ISSTA2025
Preventing Disruption of System Backup against Ransomware Attacks
Yiwei Hou, Lihua Guo, Chijin Zhou, Quan Zhang, Wenhuan Liu, Chengnian Sun, Yu Jiang
Abstract
The ransomware threat to the software ecosystem has grown rapidly in recent years. Despite being well-studied, new ransomware variants continually emerge, designed to evade existing encryption-based detection mechanisms. This paper introduces Remembrall, a new perspective on defending against ransomware: monitoring for, and preventing, the disruption of system backups. Focusing on deletion of volume shadow copies (VSC) in Windows, Remembrall acts as a real-time defense tool that captures the related malicious events and identifies the ransomware behind them. To ensure that no ransomware is missed, we conduct a comprehensive investigation classifying all potential attack actions that can be used to delete VSCs at the application layer, the OS layer, and the hardware layer. Based on this analysis, Remembrall is designed to retrieve system event information and accurately identify ransomware without false negatives. We evaluate Remembrall on recent ransomware samples. Across 60 ransomware families, Remembrall achieves a 4.31%-87.55% increase in F1-score compared to other state-of-the-art anti-ransomware tools. Remembrall also detected eight zero-day ransomware samples in our experiments.
CCS Concepts: • Security and privacy → Software and application security; Malware and its mitigation; • Software and its engineering → Software functional properties.
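The abstract's core idea is that VSC deletion is a behaviour worth monitoring on its own, independent of any file-encryption signature. The following is an added illustration of the application-layer slice of that idea, not code from the paper or from Remembrall: it runs a small set of rules over constructed process-creation events (the shape is loosely Sysmon Event ID 1 / Security 4688, but the field names, event IDs and sample command lines are all constructed here) and flags the well-known VSC deletion commands catalogued under MITRE ATT&CK T1490 (vssadmin, wmic, wbadmin, diskshadow, and Win32_ShadowCopy deletion via WMI/PowerShell). Two evasion details that simple string matching gets wrong are handled: cmd.exe caret escapes (`vss^admin` executes vssadmin) and PowerShell `-EncodedCommand` payloads, which are decoded from base64/UTF-16LE before matching. The "application" versus "os" layer labels are this example's own loose assignment and are not the paper's taxonomy; anything that calls the VSS COM API directly from the attacker's own process, or acts below the OS, leaves no command line to match and is outside what this example can see, which is exactly the gap the paper's deeper system-event approach is meant to close.

```python
"""Rule-based detection of Volume Shadow Copy (VSC) deletion from Windows
process-creation events. Added example; all events and IDs are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VscAlert:
    event_id: str   # id of the constructed event that fired the rule
    technique: str  # human-readable rule label
    layer: str      # "application" or "os" (this example's own labelling)
    matched: str    # normalised (and, if needed, decoded) command line


# (label, layer, regex applied to the normalised, lower-cased command line)
_RULES = [
    ("vssadmin delete shadows", "application",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage (evicts existing copies)", "application",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete", "application",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin delete catalog", "application",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("diskshadow delete shadows", "application",
     re.compile(r"\bdiskshadow(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("Win32_ShadowCopy deletion via WMI/PowerShell", "os",
     re.compile(r"win32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b")),
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand followed by base64(UTF-16LE).
# Matched against the raw command line because base64 is case-sensitive.
_ENC_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell_command(script: str) -> str:
    """Produce the base64/UTF-16LE form PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _normalise(cmdline: str) -> str:
    # cmd.exe strips '^' (its escape character) before execution, so "vss^admin"
    # runs vssadmin; quotes and repeated whitespace are likewise irrelevant.
    stripped = cmdline.replace("^", "").replace('"', "")
    return " ".join(stripped.split()).lower()


def _decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="ignore")


def classify_command_line(cmdline: str) -> Optional[tuple]:
    """Return (label, layer, matched_text) for a VSC-deleting command line, else None.

    The raw line is checked first; if it carries an encoded PowerShell payload,
    the decoded script is checked as well, so encoding alone does not evade."""
    candidates = [cmdline]
    decoded = _decode_encoded_command(cmdline)
    if decoded:
        candidates.append(decoded)
    for text in candidates:
        norm = _normalise(text)
        for label, layer, rx in _RULES:
            if rx.search(norm):
                return label, layer, norm
    return None


def scan_events(events) -> list:
    """Run the rules over process-creation events ({"id", "image", "cmdline"})."""
    alerts = []
    for ev in events:
        hit = classify_command_line(ev["cmdline"])
        if hit:
            alerts.append(VscAlert(ev["id"], hit[0], hit[1], hit[2]))
    return alerts


# Constructed sample events (not real telemetry). e1 and e6 are benign controls.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
    {"id": "e2", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"id": "e3", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vss^admin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"id": "e4", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic.exe shadowcopy delete"},
    {"id": "e5", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + encode_powershell_command(
                    "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}")},
    {"id": "e6", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe list shadows"},
    {"id": "e7", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": r"wbadmin delete catalog -quiet"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.event_id}: [{alert.layer}] {alert.technique}")
```

Only e2, e3, e4, e5 and e7 produce alerts; the `list shadows` control and the unrelated svchost line do not. In a real deployment these rules would be one input among several, since a process that links vssapi.dll and calls `IVssBackupComponents::DeleteSnapshots` itself never shows any of these strings on its command line.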