RTrap: Trapping and Containing Ransomware With Machine Learning

With advances in social engineering tricks and other technical shortcomings, ransomware attacks have become a severe cybercrime affecting organizations of all shapes and sizes. Although the security teams are making plenty of ransomware detection tools, the ransomware incident report shows they are ineffective in detecting emerging ransomware attacks. This work presents 'RTrap,' a systematic framework to detect and contain ransomware efficiently and effectively via machine learning-generated deceptive files. Using a data-driven decoy file selection and generation strategy, RTrap plants deceptive decoy files across the directory to lure the ransomware to access it. RTrap also introduced a lightweight decoy watcher to monitor generated decoy files in real time. As the timing of the ransomware attack is not known to the victim in advance, and the ransomware encryption process is speedy, the proposed decoy-watcher executes an automatic/automated response after the detection promptly. The experiment shows that RTrap can detect ransomware with an average 18 file loss per 10311 legitimate user files.