
EP-4740360-A1 - METHOD AND APPARATUS OF INVESTIGATING A RANSOMWARE ATTACK ON A NETWORK DEVICE DURING RUNTIME

EP 4740360 A1

Abstract

A method of investigating a ransomware attack on a network device (126) during runtime is provided. The method includes detecting the ransomware attack on the network device (126). The method includes determining one or more investigating properties of the detected ransomware attack. The method includes generating one or more bait files and one or more processes. Each of the one or more bait files and each of the one or more processes corresponds to the one or more investigating properties, and the method includes inspecting the ransomware attack during the runtime using the one or more bait files and the one or more processes to mitigate the ransomware attack.

Inventors

  • ARAZI, Ron
  • DAVID, DAVID
  • BIRMAN, Yoni

Assignees

  • Huawei Technologies Co., Ltd.

Dates

Publication Date: 2026-05-13
Application Date: 2024-02-15

Claims (8)

  1. A method of investigating a ransomware attack on a network device (126) during runtime, comprising steps of: detecting the ransomware attack on the network device (126); determining a plurality of investigating properties of the detected ransomware attack; generating a plurality of bait files and a plurality of processes, where each one of the plurality of bait files and each one of the plurality of processes corresponds to at least one of the plurality of investigating properties; and inspecting the ransomware attack during the runtime using the plurality of bait files and the plurality of processes, to mitigate the ransomware attack.
  2. The method of claim 1 further comprising a step of: during the inspecting step, generating further bait files, and using the generated further bait files to delay the ransomware attack.
  3. The method of claim 2 wherein the generating further bait files and using the generated further bait files to delay the ransomware attack occurs throughout the inspecting step.
  4. The method of claim 1 wherein the plurality of investigating properties which correspond to the plurality of bait files include file formats affected by the ransomware attack, whether the ransomware attack is targeted to specific file names, file sizes, or specific directories.
  5. The method of claim 1 wherein the plurality of investigation properties which correspond to the plurality of processes include whether the ransomware attack is aware of a monitoring tool.
  6. The method of claim 5 wherein the plurality of investigation properties which correspond to the plurality of processes include whether the ransomware attack is aware of the monitoring tool and can terminate the monitoring tool.
  7. A computer program comprising instructions for carrying out all the steps of the method according to any preceding method claim, when said computer program is executed on a computer system.
  8. An apparatus (100) for investigating a ransomware attack on a network device (126), comprising: a detecting unit (104) configured to detect a ransomware attack on the network device (126); a determining unit (110) configured to determine a plurality of investigating properties of the detected ransomware attack; a generating unit (114) configured to generate a plurality of bait files and a plurality of processes, where each one of the plurality of bait files and each one of the plurality of processes corresponds to at least one of the plurality of investigating properties; and an inspecting unit (108) configured to inspect the ransomware attack during runtime using the plurality of bait files and the plurality of processes, to mitigate the ransomware attack.
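The bait-file side of claims 1 and 4, as an added illustration that is not part of the patent or of any Huawei implementation: given the investigating properties extracted from a detected attack (affected file formats, directories, typical file size), it generates bait files with those properties, records a hash baseline, re-inspects the bait at runtime and maps any tampering back to the properties the attack acts on. The `AttackProperties` fields, the `bait_NNN` naming and the three classification labels are assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass
class AttackProperties:
    """Investigating properties extracted from a detected attack (cf. claim 4); assumed fields."""
    extensions: list        # file formats the attack touched, e.g. [".docx", ".xlsx"]
    directories: list       # directories it traversed, relative to the bait root
    size_bytes: int = 4096  # typical size of the affected files


def generate_bait_files(root: str, props: AttackProperties) -> dict:
    """Create one bait file per (directory, extension) pair; return {path: sha256}.
    Content is random so encryption in place always shows up as a digest change."""
    baseline = {}
    for directory in props.directories:
        os.makedirs(os.path.join(root, directory), exist_ok=True)
        for ext in props.extensions:
            path = os.path.join(root, directory, f"bait_{len(baseline):03d}{ext}")
            payload = os.urandom(props.size_bytes)
            with open(path, "wb") as fh:
                fh.write(payload)
            baseline[path] = hashlib.sha256(payload).hexdigest()
    return baseline


def inspect_bait_files(baseline: dict) -> dict:
    """Runtime inspection: re-hash every bait file and classify what happened to it."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "deleted_or_renamed"  # victim removed or renamed in place
            continue
        with open(path, "rb") as fh:
            current = hashlib.sha256(fh.read()).hexdigest()
        findings[path] = "unchanged" if current == digest else "modified"
    return findings


def affected_properties(findings: dict) -> dict:
    """Map tampered bait files back to the extensions and directories the attack acts on."""
    affected = {"extensions": set(), "directories": set()}
    for path, state in findings.items():
        if state != "unchanged":
            affected["extensions"].add(os.path.splitext(path)[1])
            affected["directories"].add(os.path.basename(os.path.dirname(path)))
    return affected
```

Running `inspect_bait_files` on a timer and feeding `affected_properties` back into a new `AttackProperties` is one way to realise the "further bait files" loop of claim 2.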

Description

METHOD AND APPARATUS OF INVESTIGATING A RANSOMWARE ATTACK ON A NETWORK DEVICE DURING RUNTIME

TECHNICAL FIELD

The disclosure generally relates to inspecting a ransomware attack, and more particularly to a method and an apparatus for investigating a ransomware attack on a network device during runtime.

BACKGROUND

In recent years, ransomware attacks have become prominent cyber-attacks. Various existing techniques are used to detect and mitigate ransomware attacks and to protect important data from corruption or encryption. For example, if an existing defense system detects an unknown ransomware running on a network device, it uses different detection techniques to halt the unknown ransomware. To completely mitigate or recover from the impact of the unknown ransomware on the network device, the existing defense system requires an investigation, which is used to extract the properties of the unknown ransomware. The investigation is done by Security Operations Center (SOC) professionals experienced in investigating and mitigating cyber-attacks, and it may be automatic or manual. The investigation requires executing the unknown ransomware in a sandbox. Once the sandbox is configured to run the unknown ransomware, playbooks featuring various execution and configuration scenarios are used to execute it, allowing the SOC professionals to comprehend and map or extract its properties. The SOC professionals then conduct a network scan using a Security Information and Event Management (SIEM) tool to identify any network devices that may have been infected or affected by the unknown ransomware, facilitating its recovery and termination. The SOC professionals halt the unknown ransomware on any affected network devices.
During the investigation, the unknown ransomware, even if identified and terminated or quarantined, may persist in causing damage and spreading, thereby affecting the network device and inflicting unrecoverable impacts. This is because, without a complete understanding of all properties of the unknown ransomware, it is challenging for SOC professionals to determine whether it has been completely halted and mitigated. Moreover, the properties of the unknown ransomware are vast, and interpreting this large number of properties is difficult for SOC professionals. For example, the properties of the unknown ransomware may include its encryption technique, its speed, the properties of attacked files that are changed, the traversal of the attack, and its ransom notes. An existing system protects a database against a ransomware attack. The existing system includes (i) a database backup handler configured to selectively store a backup database associated with the database in a storage device, (ii) a ransomware detector configured to monitor changes within the database and identify changes resulting from a ransomware attack, and (iii) a ransomware remediator configured to restore data in the database to a point before the ransomware attack based upon the backup database in the storage device. The existing system might not recover recent changes in the database if the data changed between the last backup and the ransomware attack. Another existing monitoring system monitors a ransomware attack. This monitoring system includes a monitoring module that monitors files within the system for specific patterns of file access. If the number of patterns of file access exceeds a first threshold, an investigation module is activated. The investigation module records actions carried out by processes in modifying the files.
This monitoring system further includes a reaction module that intervenes by temporarily halting a set of processes on the system when the number of patterns of file access exceeds a second threshold. The reaction module also identifies processes associated with a suspected ransomware attack based on the logging performed by the investigation module and resumes legitimate processes. Because that logging may be inaccurate, this monitoring system might not accurately identify the processes associated with a suspected ransomware attack. Moreover, this monitoring system does not mitigate the suspected ransomware attack associated with the identified processes. Another existing system orchestrates a large-scale and high-interaction honeypot network. This system sends traffic detected at a sensor to a smart proxy for a honeypot farm. The traffic is a forwarded attack that is sent using a tunneling protocol. The high-interaction honeypot network includes container images, each representing a different type of vulnerable service. This system selects a matching type of vuln