. 3 shows a user system 201 and a backup system 202 according to an embodiment of the disclosure.
  • a backup is performed on a user system 201 at time T0, resulting in the first backup image 101.
  • a first backup system 102 is created based on the backup of time T0.
  • the device 100 obtains the first backup image 101, and creates the first backup system 102, such as by creating a set of virtual machines based on the backup of virtual machines in the user system 201 at time T0.
  • the device 100 may infect the first backup system 102 with various types of ransomware, as depicted in FIG. 4.
  • FIG. 4 shows the same user system 201 and backup system 202 as shown in FIG. 3.
  • the device 100 can identify which files or applications are first attacked by each ransomware.
  • this solution is not limited to a specific type of file system; it applies to all types of file systems.
  • this disclosure is not limited to file systems; it can also be applied to other data storage architectures, including object storage.
  • the device 100 can identify the properties of these files or applications (location, format, etc.) and create an artificial file or files, or an artificial identical application, i.e., the honeypot 300 as shown in FIG. 4, with similar properties.
  • the identified properties may also include other pieces of information about data structures.
  • the honeypot 300 may comprise one or more artificial files, and/or one or more artificial applications.
  • the device 100 may re-run the ransomware to ensure that it first attacks the honeypot 300.
  • An example of an artificial application is creating an artificial instance of an Oracle DB, which is simulated to appear “real” to the ransomware in order to trick it into attacking this artificial application first.
  • the device 100 may be configured to re-run the one or more ransomware kits on the first backup system 102; identify a second set of data structures in the first backup system 102 that are attacked within a determined time period by the one or more ransomwares; identify a second set of properties of the second set of data structures. Then, the device 100 may be further configured to generate the honeypot 300 based on the first set and the second set of properties.
  • the device 100 may be configured to obtain a second backup image of the user system 201 at a second time point; create a second backup system based on the second backup image; run one or more ransomware kits on the second backup system; identify a third set of data structures in the second backup system that are attacked within a determined time period by each ransomware kit; identify a third set of properties of the third set of data structures. Then, the device 100 may generate the honeypot 300 based on the first set, the second set and the third set of properties.
  • a honeypot 300 can be generated.
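The learning step described in the first aspect above and again in the FIG. 3 and FIG. 4 passages (run kits against a backup copy, record which data structures are attacked within a time window, extract their location and format, and confirm the result across re-runs and across backups taken at different time points) can be demonstrated on recorded modification events. The Python below is an added example and is not code from the patent or from Huawei; the per-run event lists, kit names, paths and the 5-second window are constructed sample values, and it assumes the kits were already run in an isolated backup environment with their file modifications logged.

```python
"""Learn honeypot properties from ransomware runs recorded on a backup copy.

Added example, not code from the patent or from Huawei. It assumes that each
run of a kit against a backup system was recorded as (path, seconds after
start) modification events; the events, kit names and paths below are
constructed sample data, not real telemetry.
"""
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed telemetry: one record per (backup image, kit, run), as the
# patent's re-runs on the same backup and runs on a later backup would produce.
RUNS = [
    {"backup": "T0", "kit": "kitA", "run": 1, "events": [
        ("/srv/oracle/db1/system01.dbf", 2.0),
        ("/home/alice/docs/budget.xlsx", 3.5),
        ("/home/alice/docs/notes.txt", 9.0),
        ("/var/log/syslog", 40.0)]},
    {"backup": "T0", "kit": "kitA", "run": 2, "events": [
        ("/srv/oracle/db1/system01.dbf", 1.5),
        ("/home/alice/docs/budget.xlsx", 4.0),
        ("/home/alice/photos/cat.jpg", 8.0)]},
    {"backup": "T1", "kit": "kitA", "run": 1, "events": [
        ("/srv/oracle/db1/system01.dbf", 2.5),
        ("/home/alice/docs/budget.xlsx", 3.0),
        ("/home/alice/docs/plan.docx", 7.0)]},
    {"backup": "T0", "kit": "kitB", "run": 1, "events": [
        ("/home/alice/docs/budget.xlsx", 1.0),
        ("/home/alice/docs/notes.txt", 1.2),
        ("/srv/oracle/db1/system01.dbf", 30.0)]},
]


def attacked_within(events, window_s):
    """Data structures touched within the first `window_s` seconds of a run."""
    return {path for path, t in events if t <= window_s}


def properties_of(path):
    """The two properties the patent names: location (directory) and format (extension)."""
    p = PurePosixPath(path)
    return {"location": str(p.parent), "format": p.suffix.lstrip(".") or "none"}


def learn_honeypot_properties(runs, window_s=5.0, min_consistency=1.0):
    """Merge the early-attacked sets across re-runs and across backups, per kit.

    A (location, format) pair is kept for a kit only if it appeared in at least
    `min_consistency` (a fraction) of that kit's runs, which is the patent's
    reason for re-running: the same files should consistently be first.
    Returns {kit: [{"location", "format", "support"}, ...]}.
    """
    runs_per_kit = defaultdict(int)
    props_per_kit = defaultdict(Counter)
    for run in runs:
        runs_per_kit[run["kit"]] += 1
        seen = {tuple(properties_of(p).values()) for p in attacked_within(run["events"], window_s)}
        for key in sorted(seen):  # sorted so the output order is deterministic
            props_per_kit[run["kit"]][key] += 1
    learned = {}
    for kit, counter in props_per_kit.items():
        total = runs_per_kit[kit]
        learned[kit] = [
            {"location": loc, "format": fmt, "support": n / total}
            for (loc, fmt), n in counter.most_common() if n / total >= min_consistency
        ]
    return learned


def honeypot_spec(learned):
    """Union across kits: one decoy per (location, format), tagged with the kits it attracts."""
    spec = {}
    for kit, props in learned.items():
        for p in props:
            key = (p["location"], p["format"])
            spec.setdefault(key, {"location": p["location"], "format": p["format"], "kits": []})
            spec[key]["kits"].append(kit)
    return sorted(spec.values(), key=lambda d: (d["location"], d["format"]))


if __name__ == "__main__":
    for decoy in honeypot_spec(learn_honeypot_properties(RUNS)):
        print(decoy)
```

With the sample runs, kitA consistently hits the `.dbf` under `/srv/oracle/db1` and the `.xlsx` under `/home/alice/docs` within five seconds, kitB starts in the docs directory, and the merged spec therefore calls for three decoys. Loosening `min_consistency` admits files seen in only some runs, which is exactly the noise the patent's re-runs are meant to filter out.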
  • the honeypot 300 can be inserted into a user system 201 as shown in FIG. 5.
  • FIG. 5 shows the same user system 201 and backup system 202 as shown in FIG. 3 and FIG. 4.
  • a device may be configured to insert the honeypot 300 into the user system 201.
  • this device may be the device 100 as shown in FIG. 1 or FIG. 2. That is, it is possible that the same device generates the honeypot 300 and further uses it for attracting ransomware. However, it is also possible that a different device just obtains the honeypot 300 and uses it (without generating the honeypot 300).
  • the honeypot 300 may comprise one or more artificial files, and/or one or more artificial applications.
  • a device may be configured to copy the one or more artificial files into the user system 201, particularly to the relevant location in it.
  • If the honeypot is an artificial application, according to an embodiment of the disclosure, the device may be configured to install it on the user system 201. Possibly, the device may populate the honeypot 300 with the same data used during the honeypot-learning done in the first backup system 102.
  • the device may monitor the honeypot 300 to identify if a ransomware is infecting the user system 201. Since the honeypot 300 is controlled by the device, any changes to the honeypot 300 that are not initiated by the device or the user system 201 are suspicious. In addition, since the honeypot 300 is designed to attract the ransomware infection as early as possible, once it is detected that the honeypot 300 is being changed, the device can immediately take actions to prevent or contain the ransomware infection. An example of such an action might be immediately taking a snapshot of the entire user system 201, to preserve as much of it as possible before it is encrypted by the ransomware.
  • Monitoring the state of the honeypot 300 allows detecting a malware attack as early as possible, and taking various measures in response, in order to stop the attack and decrypt the encrypted files (which are affected by the ransomware).
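The second aspect above and the FIG. 5 passage describe planting the honeypot at the learned locations, keeping a pristine copy in a safe location, and treating any change not initiated by the device as the trigger for a data-preserving action such as a snapshot. The Python below is an added example, not the patent's or Huawei's code; the spec, the filler content, the temporary directories and the snapshot callback are constructed stand-ins, and the "tampering" at the end is a simulated overwrite rather than any real ransomware.

```python
"""Plant a honeypot from learned properties, keep a pristine copy, and watch it.

Added example, not code from the patent or from Huawei. The spec, the filler
content, the temporary directories and the snapshot callback are constructed
stand-ins; the "tampering" at the end is a simulated overwrite, not ransomware.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed spec, shaped like the output of the learning step (location,
# format, and a size that the later decryption step may want to be generous).
SPEC = [
    {"location": "home/alice/docs", "format": "xlsx", "size": 4096},
    {"location": "srv/oracle/db1", "format": "dbf", "size": 8192},
]
FILLER = b"quarterly figures, region north, 1042 units\n"


def plant_honeypot(user_root, safe_root, spec):
    """Write each decoy at its learned location and a pristine copy under safe_root."""
    planted = []
    for i, item in enumerate(spec):
        name = f"honeypot_{i}.{item['format']}"
        target = Path(user_root) / item["location"] / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes((FILLER * (item["size"] // len(FILLER) + 1))[: item["size"]])
        keep = Path(safe_root) / item["location"] / name
        keep.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(target, keep)  # the unencrypted original a decryptor will need later
        planted.append(target)
    return planted


def fingerprint(path):
    """(sha256, size) of a file, or None if it has been removed."""
    path = Path(path)
    if not path.exists():
        return None
    return hashlib.sha256(path.read_bytes()).hexdigest(), path.stat().st_size


class HoneypotMonitor:
    """Fire an action when a decoy changes without the device having announced it."""

    def __init__(self, paths, on_tamper):
        self.paths = [Path(p) for p in paths]
        self.on_tamper = on_tamper
        self.rebaseline()

    def rebaseline(self):
        """Called by the device after its own deliberate update, so that
        device-initiated changes are not reported as tampering."""
        self.baseline = {p: fingerprint(p) for p in self.paths}

    def check(self):
        """Compare live state to the baseline; run the action once if anything differs."""
        tampered = [p for p in self.paths if fingerprint(p) != self.baseline[p]]
        if tampered:
            self.on_tamper(tampered)
        return tampered


def demo():
    """Plant, monitor, apply a device-side update, then a simulated tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        user_root, safe_root = Path(tmp) / "user", Path(tmp) / "backup_safe"
        files = plant_honeypot(user_root, safe_root, SPEC)
        actions = []  # stand-in for the snapshot request the device would issue
        monitor = HoneypotMonitor(
            files, on_tamper=lambda hit: actions.append({"action": "snapshot", "trigger": [p.name for p in hit]}))
        clean = monitor.check()
        # Device-initiated change: grow the first decoy, then re-baseline (no alarm).
        files[0].write_bytes(files[0].read_bytes() + FILLER * 64)
        monitor.rebaseline()
        after_update = monitor.check()
        # Simulated tampering with the second decoy: contents rewritten by something
        # other than the device (constructed stand-in for encryption by ransomware).
        files[1].write_bytes(bytes(b ^ 0x5A for b in files[1].read_bytes()))
        tampered = monitor.check()
        pristine = fingerprint(safe_root / SPEC[1]["location"] / "honeypot_1.dbf")
        return {
            "clean": len(clean),
            "after_update": len(after_update),
            "tampered": [p.name for p in tampered],
            "actions": actions,
            "pristine_matches_baseline": pristine == monitor.baseline[files[1]],
        }


if __name__ == "__main__":
    print(demo())
```

The `rebaseline` call is the important design point: the device owns the honeypot, so it can announce its own edits (for instance enlarging a decoy for the decryptors), and everything else that changes the file is treated as suspicious. The copy under `backup_safe` is the unencrypted half of the file pair the decryption passages below rely on.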
  • a device for optimizing a honeypot 300 for attracting and decrypting ransomware is proposed.
  • the device is configured to study attack patterns of one or more ransomware kits, and optimize the honeypot 300 according to the attack patterns.
  • this device may be the device 100 as shown in FIG. 1 or FIG. 2. That is, it is possible that the same device generates the honeypot 300 and further optimizes it. However, it is also possible that a device obtains a honeypot 300 from other devices, and optimizes it.
  • the honeypot 300 may be the honeypot 300 as shown in FIG. 1 or FIG. 5. That is, the honeypot 300 that is optimized may be the honeypot 300 generated according to embodiments of this disclosure.
  • the honeypot 300 in the user system 201 is monitored during a learning phase of one or more types of ransomware. Accordingly, the device can adjust the honeypot 300 to ensure that it continues to be an effective honeypot for the one or more ransomwares on the user system 201.
  • the honeypot 300 may be generated based on a set of properties.
  • the device may be further configured to maintain a set of properties of the honeypot 300, and update the honeypot 300 by modifying one or more properties of the set of properties. In this way, the honeypot 300 may be continuously adjusted by modifying one or more properties in the set of properties.
  • the honeypot may be adjusted in a manner such that the updated honeypot can be used for decrypting one or more files that are encrypted by one or more ransomware kits.
  • a decryption tool may require a pair of files, i.e., the files before and after the encryption, in order to perform the decryption.
  • the pair of files may be used to deduce an encryption key from them, and then the encryption key can be used to decrypt other files.
  • Since the honeypot 300 is designed to attract the ransomware infection as early as possible, it is possible to use the infected honeypot, i.e., the encrypted honeypot, and the honeypot, i.e., the unencrypted version, in the decryption procedure.
  • the honeypot 300 can serve an additional and important function: by controlling some properties of the honeypot files and their changes, the honeypot 300 can be tailored to be optimal for use in relevant decryptors. For instance, for some of the decryption tools, the larger the file, the more of the other encrypted files can be decrypted. In such a case, the largest possible honeypot size may be desired. Therefore, the device can make sure that the honeypot file size is large enough to be useful when applying decryptors, in order to allow decryption of as many user files as possible. Since the device can control changes to the honeypot files, it can also more easily use them as input for decryptors.
  • the device may be further configured to obtain and analyze a decryption result of the one or more decryptors, and modify the one or more properties of the honeypot, such that the decryption result of the one or more decryptors is optimized.
  • the device may be further configured to provide the honeypot 300 to one or more decryptors for decrypting the one or more files that are encrypted by the one or more ransomware kits.
  • the device may be configured to modify the one or more properties of the honeypot, such that the updated honeypot can be used for decrypting as many files that are encrypted by the one or more ransomware kits as possible. For example, the device can make sure that a file size of the honeypot is large enough to be useful when applying decryptors, in order to allow decryption of as many files as possible.
  • decryptors may require a pair of files, i.e., the files before and after the encryption, in order to perform the decryption.
  • an original version of the honeypot, which is not affected by ransomwares, is needed.
  • the device may keep a copy in a safe location in the backup system, or be able to reproduce it. That is, according to an embodiment of the disclosure, wherein the honeypot 300 is inserted in a user system 201, the device is further configured to store a copy of the honeypot 300 in a safe location of a backup system 202 of the user system 201, or regenerate the honeypot 300.
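The decryption passages (the third aspect's discussion of before/after file pairs and the restatement just above about sizing the honeypot so decryptors recover as many files as possible) are illustrated below with a toy model. This Python is an added example, not code from the patent or from Huawei; the "ransomware" in it is a constructed stand-in that XORs each file with a keystream restarted per file, a weakness assumed only so that the known-plaintext step and the size-optimization loop can be run end to end, and it represents no real ransomware family. The key and the user files are constructed too.

```python
"""Use a pristine/encrypted honeypot pair to drive a decryptor, and size the
honeypot so that as many user files as possible become recoverable.

Added example, not code from the patent or from Huawei. The "ransomware" is a
constructed toy: it XORs every file with a keystream that restarts per file.
That flaw is assumed only so the known-plaintext step can be shown end to end;
it models no real ransomware family. Key, user files and sizes are constructed.
"""
import hashlib

KEY = b"toy-key-for-the-demo-only"
# Constructed user data: three files of different sizes and non-trivial content.
USER_FILES = [bytes(i % 251 for i in range(n)) for n in (300, 1000, 2500)]


def toy_keystream(key, length):
    """Keystream expanded from `key` with SHA-256 in counter mode (toy model)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key, data):
    """Toy ransomware: the same keystream prefix is reused for every file."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, len(data))))


def recover_keystream(honeypot_plain, honeypot_cipher):
    """Decryptor's known-plaintext step: P xor C yields the keystream prefix,
    so the longer the honeypot, the longer the recovered prefix."""
    n = min(len(honeypot_plain), len(honeypot_cipher))
    return bytes(a ^ b for a, b in zip(honeypot_plain[:n], honeypot_cipher[:n]))


def decrypt_with_keystream(keystream, cipher):
    """Decrypt the covered prefix of `cipher`; return (plaintext_prefix, bytes_missing)."""
    covered = min(len(keystream), len(cipher))
    plain = bytes(a ^ b for a, b in zip(cipher[:covered], keystream[:covered]))
    return plain, len(cipher) - covered


def decryption_coverage(honeypot_size, user_files, key):
    """Encrypt a honeypot of `honeypot_size` bytes and the user files with the toy
    kit; return how many user files the honeypot pair alone fully recovers."""
    honeypot = (b"quarterly figures\n" * (honeypot_size // 18 + 1))[:honeypot_size]
    keystream = recover_keystream(honeypot, toy_encrypt(key, honeypot))
    fully = 0
    for data in user_files:
        plain, missing = decrypt_with_keystream(keystream, toy_encrypt(key, data))
        if missing == 0 and plain == data:
            fully += 1
    return fully


def optimize_honeypot_size(user_files, key, start=512, step=512, limit=1 << 20):
    """The patent's optimization loop in miniature: analyze the decryptor's result
    and grow the honeypot until every user file is recovered (or `limit` is hit).
    Returns (chosen_size, files_recovered)."""
    size = start
    best = (size, decryption_coverage(size, user_files, key))
    while best[1] < len(user_files) and size + step <= limit:
        size += step
        best = (size, decryption_coverage(size, user_files, key))
    return best


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, decryption_coverage(size, USER_FILES, KEY))
    print("chosen:", optimize_honeypot_size(USER_FILES, KEY))
```

With the three constructed files (300, 1000 and 2500 bytes), a 512-byte honeypot pair recovers one file, a 1024-byte pair recovers two, and the loop settles on 2560 bytes to recover all three. The pristine copy kept in the safe backup location is what supplies `honeypot_plain`; without it the pair, and therefore the recovered keystream, does not exist.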
  • a honeypot 300 as discussed in previous embodiments can be an Oracle honeypot.
  • the user system 201 may contain several instances of Oracle DB, each with its own data schema, size, number of records, field names, and additional properties.
  • the user system 201 is backed up, and re-created inside the backup system 202 (using the backup).
  • the device 100 infects the re-created user system with a ransomware and monitors its state (either by directly monitoring the files associated with each Oracle DB instance, to determine when the files become encrypted, or by attempting to access the Oracle DB instances and identifying that a failure to access them is a result of ransomware encryption).
  • the device 100 may be the device 100 as shown in FIG. 1 or FIG. 2.
  • the ransomware encrypts the system in stages. Via the monitoring, the device 100 may identify which Oracle DB instance is the first to be encrypted. The device 100 can re-run this test several times (each time re-creating a user system, perhaps from different backups of the original user system), to increase the confidence in which Oracle DB instance is first encrypted.
  • the device 100 generates the honeypot 300 accordingly.
  • the device 100 creates a new, artificial Oracle DB instance, and models it to be as similar as possible to the first Oracle DB instance that is attacked (e.g., by creating a similar schema for it, populating it with a similar number of records, giving its fields similar names, etc.).
  • the device 100 can re-run the ransomware again, and continue to adjust the honeypot 300 until it is the first (or among the first) DB instances encrypted.
  • this honeypot 300 can be planted in the user system 201 (by creating a DB instance there, and populating it with the same information that was used while learning the ransomware).
  • the device 100 can monitor this Oracle DB instance in the user system 201 in the same way as it monitored the Oracle DB instance during the learning phase. As the user's Oracle DB instances change over time, the device 100 can further adjust this honeypot 300 accordingly, to ensure that it continues to be an effective honeypot for this ransomware on this user system.
  • FIG. 6 shows a method 600 for generating a honeypot 300 for attracting ransomware according to an embodiment of the present disclosure. In particular, the method 600 is performed by the device 100 as shown in FIG. 1 or FIG. 2.
  • the method 600 comprises a step 601 of obtaining a first backup image 101 of a user system 201 at a first time point; a step 602 of creating a first backup system 102 based on the first backup image 101; a step 603 of running one or more ransomware kits on the first backup system 102; a step 604 of identifying a first set of data structures 103 in the first backup system 102 that are attacked within a determined time period by the one or more ransomware kits; a step 605 of identifying a first set of properties 104 of the first set of data structures 103; and a step 606 of generating the honeypot 300 based on the first set of properties 104.
  • the method 600 may further comprise actions as described in aforementioned embodiments of the device 100.
  • FIG. 7 shows a method 700 for using a honeypot 300 for attracting ransomware according to an embodiment of the present disclosure.
  • the method 700 may be performed by the device 100 as shown in FIG. 1 or FIG. 2.
  • the method 700 comprises a step 701 of inserting the honeypot 300 into a user system 201; a step 702 of monitoring the honeypot 300 to detect whether the honeypot 300 is affected, in particular by ransomware; and a step 703 of taking an action to preserve data of the user system 201, once it is detected that the honeypot 300 is affected.
  • FIG. 8 shows a method 800 for optimizing a honeypot 300 for attracting ransomware according to an embodiment of the present disclosure.
  • the method 800 may be performed by the device 100 as shown in FIG. 1 or FIG. 2.
  • the method 800 comprises a step 801 of studying attack patterns of one or more ransomware kits; and a step 802 of optimizing the honeypot 300 according to the attack patterns.
  • the present disclosure further provides a computer program kit comprising a program code for carrying out, when implemented on a processor, the method 600 as shown in FIG. 6, or the method 700 as shown in FIG. 7, or the method 800 as shown in FIG. 8.
  • the computer program is included in a computer readable medium of a computer program kit.
  • the computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.

Abstract

The present disclosure provides a device for generating a honeypot for attracting ransomware, a device for using a honeypot for attracting ransomware, and a device for optimizing a honeypot for attracting and decrypting ransomware and corresponding methods. The device is configured to: obtain a first backup image of a user system at a first time point; create a first backup system based on the first backup image; run one or more ransomware kits on the first backup system; identify a first set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomware kits; identify a first set of properties of the first set of data structures; and generate the honeypot based on the first set of properties.

Description

DEVICE AND METHOD FOR GENERATING, USING AND OPTIMIZING A HONEYPOT
TECHNICAL FIELD
The present disclosure relates to devices and methods for protecting a user system from ransomware. The disclosure provides, to this end, a device for generating a honeypot for attracting ransomware, a device for using a honeypot for attracting ransomware, and a device for optimizing a honeypot for attracting and decrypting ransomware and corresponding methods.
BACKGROUND
Ransom malware, or ransomware, is a general term for various malicious software which infects systems and encrypts data stored in the systems. Ransomware prevents users from accessing their data (usually by encrypting the data), and then demands a ransom payment from the users in order to regain access (decrypt the encrypted data).
In recent years, ransomware has become more prevalent. There are many different variations of ransomware. One way to detect that ransomware has infected a system is by planting a honeypot. A honeypot is a special file or a set of files, which is created to attract malicious agents as early as possible during a system infection. Nowadays, honeypots are usually used for other types of malware, but not for ransomware.
Creating an “ideal” honeypot for attracting ransomware is not a trivial task. Different types of ransomware may have different criteria for the order in which files are attacked. Further, honeypots are usually planted without a specific pre-design or customization for a specific user system. Consequently, the odds that a planted honeypot will be the first file to be attacked during a ransomware infection are lowered, and thus the honeypot may be ineffective for the ransomware.
SUMMARY
In view of the above-mentioned challenges, embodiments of the present disclosure aim to provide devices and methods for protecting user systems from ransomware. An objective is to detect the ransomware quickly. In particular, different types of ransomware should be detected to protect the user systems. One aim is to optimize the decryption of ransomware when needed.
The objective is achieved by the embodiments of the present disclosure provided in the enclosed independent claims. Advantageous implementations of the embodiments of the present disclosure are further defined in the dependent claims.
A first aspect of the disclosure provides a device for generating a honeypot for attracting ransomware, the device being configured to: obtain a first backup image of a user system at a first time point; create a first backup system based on the first backup image; run one or more ransomware kits on the first backup system; identify a first set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomware kits; identify a first set of properties of the first set of data structures; and generate the honeypot based on the first set of properties.
It is thus proposed to rely on a backup system, in order to learn behaviors of different types of ransomware (i.e., different ransomware kits) on the protected system, and to create a honeypot based on this knowledge. In particular, a backup system of the user system is created, and then infected with various types of ransomware. By monitoring this infected backup system, it can be identified which files or applications are first attacked by each type of ransomware. After identifying the properties of these files or applications, an artificial file or files, or an artificial application can be created, which is similar or identical to the identified files or applications. This artificial file or artificial application is the “honeypot”, which can be used to trick the different types of ransomware into attacking the honeypot first before other system files.
In an implementation form of the first aspect, the device is configured to: re-run the one or more ransomware kits on the first backup system; identify a second set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomwares; identify a second set of properties of the second set of data structures; and generate the honeypot based on the first set and the second set of properties. Optionally, multiple iterations of infecting the backup system with the ransomware may be performed, in order to ensure the same files/applications are consistently being the first ones to be attacked by the same type of ransomware each time.
In an implementation form of the first aspect, the device is configured to: obtain a second backup image of the user system at a second time point; create a second backup system based on the second backup image; run one or more ransomware kits on the second backup system; identify a third set of data structures in the second backup system that are attacked within a determined time period by each ransomware kit; identify a third set of properties of the third set of data structures; and generate the honeypot based on the first set, the second set and the third set of properties.
In order to increase the confidence that the honeypot will be attacked by the ransomware first, the backup system may be recreated, perhaps from different backups of the original user system. The honeypot may be generated based on simulation results from different backups.
In an implementation form of the first aspect, the first set of properties includes a location and/or a format of each data structure in the first set of data structures.
Optionally, the identified properties may be a location of a data structure, or a format of a data structure. For instance, a file stored in a specific location may be the first one being encrypted by a specific ransomware. The identified properties may also include other pieces of information about data structures.
In an implementation form of the first aspect, the first set of data structures includes one or more files and/or one or more objects.
This disclosure is not limited to a specific type of user system. Embodiments of the disclosure may apply to all types of file systems. Optionally, embodiments of the disclosure may also apply to other data storage architectures such as object storage.
In an implementation form of the first aspect, the honeypot comprises one or more artificial files, and/or one or more artificial applications.
Possibly, the generated honeypot may be one or more files, or applications, with similar properties as the identified properties. For instance, an artificial application may create an artificial instance of an Oracle database (DB), which can be simulated to appear “real” to one or more ransomwares in order to trick them into attacking this artificial application first.
A second aspect of the disclosure provides a device for using a honeypot for attracting ransomware, the device being configured to: insert the honeypot into a user system; monitor the honeypot to detect whether the honeypot is affected, in particular by ransomware; and take an action to preserve data of the user system, once it is detected that the honeypot is affected.
Embodiments of this disclosure further provide a device for using a honeypot for attracting ransomware. In particular, the honeypot that is inserted into the user system may be the honeypot generated according to embodiments of this disclosure.
After placing the honeypot in the user system, the honeypot may be monitored to identify whether a ransomware is infecting the user system. Since the honeypot is designed to attract the ransomware infection as early as possible, once it is detected that the honeypot is being changed, the device can immediately take actions to prevent or contain the ransomware infection.
In an implementation form of the second aspect, the action comprises creating a snapshot of the user system.
An example of such an action might be immediately taking a snapshot of the entire user system, to preserve as many of the files in the system as possible before they are encrypted by the ransomware.
In an implementation form of the second aspect, the device is configured to obtain the honeypot, which is generated based on a set of properties, and insert the honeypot into the user system according to the set of properties.
Notably, the honeypot that is inserted into the user system may be the honeypot generated according to embodiments of this disclosure. That is, the honeypot is generated based on properties of some identified data structures. In an example, the said properties may include a location of a data structure. This indicates that a data structure stored in this particular location is likely to be attacked early by the ransomware. Accordingly, the device may insert the honeypot into the same location as indicated in the properties, to trick the ransomware into attacking this honeypot first.
In an implementation form of the second aspect, the honeypot comprises one or more artificial files, and/or one or more artificial applications.
In an implementation form of the second aspect, the device is further configured to copy the one or more artificial files into the user system, and/or install the one or more artificial applications on the user system.
Optionally, when the honeypot comprises the one or more artificial files, the device may insert the honeypot into the user system by copying the files into the user system. Optionally, when the honeypot comprises the one or more artificial applications, the device may insert the honeypot into the user system by installing the applications on the user system.
A third aspect of the disclosure provides a device for optimizing a honeypot for attracting and decrypting ransomware, the device being configured to study attack patterns of one or more ransomware kits, and optimize the honeypot according to the attack patterns.
Embodiments of this disclosure further propose to optimize the honeypot, particularly in a way to better attract different types of ransomware. In particular, the honeypot that is optimized may be the honeypot generated according to embodiments of this disclosure. Notably, the honeypot in the user system is monitored during a learning phase of one or more types of ransomware. Accordingly, the device can adjust the honeypot to ensure that it continues to be an effective honeypot for the one or more types of ransomware on the user system.
In an implementation form of the third aspect, the device is further configured to maintain a set of properties of the honeypot, and update the honeypot by modifying one or more properties of the set of properties.
Notably, the honeypot may be generated based on a set of properties. Optionally, the honeypot may be continuously adjusted by modifying one or more properties in the set of properties.
In an implementation form of the third aspect, the device is further configured to modify the one or more properties of the honeypot, such that the updated honeypot can be used for decrypting one or more files that are encrypted by one or more ransomware kits.
Typically, a decryption tool (a decryptor) may require a pair of files, i.e., the files before and after the encryption, in order to perform the decryption. The pair of files may be used to deduce an encryption key from them, and then the encryption key can be used to decrypt other files. Since the honeypot is designed to attract the ransomware infection as early as possible, it is possible to use the infected honeypot, i.e., the encrypted honeypot, and the honeypot, i.e., the unencrypted version, in the decryption procedure.
In an implementation form of the third aspect, the device is further configured to provide the honeypot to one or more decryptors for decrypting the one or more files that are encrypted by the one or more ransomware kits.
More than one decryption tool may be used for decrypting files that are affected by the ransomware. The honeypot may be provided to these decryption tools by the device.
In an implementation form of the third aspect, the device is further configured to obtain and analyze a decryption result of the one or more decryptors, and modify the one or more properties of the honeypot, such that the decryption result of the one or more decryptors is optimized.
By controlling some properties of the honeypot and their changes, the device can tailor the honeypot to be optimal for use in relevant decryptors.
In an implementation form of the third aspect, the device is further configured to modify the one or more properties of the honeypot, such that the updated honeypot can be used for decrypting as many files that are encrypted by the one or more ransomware kits as possible.
For example, it can be made sure that a file size of the honeypot is large enough to be useful when applying decryptors, in order to allow decryption of as many files as possible.
In an implementation form of the third aspect, wherein the honeypot is inserted in a user system, the device is further configured to store a copy of the honeypot in a safe location of a backup system of the user system, or regenerate the honeypot. It is noted that decryptors may require a pair of files, i.e., the files before and after the encryption, in order to perform the decryption. Thus, an original version of the honeypot, which is not affected by ransomware, is needed. In order to be able to provide the unencrypted honeypot to the decryptors, the device may keep a copy in a safe location in the backup system, or be able to reproduce it.
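The following block is an added illustration of the pair-based decryptor described above (and of the "larger honeypot, more files decrypted" point in the listed embodiments); it is not code from the patent. It models a deliberately weak cipher, constructed for the demo, that reuses one keystream across every file: XORing the unencrypted honeypot with its encrypted copy yields the keystream, which then decrypts any other file up to the honeypot's length. The secret, file contents and sizes are constructed; real ransomware families differ, and the toy cipher only stands in for whatever the decryptor deduces from the pair.

```python
"""Toy model of a pair-based decryptor: the honeypot pair recovers the key
material, and the honeypot's size bounds how much of other files it recovers.
Added example, not code from the patent."""
import hashlib


def keystream(secret, n):
    """Toy keystream: SHA-256 in counter mode over a fixed secret.

    Constructed for the demo. The weakness modelled is that the same keystream
    is reused for every file, which is what lets one known pair recover it.
    """
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(secret + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def weak_encrypt(secret, data):
    """Encrypt (or decrypt) data by XOR with the shared toy keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(secret, len(data))))


def recover_keystream(plain, cipher):
    """Known-plaintext step: the unencrypted and encrypted honeypot give the keystream."""
    if len(plain) != len(cipher):
        raise ValueError("honeypot pair must be the same length")
    return bytes(a ^ b for a, b in zip(plain, cipher))


def decrypt_with_pair(ks, cipher):
    """Apply the recovered keystream; returns (recovered_prefix, fully_recovered)."""
    n = min(len(ks), len(cipher))
    recovered = bytes(a ^ b for a, b in zip(cipher[:n], ks[:n]))
    return recovered, n == len(cipher)


def evaluate_honeypot(secret, honeypot_plain, user_files):
    """Decryption result for one honeypot: how many user files come back whole.

    This is the 'obtain and analyze a decryption result' loop: the device can
    grow the honeypot and re-evaluate until every file is recoverable.
    """
    hp_cipher = weak_encrypt(secret, honeypot_plain)
    ks = recover_keystream(honeypot_plain, hp_cipher)
    fully = 0
    for data in user_files:
        recovered, complete = decrypt_with_pair(ks, weak_encrypt(secret, data))
        if complete and recovered == data:
            fully += 1
    return fully


def minimal_honeypot_size(user_file_sizes):
    """Smallest honeypot that lets this pair-based decryptor recover every file."""
    return max(user_file_sizes)


if __name__ == "__main__":
    secret = b"constructed-toy-secret"          # constructed, demo only
    files = [b"A" * 100, b"B" * 300, b"C" * 500]  # constructed user files
    for hp_len in (64, 200, 500):
        n = evaluate_honeypot(secret, b"h" * hp_len, files)
        print(f"{hp_len}-byte honeypot -> {n} of {len(files)} files fully recovered")
```

The design choice to note is that the honeypot's original copy must be retrievable (from the backup system, or regenerated deterministically) for `recover_keystream` to have anything to XOR against; without it the encrypted honeypot alone is useless to the decryptor.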
A fourth aspect of the disclosure provides a method for generating a honeypot for attracting ransomware, the method comprising: obtaining a first backup image of a user system at a first time point; creating a first backup system based on the first backup image; running one or more ransomware kits on the first backup system; identifying a first set of data structures in the first backup system that are attacked within a determined time period by the one or more ransomware kits; identifying a first set of properties of the first set of data structures; and generating the honeypot based on the first set of properties.
The method of the fourth aspect and its implementation forms provide the same advantages and effects as described above for the device of the first aspect and its respective implementation forms.
A fifth aspect of the disclosure provides a method for using a honeypot for attracting ransomware, the method comprising: inserting the honeypot into a user system; monitoring the honeypot to detect whether the honeypot is affected, in particular by ransomware; and taking an action to preserve data of the user system, once it is detected that the honeypot is affected.
The method of the fifth aspect and its implementation forms provide the same advantages and effects as described above for the device of the second aspect and its respective implementation forms.
A sixth aspect of the disclosure provides a method for optimizing a honeypot for attracting ransomware, the method comprising: studying attack patterns of one or more ransomware kits; and optimizing the honeypot according to the attack patterns.
The method of the sixth aspect and its implementation forms provide the same advantages and effects as described above for the device of the third aspect and its respective implementation forms.
A seventh aspect of the disclosure provides a computer program kit comprising a program code for carrying out, when implemented on a processor, the method according to the fourth aspect and its implementation forms, the fifth aspect and its implementation forms, and the sixth aspect and its implementation forms.
It has to be noted that all devices, elements, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof.
BRIEF DESCRIPTION OF DRAWINGS
The above described aspects and implementation forms of the present disclosure will be explained in the following description of specific embodiments in relation to the enclosed drawings, in which
FIG. 1 shows a device for generating a honeypot for attracting ransomware according to an embodiment of the present disclosure.
FIG. 2 shows a system comprising the device according to an embodiment of the present disclosure.
FIG. 3 shows a user system and a backup system according to an embodiment of the present disclosure.
FIG. 4 shows a user system and a backup system according to an embodiment of the present disclosure.
FIG. 5 shows a user system and a backup system according to an embodiment of the present disclosure.
FIG. 6 shows a method according to an embodiment of the present disclosure.
FIG. 7 shows a method according to an embodiment of the present disclosure.
FIG. 8 shows a method according to an embodiment of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
Embodiments of this disclosure are based on the proposal to rely on a backup system to learn behavior of different ransomware on the protected system, and create a honeypot based on this. A part of this disclosure focuses on how to use such specific pre-designed honeypot for attracting ransomware. Another main focus of this disclosure is to optimize a honeypot, in order to quickly detect ransomware and to optimize a decryption operation where necessary.
In general, the solution proposed in embodiments of this disclosure comprises three parts:
Part 1 - creation of the honeypot:
FIG. 1 shows a device 100 according to an embodiment of the disclosure. The device 100 may comprise processing circuitry (not shown) configured to perform, conduct or initiate the various operations of the device 100 described herein. The processing circuitry may comprise hardware and software. The hardware may comprise analog circuitry or digital circuitry, or both analog and digital circuitry. The digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or multi-purpose processors. In one embodiment, the processing circuitry comprises one or more processors and a non-transitory memory connected to the one or more processors. The non-transitory memory may carry executable program code which, when executed by the one or more processors, causes the device 100 to perform, conduct or initiate the operations or methods described herein.
The device 100 is adapted for generating a honeypot for attracting ransomware. In particular, the device 100 is configured to obtain a first backup image 101 of a user system 301 at a first time point. The device 100 is further configured to create a first backup system 102 based on the first backup image 101. Then, the device 100 is configured to run one or more ransomware kits on the first backup system 102. Accordingly, the device 100 is configured to identify a first set of data structures 103 in the first backup system 102 that are attacked within a determined time period by the one or more ransomware kits. Accordingly, the device 100 is configured to identify a first set of properties 104 of the first set of data structures 103. Further, the device 100 is configured to generate the honeypot 200 based on the first set of properties 104.
FIG. 2 shows a system 200 according to an embodiment of the disclosure. The system 200 comprises a device 100. In particular, the device 100 shown in FIG. 2 may be the device 100 shown in FIG. 1. Notably, the same elements in all figures are labeled with the same reference signs and function likewise. Generally, the system 200 comprises three kinds of apparatuses, which may be as described below:
  • a user system 201: which can be directly accessed by the user, and comprises user data (also named a production system in implementations);
  • a backup system 202: which is used to back up the data in the user system 201, and comprises backup images of the user data;
  • a computing device (node): which can be accessed by the administrator of the whole system, and is configured to generate a honeypot 300, or use a honeypot 300, or optimize a honeypot 300, for attracting ransomware.
Notably, the computing device is the device 100 as shown in FIG. 1 or FIG. 2. Generally speaking, a production system, or production device, is directly accessed by users and is used to perform normal operations; thus it may also be referred to as a user system. One or more user systems 201 are located in a production environment. A backup system is used to back up the data in the user system. The backup system 202 may be a backup server.
FIG. 3 shows a user system 201 and a backup system 202 according to an embodiment of the disclosure. In particular, a backup is performed on a user system 201 at time T0, resulting in the first backup image 101. In the backup system 202, a first backup system 102 is created based on the backup of time T0. For instance, the device 100 obtains the first backup image 101, and creates the first backup system 102, such as by creating a set of virtual machines based on the backup of virtual machines in the user system 201 at time T0.
Then, according to embodiments of the disclosure, the device 100 may infect the first backup system 102 with various types of ransomware, as depicted in FIG. 4. Notably, FIG. 4 shows the same user system 201 and backup system 202 as shown in FIG. 3. By monitoring this backup system, i.e., the first backup system 102, the device 100 can identify which files or applications are first attacked by each ransomware. Notably, this solution is not limited to a specific type of file system; it applies to all types of file systems. In addition, this disclosure is not limited to file systems; it can also be applied to other data storage architectures including object storage.
In the following, the device 100 can identify the properties of these files or applications (location, format, etc.) and create an artificial file or files, or an artificial, identical application, i.e., the honeypot 300 as shown in FIG. 4, with similar properties. The identified properties may also include other pieces of information about the data structures. Optionally, according to an embodiment of the disclosure, the honeypot 300 may comprise one or more artificial files, and/or one or more artificial applications.
Optionally, the device 100 may re-run the ransomware to ensure that it attacks the honeypot 300 first. An example of an artificial application is creating an artificial instance of an Oracle DB, which is simulated to appear “real” to the ransomware in order to trick it into attacking this artificial application first. In particular, according to an embodiment of the disclosure, the device 100 may be configured to re-run the one or more ransomware kits on the first backup system 102; identify a second set of data structures in the first backup system 102 that are attacked within a determined time period by the one or more ransomwares; and identify a second set of properties of the second set of data structures. Then, the device 100 may be further configured to generate the honeypot 300 based on the first set and the second set of properties.
Optionally, multiple iterations of the above-mentioned procedure may be performed, in order to ensure that the same files/applications are consistently the first to be attacked by the same ransomware each time. For instance, the device 100 may be configured to obtain a second backup image of the user system 201 at a second time point; create a second backup system based on the second backup image; run one or more ransomware kits on the second backup system; identify a third set of data structures in the second backup system that are attacked within a determined time period by each ransomware kit; identify a third set of properties of the third set of data structures. Then, the device 100 may generate the honeypot 300 based on the first set, the second set and the third set of properties.
According to the previous embodiments, a honeypot 300 can be generated.
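As an added illustration of Part 1 (and of the Oracle DB instance example in the listed embodiments), not code from the patent: the block below takes constructed file-encryption events recorded over three runs of a ransomware kit against a re-created backup system, keeps the files that were encrypted within a time window of each run's start, intersects the runs to gain confidence, reduces the survivors to location, format and size properties, and plants an artificial file with those properties under a stand-in root directory. Every path, timestamp and size is constructed; the window length and the rule of taking the largest observed size are assumptions consistent with the text, and the decoy's random filler stands in for the realistic schema and records an artificial application would carry.

```python
"""Derive honeypot properties from monitored ransomware runs in a backup
system and plant a decoy with those properties. Added example, not code
from the patent."""
import os
from collections import Counter
from dataclasses import dataclass

# Constructed monitoring records: (run_id, seconds since the kit was started,
# path that became encrypted, file size in bytes). Each run re-creates the
# backup system, possibly from a different backup image, and logs the order in
# which the kit encrypts files. Sizes are kept small so the demo runs fast.
OBSERVED_EVENTS = [
    ("run1", 0.4, "/data/oracle/orcl/system01.dbf", 2097152),
    ("run1", 0.9, "/data/oracle/orcl/users01.dbf", 1048576),
    ("run1", 1.7, "/home/alice/report.docx", 40960),
    ("run1", 9.5, "/home/alice/photos/img1.jpg", 524288),
    ("run2", 0.3, "/data/oracle/orcl/system01.dbf", 2097152),
    ("run2", 1.1, "/data/oracle/orcl/users01.dbf", 1048576),
    ("run2", 1.9, "/home/bob/notes.txt", 1024),
    ("run2", 8.8, "/home/alice/report.docx", 40960),
    ("run3", 0.5, "/data/oracle/orcl/system01.dbf", 2097152),
    ("run3", 1.4, "/data/oracle/orcl/users01.dbf", 1048576),
    ("run3", 2.2, "/home/alice/report.docx", 40960),
]


@dataclass(frozen=True)
class HoneypotSpec:
    """Properties the honeypot is generated from: location, format, size."""
    directory: str
    extension: str
    size_bytes: int


def first_attacked(events, window_s):
    """Per run, the set of paths encrypted within window_s of the kit starting."""
    per_run = {}
    for run_id, t, path, _size in events:
        per_run.setdefault(run_id, set())
        if t <= window_s:
            per_run[run_id].add(path)
    return per_run


def consistently_first(per_run, min_fraction=1.0):
    """Paths in the early set of at least min_fraction of all runs.

    Repeating the infection and intersecting the results raises confidence
    that the same data structures are attacked first each time.
    """
    counts = Counter(p for paths in per_run.values() for p in paths)
    needed = min_fraction * len(per_run)
    return {p for p, c in counts.items() if c >= needed}


def derive_spec(events, paths):
    """Reduce the identified data structures to the properties a honeypot copies."""
    if not paths:
        raise ValueError("no consistently first-attacked data structures found")
    sizes = {path: size for _r, _t, path, size in events}
    directory = Counter(os.path.dirname(p) for p in paths).most_common(1)[0][0]
    extension = Counter(os.path.splitext(p)[1] for p in paths).most_common(1)[0][0]
    # A larger honeypot is more useful to pair-based decryptors (assumption
    # following the text), so take the largest size among the chosen files.
    return HoneypotSpec(directory, extension, max(sizes[p] for p in paths))


def write_honeypot(spec, root, name="hp_decoy"):
    """Create an artificial file with the spec's properties under root.

    root stands in for the user system's filesystem (a temp dir in the demo).
    The content is random filler; an artificial application (the Oracle DB
    example in the text) would instead populate a realistic structure.
    """
    target_dir = os.path.join(root, spec.directory.lstrip("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, name + spec.extension)
    remaining = spec.size_bytes
    with open(path, "wb") as f:
        while remaining > 0:
            chunk = min(remaining, 1 << 20)
            f.write(os.urandom(chunk))
            remaining -= chunk
    return path


if __name__ == "__main__":
    import tempfile
    early = first_attacked(OBSERVED_EVENTS, window_s=2.0)
    chosen = consistently_first(early)
    spec = derive_spec(OBSERVED_EVENTS, chosen)
    print("first attacked in every run:", sorted(chosen))
    print("honeypot spec:", spec)
    with tempfile.TemporaryDirectory() as root:
        print("planted at:", write_honeypot(spec, root))
```

Lowering `min_fraction` admits files that were early in only some runs; keeping it at 1.0 reproduces the "consistently the first to be attacked" criterion of the text.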
Part 2 - usage of the honeypot:
After it is satisfied that the honeypot 300 is effective (i.e., has a high chance of being the first to be attacked by the ransomware), the honeypot 300 can be inserted into a user system 201 as shown in FIG. 5. Notably, FIG. 5 shows the same user system 201 and backup system 202 as shown in FIG. 3 and FIG. 4. According to an embodiment of the disclosure, a device may be configured to insert the honeypot 300 into the user system 201. Notably, this device may be the device 100 as shown in FIG. 1 or FIG. 2. That is, it is possible that the same device generates the honeypot 300 and further uses it for attracting ransomware. However, it is also possible that a different device just obtains the honeypot 300 and uses it (without generating the honeypot 300).
According to an embodiment of the disclosure, the honeypot 300 may comprise one or more artificial files, and/or one or more artificial applications. For instance, if the honeypot 300 is a file or set of files, according to an embodiment of the disclosure, a device may be configured to copy the one or more artificial files into the user system 201, particularly to the relevant location in it. If the honeypot is an artificial application, according to an embodiment of the disclosure, the device may be configured to install it on the user system 201. Possibly, the device may populate the honeypot 300 with the same data used during the honeypot-learning done in the first backup system 102.
After placing the honeypot 300 in the user system 201, according to an embodiment of the disclosure, the device may monitor the honeypot 300 to identify if a ransomware is infecting the user system 201. Since the honeypot 300 is controlled by the device, any changes to the honeypot 300 that are not initiated by the device or the user system 201 are suspicious. In addition, since the honeypot 300 is designed to attract the ransomware infection as early as possible, once it is detected that the honeypot 300 is being changed, the device can immediately take actions to prevent or contain the ransomware infection. An example of such an action might be immediately taking a snapshot of the entire user system 201, to preserve as much of it as possible before it is encrypted by the ransomware.
Monitoring the state of the honey pot 300 allows detecting malware attack as early as possible, and taking various measures in response, in order to stop the attack and decrypt the encrypted files (which are affected by the ransomware).
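The monitoring step described above, as an added example that is not part of the patent: the device keeps a digest baseline of the honeypot files it planted, re-baselines after its own legitimate updates, and treats any other change (modification, rename or deletion) as a trigger for the preservation action. The file names, the callback standing in for "take a snapshot", and the simulated tampering are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added example, not the patent's code. A minimal integrity monitor for a
# file-based honeypot: changes the device did not make itself are suspicious
# and trigger on_tamper (a stand-in for snapshotting the user system).


def _digest(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


@dataclass
class HoneypotMonitor:
    paths: List[str]
    on_tamper: Callable[[List[str]], None]
    baseline: Dict[str, str] = field(default_factory=dict)

    def record_baseline(self) -> None:
        """Called right after the device plants (or legitimately refreshes) the honeypot."""
        self.baseline = {p: _digest(p) if os.path.exists(p) else "<missing>" for p in self.paths}

    def device_update(self, path: str, data: bytes) -> None:
        """A change made by the device itself: write, then re-baseline so it is not flagged."""
        with open(path, "wb") as fh:
            fh.write(data)
        self.baseline[path] = _digest(path)

    def check(self) -> List[str]:
        """Return honeypot files that differ from the baseline (changed, renamed away or
        deleted) and fire on_tamper once if the list is non-empty."""
        tampered = []
        for p in self.paths:
            current = _digest(p) if os.path.exists(p) else "<missing>"
            if current != self.baseline.get(p):
                tampered.append(p)
        if tampered:
            self.on_tamper(tampered)
        return tampered


def demo() -> dict:
    """Constructed scenario: plant two honeypot files, refresh one legitimately,
    then simulate an unauthorized overwrite-and-rename of the other."""
    events: List[List[str]] = []
    with tempfile.TemporaryDirectory() as d:
        hp1 = os.path.join(d, "hp_customers.db")
        hp2 = os.path.join(d, "hp_invoices.db")
        for p in (hp1, hp2):
            with open(p, "wb") as fh:
                fh.write(b"honeypot content " * 64)
        mon = HoneypotMonitor([hp1, hp2], on_tamper=events.append)
        mon.record_baseline()
        quiet = mon.check()                                  # nothing changed yet
        mon.device_update(hp1, b"refreshed by the device")  # legitimate change
        after_update = mon.check()                           # still nothing to flag
        with open(hp2, "wb") as fh:                          # simulated tampering of hp2
            fh.write(os.urandom(256))
        os.replace(hp2, hp2 + ".locked")
        flagged = mon.check()                                # hp2 is now flagged
    return {"quiet": quiet, "after_update": after_update, "flagged": flagged, "events": len(events)}
```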
Part 3 - optimization of the honeypot:
According to an embodiment of the disclosure, a device for optimizing a honeypot 300 for attracting and decrypting ransomware is proposed. The device is configured to study attack patterns of one or more ransomware kits, and optimize the honeypot 300 according to the attack patterns. Notably, this device may be the device 100 as shown in FIG. 1 or FIG. 2. That is, it is possible that the same device generates the honeypot 300 and further optimizes it. However, it is also possible that a device obtains a honeypot 300 from other devices, and optimizes it.
It is further proposed to optimize the honeypot 300, particularly so that it better attracts ransomware. Optionally, the honeypot 300 may be the honeypot 300 as shown in FIG. 1 or FIG. 5. That is, the honeypot 300 that is optimized may be the honeypot 300 generated according to embodiments of this disclosure. Notably, the honeypot 300 in the user system 201 is monitored during a learning phase of one or more types of ransomware. Accordingly, the device can adjust the honeypot 300 to ensure that it continues to be an effective honeypot for the one or more types of ransomware on the user system 201.
Notably, the honeypot 300 may be generated based on a set of properties. According to an embodiment of the disclosure, the device may be further configured to maintain a set of properties of the honeypot 300, and update the honeypot 300 by modifying one or more properties of the set of properties. In this way, the honeypot 300 may be continuously adjusted by modifying one or more properties in the set of properties.
In particular, the honeypot may be adjusted in a manner such that the updated honeypot can be used for decrypting one or more files that are encrypted by one or more ransomware kits.
Typically, a decryption tool (a decryptor) may require a pair of files, i.e., the same file before and after the encryption, in order to perform the decryption. The pair of files may be used to deduce an encryption key, and the encryption key can then be used to decrypt other files. Since the honeypot 300 is designed to attract the ransomware infection as early as possible, it is possible to use the infected honeypot, i.e., the encrypted honeypot, together with the honeypot itself, i.e., the unencrypted version, in the decryption procedure. Notably, the honeypot 300 can thus serve an additional and important function: by controlling some properties of the honeypot files and their changes, the honeypot 300 can be tailored to be optimal for use in the relevant decryptors. For instance, for some decryption tools, the larger the file, the more of the other encrypted files can be decrypted. In such a case, the largest possible honeypot size may be desired. Therefore, the device can make sure that the honeypot file size is large enough to be useful when applying decryptors, in order to allow decryption of as many user files as possible. Since the device can control changes to the honeypot files, it can also more easily use them as input for decryptors.
According to an embodiment of the disclosure, the device may be further configured to obtain and analyze a decryption result of the one or more decryptors, and modify the one or more properties of the honeypot, such that the decryption result of the one or more decryptors is optimized.
Notably, more than one decryption tool may be used for decrypting files that are affected by the ransomware. According to an embodiment of the disclosure, the device may be further configured to provide the honeypot 300 to one or more decryptors for decrypting the one or more files that are encrypted by the one or more ransomware kits.
Further, the device may be configured to modify the one or more properties of the honeypot, such that the updated honeypot can be used for decrypting as many files that are encrypted by the one or more ransomware kits as possible. For example, the device can make sure that a file size of the honeypot is large enough to be useful when applying decryptors, in order to allow decryption of as many files as possible.
It is noted that decryptors may require a pair of files, i.e., the same file before and after the encryption, in order to perform the decryption. Thus, an original version of the honeypot, which is not affected by ransomware, is needed. In order to be able to provide the unencrypted honeypot to the decryptors, the device may keep a copy in a safe location in the backup system, or be able to reproduce it. That is, according to an embodiment of the disclosure, when the honeypot 300 is inserted in a user system 201, the device is further configured to store a copy of the honeypot 300 in a safe location of a backup system 202 of the user system 201, or to regenerate the honeypot 300.
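The before/after pair and the "larger honeypot decrypts more" argument of the preceding paragraphs, as an added example that is not part of the patent. The cipher is a constructed stand-in (every file XORed with the same per-victim keystream), chosen only because it makes the known-pair step and the length limit visible; it is not a model of any real ransomware family. The functions, file contents and the size-optimization loop are assumptions for the demo.

```python
import hashlib
from typing import Dict

# Added example, not the patent's code. With one honeypot pair (plaintext, ciphertext)
# a decryptor recovers the keystream prefix of the honeypot's length; every other
# encrypted file is then recoverable only up to that length. The device therefore
# grows the honeypot until the measured decryption result meets its target.


def _keystream(secret: bytes, n: int) -> bytes:
    """Stand-in keystream: SHA-256 in counter mode over a per-victim secret (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(secret + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def standin_encrypt(secret: bytes, data: bytes) -> bytes:
    """What the stand-in cipher does to every file in the (backup) system."""
    return _xor(data, _keystream(secret, len(data)))


def recover_keystream(honeypot_plain: bytes, honeypot_cipher: bytes) -> bytes:
    """Decryptor core step: the before/after pair of the honeypot yields the keystream prefix."""
    if len(honeypot_plain) != len(honeypot_cipher):
        raise ValueError("not a valid before/after pair: lengths differ")
    return _xor(honeypot_plain, honeypot_cipher)


def decrypt_with_pair(keystream: bytes, cipher: bytes) -> bytes:
    """Decrypt as far as the recovered keystream reaches; the tail stays encrypted."""
    n = min(len(keystream), len(cipher))
    return _xor(cipher[:n], keystream[:n]) + cipher[n:]


def recovered_fraction(keystream: bytes, encrypted_files: Dict[str, bytes]) -> float:
    """Decryption result the device analyzes: share of user-file bytes that are recoverable."""
    total = sum(len(c) for c in encrypted_files.values())
    got = sum(min(len(keystream), len(c)) for c in encrypted_files.values())
    return got / total if total else 1.0


def optimize_honeypot_size(secret: bytes, user_files: Dict[str, bytes], start: int,
                           step: int, target: float = 1.0, max_rounds: int = 64) -> dict:
    """Learning-phase loop over one honeypot property (its size): plant a honeypot of the
    candidate size, let the stand-in cipher run, feed the pair to the decryptor, measure
    the recovered fraction, and grow the honeypot until the target is reached."""
    encrypted = {name: standin_encrypt(secret, data) for name, data in user_files.items()}
    size, history = start, []
    for _ in range(max_rounds):
        honeypot = b"A" * size  # artificial honeypot content of the candidate size
        ks = recover_keystream(honeypot, standin_encrypt(secret, honeypot))
        frac = recovered_fraction(ks, encrypted)
        history.append((size, round(frac, 3)))
        if frac >= target:
            return {"size": size, "fraction": frac, "history": history}
        size += step
    raise RuntimeError("target not reached within max_rounds")
```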
In a specific implementation, a honeypot 300 as discussed in the previous embodiments can be an Oracle honeypot. In particular, the user system 201 may contain several instances of Oracle DB, each with its own data schema, size, number of records, field names, and additional properties. The user system 201 is backed up and re-created inside the backup system 202 (using the backup). Then, according to an embodiment of the disclosure, the device 100 infects the re-created user system with a ransomware and monitors its state (either by directly monitoring the files associated with each Oracle DB instance, to determine when the files become encrypted, or by attempting to access the Oracle DB instances and identifying that a failure to access them is the result of ransomware encryption). Notably, the device 100 may be the device 100 as shown in FIG. 1 or FIG. 2.
Generally, the ransomware encrypts the system in stages. Via the monitoring, the device 100 may identify which Oracle DB instance is the first to be encrypted. The device 100 can re-run this test several times (each time re-creating a user system, perhaps from different backups of the original user system), to increase the confidence in which Oracle DB instance is first encrypted.
Then, the device 100 generates the honeypot 300 accordingly. In particular, the device 100 creates a new, artificial Oracle DB instance and models it to be as similar as possible to the first Oracle DB instance that is attacked (e.g., by creating a similar schema for it, populating it with a similar number of records, giving its fields similar names, etc.).
The device 100 can re-run the ransomware again, and continue to adjust the honeypot 300 until it is the first (or among the first) DB instances encrypted.
Then, this honeypot 300 can be planted in the user system 201 (by creating a DB instance there and populating it with the same information as was used while learning the ransomware).
The device 100 can monitor this Oracle DB instance in the user system 201 in the same way as it monitored the Oracle DB instance during the learning phase. As the user's Oracle DB instances change over time, the device 100 can further adjust this honeypot 300 accordingly, to ensure that it continues to be an effective honeypot for this ransomware on this user system.
FIG. 6 shows a method 600 for generating a honeypot 300 for attracting ransomware according to an embodiment of the present disclosure. In particular, the method 600 is performed by the device 100 as shown in FIG. 1 or FIG. 2. The method 600 comprises a step 601 of obtaining a first backup image 101 of a user system 201 at a first time point; a step 602 of creating a first backup system 102 based on the first backup image 101; a step 603 of running one or more ransomware kits on the first backup system 102; a step 604 of identifying a first set of data structures 103 in the first backup system 102 that are attacked within a determined time period by the one or more ransomware kits; a step 605 of identifying a first set of properties 104 of the first set of data structures 103; and a step 606 of generating the honeypot 300 based on the first set of properties 104.
Notably, the method 600 may further comprise actions as described in aforementioned embodiments of the device 100.
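Steps 603 to 606 of the learning phase (and the repeated runs of the Oracle example above), as an added example that is not part of the patent: each run of a ransomware kit on a re-created backup system yields the data structures encrypted within the determined time period, the runs are combined to find the structure most consistently attacked first, and its properties (location, format, size, record count) are copied into a specification for the artificial honeypot. The inventory, the observation records, the scoring rule and the `hp_` naming are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not the patent's code. Observations are constructed monitoring
# records of ransomware runs in the backup system: which data structure was found
# encrypted and how many seconds after the run started.


@dataclass(frozen=True)
class Observation:
    run: int          # which re-run of the kit (possibly from a different backup image)
    structure: str    # path of the file / DB instance in the backup system
    seconds: float    # time from kit start until the structure was found encrypted


# Constructed inventory of the backup system: properties of each data structure.
INVENTORY: Dict[str, Dict[str, object]] = {
    "/data/oracle/SALES/sales01.dbf": {"location": "/data/oracle/SALES", "format": "dbf", "size_mb": 820, "records": 2_100_000},
    "/data/oracle/HR/hr01.dbf": {"location": "/data/oracle/HR", "format": "dbf", "size_mb": 95, "records": 40_000},
    "/home/alice/Documents/q3.xlsx": {"location": "/home/alice/Documents", "format": "xlsx", "size_mb": 2, "records": None},
    "/var/log/syslog": {"location": "/var/log", "format": "log", "size_mb": 30, "records": None},
}


def first_attacked_sets(obs: List[Observation], period_s: float) -> Dict[int, List[str]]:
    """Step 604 per run: structures encrypted within the determined time period, earliest first."""
    per_run: Dict[int, List[Observation]] = {}
    for o in obs:
        if o.seconds <= period_s:
            per_run.setdefault(o.run, []).append(o)
    return {r: [o.structure for o in sorted(v, key=lambda o: o.seconds)] for r, v in per_run.items()}


def rank_targets(sets: Dict[int, List[str]]) -> List[Tuple[str, float]]:
    """Combine several runs: a structure scores 1/(1+position) in each run's set, so the
    one hit first most consistently ranks highest (constructed scoring rule)."""
    score: Counter = Counter()
    for ordered in sets.values():
        for pos, s in enumerate(ordered):
            score[s] += 1.0 / (1 + pos)
    return score.most_common()


def generate_honeypot_spec(target: str, inventory: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Steps 605-606: mirror the target's properties in a spec for an artificial structure
    planted in the same location; only the name is new (size is kept, see Part 3)."""
    props = inventory[target]
    spec = dict(props)
    spec["path"] = f"{props['location']}/hp_{target.rsplit('/', 1)[-1]}"
    spec["artificial"] = True
    return spec


def learn(obs: List[Observation], period_s: float, inventory=INVENTORY) -> Dict[str, object]:
    """Whole learning phase on the recorded runs; returns the chosen target and its spec."""
    ranking = rank_targets(first_attacked_sets(obs, period_s))
    if not ranking:
        return {"target": None, "spec": None, "ranking": []}
    target = ranking[0][0]
    return {"target": target, "spec": generate_honeypot_spec(target, inventory), "ranking": ranking}


# Constructed observations from three runs: SALES is hit first in runs 1 and 2, second in run 3;
# syslog is only touched long after the determined period.
OBSERVATIONS = [
    Observation(1, "/data/oracle/SALES/sales01.dbf", 4.0),
    Observation(1, "/home/alice/Documents/q3.xlsx", 9.0),
    Observation(1, "/data/oracle/HR/hr01.dbf", 70.0),
    Observation(2, "/data/oracle/SALES/sales01.dbf", 6.5),
    Observation(2, "/data/oracle/HR/hr01.dbf", 40.0),
    Observation(3, "/home/alice/Documents/q3.xlsx", 3.0),
    Observation(3, "/data/oracle/SALES/sales01.dbf", 5.0),
    Observation(3, "/var/log/syslog", 200.0),
]
```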
FIG. 7 shows a method 700 for using a honeypot 300 for attracting ransomware according to an embodiment of the present disclosure. In particular, the method 700 may be performed by the device 100 as shown in FIG. 1 or FIG. 2. The method 700 comprises a step 701 of inserting the honeypot 300 into a user system 201; a step 702 of monitoring the honeypot 300 to detect whether the honeypot 300 is affected, in particular by ransomware; and a step 703 of taking an action to preserve data of the user system 201, once it is detected that the honeypot 300 is affected.
FIG. 8 shows a method 800 for optimizing a honeypot 300 for attracting ransomware according to an embodiment of the present disclosure. In particular, the method 800 may be performed by the device 100 as shown in FIG. 1 or FIG. 2. The method 800 comprises a step 801 of studying attack patterns of one or more ransomware kits; and a step 802 of optimizing the honeypot 300 according to the attack patterns.
The present disclosure further provides a computer program kit comprising a program code for carrying out, when implemented on a processor, the method 600 as shown in FIG. 6, or the method 700 as shown in FIG. 7, or the method 800 as shown in FIG. 8. The computer program is included in a computer readable medium of a computer program kit. The computer readable medium may comprise essentially any memory, such as a ROM (Read-Only Memory), a PROM (Programmable Read-Only Memory), an EPROM (Erasable PROM), a Flash memory, an EEPROM (Electrically Erasable PROM), or a hard disk drive.
The present disclosure has been described in conjunction with various embodiments as examples as well as implementations. However, other variations can be understood and effected by those persons skilled in the art and practicing the claimed disclosure, from the studies of the drawings, this disclosure and the independent claims. In the claims as well as in the description the word “comprising” does not exclude other elements or steps and the indefinite article “a” or “an” does not exclude a plurality. A single element or other unit may fulfill the functions of several entities or items recited in the claims. The mere fact that certain measures are recited in the mutual different dependent claims does not indicate that a combination of these measures cannot be used in an advantageous implementation.

Claims
1. A device (100) for generating a honeypot for attracting ransomware, the device (100) being configured to: obtain a first backup image (101) of a user system (201) at a first time point; create a first backup system (102) based on the first backup image (101); run one or more ransomware kits on the first backup system (102); identify a first set of data structures (103) in the first backup system (102) that are attacked within a determined time period by the one or more ransomware kits; identify a first set of properties (104) of the first set of data structures (103); and generate the honeypot (300) based on the first set of properties (104).
2. The device (100) according to claim 1, further configured to: re-run the one or more ransomware kits on the first backup system (102); identify a second set of data structures in the first backup system (102) that are attacked within a determined time period by the one or more ransomwares; identify a second set of properties of the second set of data structures; and generate the honeypot (300) based on the first set and the second set of properties.
3. The device (100) according to claim 1 or 2, further configured to: obtain a second backup image of the user system (201) at a second time point; create a second backup system based on the second backup image; run one or more ransomware kits on the second backup system; identify a third set of data structures in the second backup system that are attacked within a determined time period by each ransomware kit; identify a third set of properties of the third set of data structures; and generate the honeypot (300) based on the first set, the second set and the third set of properties.
4. The device (100) according to one of the claims 1 to 3, wherein the first set of properties (104) includes a location and/or a format of each data structure in the first set of data structures.
5. The device (100) according to one of the claims 1 to 4, wherein the first set of data structures includes one or more files and/or one or more objects.
6. The device (100) according to one of the claims 1 to 5, wherein the honeypot (300) comprises one or more artificial files, and/or one or more artificial applications.
7. A device for using a honeypot (300) for attracting ransomware, configured to: insert the honeypot (300) into a user system (201); monitor the honeypot (300) to detect whether the honeypot (300) is affected, in particular by ransomware; and take an action to preserve data of the user system (201), once it is detected that the honeypot (300) is affected.
8. The device according to claim 7, wherein the action comprises creating a snapshot of the user system (201).
9. The device according to claim 7 or 8, further configured to: obtain the honeypot (300), which is generated based on a set of properties; and insert the honeypot (300) into the user system (201) according to the set of properties.
10. The device according to one of the claims 7 to 9, wherein the honeypot (300) comprises one or more artificial files, and/or one or more artificial applications.
11. The device according to claim 10, further configured to: copy the one or more artificial files into the user system (201); and/or install the one or more artificial applications on the user system (201).
12. A device for optimizing a honeypot (300) for attracting and decrypting ransomware, configured to: study attack patterns of one or more ransomware kits; and optimize the honeypot (300) according to the attack patterns.
13. The device according to claim 12, further configured to: maintain a set of properties of the honeypot (300); and update the honeypot (300) by modifying one or more properties of the set of properties.
14. The device according to claim 13, further configured to: modify the one or more properties of the honeypot (300), such that the updated honeypot can be used for decrypting one or more files that are encrypted by one or more ransomware kits.
15. The device according to claim 14, further configured to: provide the honeypot (300) to one or more decryptors for decrypting the one or more files that are encrypted by the one or more ransomware kits.
16. The device according to claim 15, further configured to: obtain and analyze a decryption result of the one or more decryptors; and modify the one or more properties of the honeypot (300), such that the decryption result of the one or more decryptors is optimized.
17. The device according to one of the claims 14 to 16, further configured to: modify the one or more properties of the honeypot (300), such that the updated honeypot can be used for decrypting as many files that are encrypted by the one or more ransomware kits as possible.
18. The device according to one of the claims 12 to 17, wherein the honeypot (300) is inserted in a user system (201), the device is further configured to: store a copy of the honeypot (300) in a safe location of a backup system (202) of the user system (201); or regenerate the honeypot (300).
19. A method (600) for generating a honeypot (300) for attracting ransomware, the method (600) comprising: obtaining (601) a first backup image (101) of a user system (201) at a first time point; creating (602) a first backup system (102) based on the first backup image (101); running (603) one or more ransomware kits on the first backup system (102); identifying (604) a first set of data structures (103) in the first backup system (102) that are attacked within a determined time period by the one or more ransomware kits; identifying (605) a first set of properties (104) of the first set of data structures (103); and generating (606) the honeypot (300) based on the first set of properties (104).
20. A method (700) for using a honeypot (300) for attracting ransomware, the method (700) comprising: inserting (701) the honeypot (300) into a user system (201); monitoring (702) the honeypot (300) to detect whether the honeypot (300) is affected, in particular by ransomware; and taking (703) an action to preserve data of the user system (201), once it is detected that the honeypot (300) is affected.
21. A method (800) for optimizing a honeypot (300) for attracting ransomware, the method (800) comprising: studying (801) attack patterns of one or more ransomware kits; and optimizing (802) the honeypot (300) according to the attack patterns.
22. A computer program kit comprising a program code for carrying out, when implemented on a processor, the method according to one of the claims 19 to 21.
PCT/EP2020/068659 2020-07-02 2020-07-02 Device and method for generating, using and optimizing a honeypot WO2022002405A1 (en)
Publications (1)

Publication Number Publication Date
WO2022002405A1 true WO2022002405A1 (en) 2022-01-06