Hypervisor-based Detection of Ransomware

State: Assigned to Jan Lüthi
Published: 2023-06-06

In recent years, ransomware attacks have become a significant threat to organizations worldwide, causing substantial financial losses and data breaches [1, 2]. Hypervisors, the software or hardware platforms used to create and manage virtual machines, have emerged as potential targets for ransomware attacks due to their critical role in virtualized environments. For example, on MalwareBazaar [3], a platform created for collecting malware artifacts, several ransomware samples specifically target ESXi-based hypervisors by encrypting storage volumes. Detecting ransomware attacks on hypervisors presents a unique challenge, as the attacks often exploit technology-specific vulnerabilities, and identifying and mitigating them effectively requires an innovative approach.

This thesis aims to research and develop a novel approach to detect ransomware attacks specifically targeting hypervisors. The proposed methodology will focus on enhancing the existing security mechanisms deployed within virtualized environments to proactively identify and mitigate ransomware threats. The research will explore various techniques such as anomaly detection, behavior analysis, and machine learning algorithms to create a robust and efficient detection system. To that end, the state of the art in detecting ransomware on such systems [4, 5] needs to be reviewed, and, at a later stage, available data on hypervisors has to be explored.

[1] H. Isabella, "10 common types of malware attacks and how to prevent them," TechTarget. Available: https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them

[2] J. P. Morgan, "Cyber Threat Awareness – Potential Impacts of Ransomware." Available: https://www.jpmorgan.com/technology/potential-impacts-of-ransomware

[3] abuse.ch, "MalwareBazaar | Malware sample exchange." Available: https://bazaar.abuse.ch/

[4] M. Hirano and R. Kobayashi, "Machine Learning Based Ransomware Detection Using Storage Access Patterns Obtained From Live-forensic Hypervisor," 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS), Granada, Spain, 2019, pp. 1-6.

[5] M. Hirano and R. Kobayashi, "Machine Learning-based Ransomware Detection Using Low-level Memory Access Patterns Obtained From Live-forensic Hypervisor," 2022 IEEE International Conference on Cyber Security and Resilience (CSR), Rhodes, Greece, 2022, pp. 323-330.

20% Design, 70% Implementation, 10% Documentation
Knowledge or Interest in Cybersecurity and ML

Supervisors: Jan von der Assen
