#121 Peeler: Profiling Kernel-Level Events to Detect Ransomware

Early Reject

[PDF] Submission (735kB) May 23, 2020, 8:55:16 AM CEST · 615d374abab2c1ea12b92427a868924c2d34772924687ba8d415ab5a4ef205b0615d374a

Ransomware is a growing threat that typically operates by either encrypting a victim's files or locking the desktop screen of the victim's computer until a ransom is paid. Detecting such malware in a timely manner remains challenging for traditional malware detection techniques. In this paper, we present a novel ransomware detection system called Peeler (Profiling kErnEl-Level Events to detect Ransomware). Rather than relying on signatures for individual ransomware samples, Peeler relies on common, generic characteristics of ransomware that manifest at the kernel level. By analyzing diverse ransomware families at the kernel level, we observed inherent behavioral characteristics of ransomware such as file I/O request patterns, process spawning, and causality relationships among kernel-level events. Based on these characteristics, we developed Peeler, which continuously monitors the kernel events of a target system and detects ransomware attacks against it. Our experimental results show that Peeler achieves a detection rate above 99% with a 0.58% false-positive rate against 43 distinct ransomware families, containing samples of both crypto and screen-locker ransomware. For crypto ransomware, Peeler raises a detection promptly after only one file is lost (within 115 milliseconds on average). Peeler uses around 4.9% of CPU time and only 9.8 MB of memory under a normal workload. Our analysis demonstrates that Peeler can efficiently detect diverse malware families by monitoring their kernel-level events.
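To make the three behavioral signals named in the abstract concrete (file I/O request patterns, process spawning, and causal chains of kernel events), the following is an added toy profiler written for this page; it is not Peeler's code and the paper's actual features, thresholds and event format are not reproduced here. It assumes a simplified event tuple (timestamp, pid, ppid, operation, path, extra), treats a read followed by a high-entropy overwrite and then a rename or delete of the same file by the same process as "one file lost", and reconstructs process lineage from spawn events so an alert names the ancestor that dropped the encryptor. The entropy cut-off and the alert-after-one-file threshold are assumptions chosen for illustration; the sample event stream is constructed.

```python
"""Toy kernel-event profiler (added example, not Peeler's implementation)."""
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0    # bits/byte; assumed cut-off for "looks encrypted"
FILES_LOST_THRESHOLD = 1   # alert after one lost file, mirroring the abstract's claim

# Constructed sample stream: (ts_ms, pid, ppid, op, path, extra).
# For "write" extra is the written bytes; for "rename" extra is the new name.
LOW_ENTROPY = b"Hello from a normal document. " * 10
HIGH_ENTROPY = bytes(range(256)) * 2           # uniform byte histogram: 8.0 bits/byte
SAMPLE_EVENTS = [
    (0,   100, 1,   "spawn",  "winword.exe",    None),
    (10,  100, 1,   "open",   "C:/docs/a.docx", None),
    (12,  100, 1,   "read",   "C:/docs/a.docx", None),
    (15,  100, 1,   "write",  "C:/docs/a.docx", LOW_ENTROPY),   # ordinary editing
    (20,  100, 1,   "close",  "C:/docs/a.docx", None),
    (100, 200, 150, "spawn",  "invoice.exe",    None),          # child of pid 150
    (101, 200, 150, "open",   "C:/docs/b.docx", None),
    (102, 200, 150, "read",   "C:/docs/b.docx", None),
    (103, 200, 150, "write",  "C:/docs/b.docx", HIGH_ENTROPY),  # overwrite in place
    (104, 200, 150, "rename", "C:/docs/b.docx", "C:/docs/b.docx.locked"),
    (105, 200, 150, "open",   "C:/docs/c.docx", None),
    (106, 200, 150, "read",   "C:/docs/c.docx", None),
    (107, 200, 150, "write",  "C:/docs/c.docx", HIGH_ENTROPY),
    (108, 200, 150, "delete", "C:/docs/c.docx", None),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written buffer; encrypted output sits near 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class KernelEventProfiler:
    def __init__(self, entropy_threshold=ENTROPY_THRESHOLD,
                 files_lost_threshold=FILES_LOST_THRESHOLD):
        self.entropy_threshold = entropy_threshold
        self.files_lost_threshold = files_lost_threshold
        self.parent = {}            # pid -> ppid, learned from spawn events
        self.image = {}             # pid -> image name
        self.file_state = {}        # (pid, path) -> "read" | "encrypted"
        self.lost = defaultdict(list)   # pid -> paths judged lost
        self.alerted = set()
        self.alerts = []

    def lineage(self, pid):
        """Walk spawn relationships upward: [pid, parent, grandparent, ...]."""
        chain = [pid]
        while chain[-1] in self.parent and self.parent[chain[-1]] not in chain:
            chain.append(self.parent[chain[-1]])
        return chain

    def feed(self, event):
        """Consume one event; return an alert dict when a process crosses the threshold."""
        ts, pid, ppid, op, path, extra = event
        key = (pid, path)
        if op == "spawn":
            self.parent[pid] = ppid
            self.image[pid] = path
        elif op == "read":
            self.file_state[key] = "read"
        elif op == "write":
            # Only read -> high-entropy overwrite advances the chain; a low-entropy
            # write looks like normal editing and resets the per-file state.
            prior = self.file_state.get(key)
            if prior in ("read", "encrypted") and \
                    shannon_entropy(extra) >= self.entropy_threshold:
                self.file_state[key] = "encrypted"
            else:
                self.file_state.pop(key, None)
        elif op in ("rename", "delete"):
            # Rename/delete after an encrypted overwrite completes the causal chain:
            # the original content is now gone, so count one file as lost.
            if self.file_state.pop(key, None) == "encrypted":
                self.lost[pid].append(path)
                if len(self.lost[pid]) >= self.files_lost_threshold \
                        and pid not in self.alerted:
                    self.alerted.add(pid)
                    alert = {"ts_ms": ts, "pid": pid, "image": self.image.get(pid),
                             "lineage": self.lineage(pid),
                             "files_lost": list(self.lost[pid])}
                    self.alerts.append(alert)
                    return alert
        return None

    def run(self, events):
        return [a for a in map(self.feed, events) if a]


if __name__ == "__main__":
    for alert in KernelEventProfiler().run(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed stream, the editor process (pid 100) never produces an alert because its write is low-entropy, while pid 200 is flagged at the first rename (ts 104) with lineage [200, 150], so a responder can kill the dropper as well as the encryptor. A real profiler would additionally need to cope with ransomware that writes the ciphertext to a new file and deletes the original, which this chain does not model.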

M. Ahmed, H. Kim, T. Kim, S. Camtepe, S. Nepal

  • Anti-malware techniques: detection, analysis, and prevention
  • Security and privacy of systems based on machine learning and AI