Ransomware encrypted your files but you restored them from network traffic
Date
2019
Author
Version
Embargoed access
Type
Conference contribution
Version
Accepted version
Impact
10.1109/CSNET.2018.8602978
Abstract
In a scenario where user files are stored in a network shared volume, a single computer infected by ransomware could encrypt the whole set of shared files, with a large impact on user productivity. On the other hand, medium and large companies maintain hardware or software probes that monitor the traffic in critical network links, in order to evaluate service performance, detect security breaches, account for network or service usage, etc. In this paper we suggest using the monitoring capabilities in one of these tools in order to keep a trace of the traffic between the users and the file server. Once the ransomware is detected, the lost files can be recovered from the traffic trace. This includes any user modifications posterior to the last snapshot of periodic backups. The paper explains the problems faced by the monitoring tool, which is neither the client nor the server of the file sharing operations. It also describes the data structures in order to process the actions of users that could be simultaneously working on the same file. A proof of concept software implementation was capable of successfully recovering the files encrypted by 18 different ransomware families.
Subjects
Ransomware,
Servers,
Probes,
Tools,
Cryptography,
Monitoring
Publisher
IEEE
Published in
2018 2nd Cyber Security In Networking Conference, CSnet 2018. Paris, Oct. 24-26, 2018
Department
Universidad Pública de Navarra. Departamento de Ingeniería Eléctrica, Electrónica y de Comunicación /
Nafarroako Unibertsitate Publikoa. Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza Saila /
Universidad Pública de Navarra/Nafarroako Unibertsitate Publikoa. Institute of Smart Cities - ISC
Publisher's version
Funding entities
This work was supported by Spanish MINECO through project PIT (TEC2015-69417-C2-2-R).