||In recent years, the major security companies all report ransomware as one of major parts in their annual threat analysis reports. Large viruses spread network such as Botnet, Exploit Kits all set Ransomware as a terminal attack weapon. According to FBI conservative estimates, In the first half of 2016, ransomware caused more than one billion dollars damage around the world. Obviously, Ransomware is a huge threat of information security. To face to the rapid growth of ransomware’s evolution rate and unstoppable new varieties appearance, to develop an effective defense system of ransomware is imperative.|
Traditional anti-virus softwares in the aspect of facing ransomware threats have a lot of omissions, the method of static analysis and virus signatures cannot keep up with the endless stream of ransomware in the world software variants speed. In this situation, there came up with some academic papers focus on solving this situation with their detecting systems, but these systems are not design any reasonable resolution in their method to reduce the error malware detecting rate of benign software. It really cannot become a practical system. Therefore, this study defines the hypothesis and implements the effective ransomware detecting system while reducing the false detecting rate of benign software and containing the future applicability.
In this study, it used Minifilter's architecture to monitor system IRPs (I/O request packets) to detect the ransomware. In addition of collecting the IRP Logs to analyze the threshold, the system also combined with the decoy folder to increase the detecting capability. Moreover, this study uses comparing the file types changing and entropy before and after of the file to reduce the error malware detecting rate of benign software.