ISSTA2025

Pepper: Preference-Aware Active Trapping for Ransomware

Huan Zhang, Zhengkai Qin, Lixin Zhao, Aimin Yu, Lijun Cai, Dan Meng

Abstract

Ransomware encrypts files on infected systems and demands a hefty ransom for decryption, posing a significant threat to both enterprises and individuals. However, existing methods fail to capture the encryption preferences of diverse ransomware families, and an efficient and systematic proactive defense method is still lacking. In this paper, we propose Pepper, a preference-aware active ransomware trapping method, covering decoy file generation, deployment, and monitoring. Through examination of numerous ransomware families, we have identified two prevalent encryption preferences: encryption file preferences and encryption path preferences. Deploying decoy files aligned with ransomware's encryption preferences within its preferred pathways provides an opportunity for efficient and early trapping of ransomware. Pepper combines a GNN-based recommendation model with expert insights to unveil the encryption file and path preferences across various ransomware families, guiding the generation and deployment of decoy files. Moreover, a decoy file monitor is designed to continuously monitor decoy file changes and promptly respond to anomalies. Extensive experiments show that Pepper achieves a 98.68% detection rate for ransomware, with an average file loss of 2.27. Moreover, it exhibits robustness in detecting unknown ransomware variants and does not interfere with regular users.