Crypto-Ransomware Detection Through a Honeyfile-Based Approach with R-Locker
Abstract
1. Introduction
2. Related Works
3. System Architecture
3.1. Pre-Encryption Detection Technique
- Processes that cause abnormal CPU and GPU loads or unusual file accesses;
- Processes that request administrative rights;
- Scripts and applications trying to establish remote connections;
- Abnormal disk utilization and memory consumption;
- Network connections with untrusted sources;
- Plug and play applications;
- The constant monitoring of OS-based system APIs.
3.2. Post-Encryption Detection Technique
- Symmetric encryption ransomware (Figure 2). This ransomware employs fast encryption using algorithms such as AES. It encrypts all user files and stores the keys on disk. When the ransom is paid, the decryption software uses these keys to decrypt the files. However, since the keys are stored unencrypted on the client side, security researchers can locate them and use them to decrypt the victim’s files.
- Client-side asymmetric encryption (Figure 3). Here the ransomware generates an RSA key pair on the client machine, encrypts all files with the public key, and sends the private key to the attacker’s server for storage. This method has two disadvantages. First, encryption is slow, because RSA-encrypting large files takes a long time. Second, it requires an internet connection on the victim’s machine to send the private key to the server. If the victim’s machine is not connected, the ransomware has a problem: it may stop executing, it may encrypt the files and permanently delete the private key, or it may simply store the private key on the victim’s machine until a connection is established.
- Server-side asymmetric encryption. In this scheme, the public and private keys are generated on the server side, and only the public key is placed in the ransomware. Once the ransom has been paid, the attacker sends the private key to the victim’s machine to decrypt the files. This is not practical: if one victim pays the ransom, the single private key can be used to decrypt all the other infected machines as well. This method can be improved, however, as shown in the following scheme.
- Hybrid encryption, using both server-side and client-side keys (Figure 4), is a common technique employed by many ransomware attacks today. It combines symmetric and asymmetric encryption and does not rely on an internet connection during the encryption process. Both the ransomware and the server generate an RSA key pair, giving a client public key (cpub.key), a client private key (cpriv.key), a server public key (spub.key), and a server private key (spriv.key). During the attack, the following steps are typically taken:
  - On the client machine, the ransomware generates cpub.key and cpriv.key on the fly; spub.key is already hardcoded in the ransomware.
  - It encrypts cpriv.key with the built-in spub.key.
  - Once the encryption process starts, files are encrypted with AES.
  - When finished, all the AES secret keys are encrypted with cpub.key.
3.3. Artificial Immune System
3.3.1. The Detection Rate (True-Positive Rate)
3.3.2. The False-Positive Rate
3.3.3. The Novelty of the AIS Method
- The Detection Rate: compares how well the AIS method identifies ransomware relative to other methods;
- The False-Positive Rate: assesses whether the AIS method achieves a lower false-positive rate compared to more traditional approaches;
- Time to Detection: evaluates whether the AIS method offers faster detection times, which is especially important in mitigating ransomware attacks before they cause significant harm.
3.4. Anomaly-Based Detection Methodology
- Implemented Methodologies:
  - File System Anomaly Detection [Implemented]:
    - (a) Entropy-based file monitoring: real-time entropy analysis of file contents (threshold: >0.95 Shannon entropy);
    - (b) File modification rate: detection threshold set at >50 file alterations/sec sustained for >5 s;
    - (c) Extension pattern tracking: flagging the mass addition of ransomware-associated extensions (e.g., .encrypted);
  - Resource/Process Behavior Analysis [Implemented]:
    - (a) CPU/memory profiling: detection of sustained CPU utilization >85% by non-authorized processes;
    - (b) API call sequencing: blacklisting of cryptographic APIs (e.g., CryptEncrypt) in non-whitelisted processes;
    - (c) Process tree monitoring: identification of privilege escalation chains and child process spawning anomalies;
  - Decoy-Based Trapping [Implemented]:
    - (a) Honeyfile deployment: FIFO-based decoys in high-risk directories trigger immediate process termination upon access;
  - Machine Learning Detection [Partially Implemented]:
    - (a) Model: Isolation Forest algorithm for unsupervised anomaly detection;
    - (b) Features: file entropy delta, I/O request rate, memory commit charge (25 selected features via PCA);
    - (c) Excluded: network traffic analysis and user behavior analytics (UBA).
- Key Differentiators from Prior Work:
  - Hybrid Threshold–ML Approach: combines deterministic rules (low latency) with ML scoring (adaptive detection);
  - Resource-Centric Focus: emphasis on CPU/disk I/O patterns over network traffic;
  - Lightweight Architecture: a 3.2% CPU overhead vs. 8–12% in LSTM-based solutions.
- Performance Claims:
  - Detection Rate: 96.7% for crypto-ransomware, 89.2% for locker ransomware (testing dataset);
  - False Positives: 3.1% (vs. 1.8–7.4% in comparable systems);
  - Latency: 1.7 s mean detection time post-encryption initiation.
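The three file-system rules of Section 3.4 run over constructed event streams, as an added example that is not the paper's code. The thresholds are the page's (>0.95 normalized entropy, >50 alterations/sec for >5 s, the .encrypted suffix); the one-second bucketing, the reading of "more than 5 s" as six consecutive hot seconds, and the sample paths and contents are our assumptions.

```python
import math
import os
import random
from collections import Counter

# Thresholds as stated in Section 3.4 (entropy is normalized to [0, 1]).
ENTROPY_THRESHOLD = 0.95
RATE_THRESHOLD = 50                 # file alterations per second
SUSTAIN_SECONDS = 5                 # the high rate must last longer than this
SUSPICIOUS_EXTENSIONS = {".encrypted"}

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram divided by its 8-bit maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) / 8.0

def sustained_rate_breaches(timestamps):
    """(start_sec, end_sec) runs of consecutive one-second buckets that each
    exceed RATE_THRESHOLD and span more than SUSTAIN_SECONDS (read here as
    at least SUSTAIN_SECONDS + 1 consecutive buckets; our interpretation)."""
    per_second = Counter(int(t) for t in timestamps)
    hot = sorted(sec for sec, count in per_second.items() if count > RATE_THRESHOLD)
    breaches, start = [], None
    for i, sec in enumerate(hot):
        start = sec if start is None else start
        if i + 1 == len(hot) or hot[i + 1] != sec + 1:       # run ends at `sec`
            if sec - start + 1 > SUSTAIN_SECONDS:
                breaches.append((start, sec))
            start = None
    return breaches

def analyze(events):
    """events: list of (time_s, path, bytes_written). Per-file rules fire per
    event; the rate rule fires once per sustained burst."""
    alerts = []
    for t, path, data in events:
        if normalized_entropy(data) > ENTROPY_THRESHOLD:
            alerts.append(("entropy", path))
        if os.path.splitext(path)[1].lower() in SUSPICIOUS_EXTENSIONS:
            alerts.append(("extension", path))
    for start, end in sustained_rate_breaches(t for t, _, _ in events):
        alerts.append(("rate", f"{start}s-{end}s"))
    return alerts

def benign_events():
    """Constructed: a user saving six text documents, one every ten seconds."""
    text = b"Quarterly report draft: revenue grew modestly in Q3. " * 40
    return [(10.0 * i, f"/home/user/docs/report{i}.docx", text) for i in range(6)]

def ransomware_events():
    """Constructed: 60 writes/s of seeded pseudo-random bytes for 8 s, each
    target renamed with the .encrypted suffix."""
    rng = random.Random(1)          # fixed seed keeps the example repeatable
    return [(sec + k / 60, f"/home/user/docs/file{sec * 60 + k}.docx.encrypted",
             rng.randbytes(4096))
            for sec in range(8) for k in range(60)]

if __name__ == "__main__":
    print("benign:", analyze(benign_events()))
    print("ransomware:", analyze(ransomware_events())[:3], "...")
```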
3.5. Honeyfile-Based Approach for Ransomware Detection
3.6. R-Locker Implementation for Windows
- Honeyfile Creation: The honeyfile acts as a decoy designed to attract ransomware activity. On Windows, this can be implemented as a file with a sensitive-looking name and extension (e.g., .docx, .pdf) to entice ransomware while using unique metadata or attributes to ensure that it is not accessed by legitimate processes.
- FIFO-Like Behavior Implementation: Since Windows lacks native FIFO support, equivalent functionality can be achieved using named pipes. A named pipe can be created via the CreateNamedPipe function, emulating FIFO behavior. The pipe serves as the honeyfile; when the ransomware attempts to open and read the file, the process is stalled if the pipe remains empty, effectively blocking the ransomware.
- File Access Monitoring: A monitoring service should be established to detect access attempts on the honeyfile. This can be achieved using Windows APIs such as ReadDirectoryChangesW, FindFirstChangeNotification, or File System Filter Drivers, which enable continuous monitoring for file read or modification events.
- Automated Response Triggering: When the honeyfile is accessed, an automated response procedure is triggered. Possible responses include terminating the offending process with the TerminateProcess function, isolating the system from the network, or creating a snapshot for recovery and analysis. Incident details, such as the accessing process, the timestamp, and other relevant information, should be logged for forensic analysis.
- Minimizing Impact on Normal Operations: The honeyfile and monitoring system must be configured to avoid interfering with legitimate processes, ensuring no disruption to the normal system functions or performance.
- Testing and Validation: The R-Locker implementation should be thoroughly tested in a controlled environment to simulate various ransomware scenarios. Configuration adjustments may be required based on the results to optimize the detection accuracy and reduce false positives.
- Deployment and Maintenance: R-Locker should be deployed across multiple endpoints as needed, with the monitoring service actively running. Regular updates to the honeyfiles and monitoring rules are essential to adapt to evolving ransomware techniques.
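The FIFO decoy mechanism of Sections 3.5 and 3.6 on a POSIX system, as an added example that is neither the paper's nor R-Locker's code. It assumes Linux (os.mkfifo and a /proc scan), the decoy file name is our choice, and the Windows named-pipe variant described above is not shown; the point is that a process that opens the decoy for reading stalls until a writer appears, which is exactly when the monitor can name it.

```python
import errno
import os
import tempfile
import threading
import time

def deploy_honeyfile(directory, name="00_passwords.docx"):
    """Create the decoy FIFO; the '00_' prefix (our choice) sorts it first."""
    path = os.path.join(directory, name)
    os.mkfifo(path, 0o644)
    return os.path.realpath(path)

def find_readers(path):
    """PIDs of processes holding the decoy open, from a /proc/*/fd scan."""
    pids = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == path:
                    pids.add(int(pid))
        except OSError:
            continue                  # process gone, or not ours to inspect
    return sorted(pids)

def watch_honeyfile(path, timeout=5.0, interval=0.05):
    """Poll the decoy's write end non-blocking: ENXIO means nobody has it open,
    success means a reader is stalled on it. Returns the offending PIDs or []."""
    for _ in range(int(timeout / interval)):      # poll for up to `timeout` s
        try:
            fd = os.open(path, os.O_WRONLY | os.O_NONBLOCK)
        except OSError as exc:
            if exc.errno != errno.ENXIO:
                raise
            time.sleep(interval)
            continue
        try:  # write end held open but silent: the reader's read() would block too
            for _ in range(50):       # its open() completes asynchronously; retry briefly
                if pids := find_readers(path):
                    return pids
                time.sleep(0.02)
            return []
        finally:
            os.close(fd)              # real deployment: terminate the process before releasing it
    return []

def demo():
    """Constructed: a thread opens every file in a folder, as an encryptor would,
    and stalls on the decoy; the main thread runs the monitor and names it."""
    with tempfile.TemporaryDirectory() as workdir:
        decoy = deploy_honeyfile(workdir)
        opened = []
        def walk():
            for name in sorted(os.listdir(workdir)):
                opened.append(os.open(os.path.join(workdir, name), os.O_RDONLY))
        walker = threading.Thread(target=walk, daemon=True)
        walker.start()
        pids = watch_honeyfile(decoy)
        walker.join(1.0)
        for fd in opened:
            os.close(fd)
        return pids
```

Because the simulated encryptor runs as a thread of the same process, `demo()` reports the demo's own PID; an untouched decoy simply times out and returns an empty list.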
4. Experimental Results
4.1. Ransomware Installation
4.2. Configuration
- Virtual Machine Setup: First, we installed Windows (version 10 or 11) on a virtual machine.
- Key Features for Monitoring: Then, based on the ransomware detection papers we reviewed, we created a list of features. This was our first assumption: we assumed that the following features would be triggered during a ransomware attack: CPU utilization, network usage (TCP and UDP protocols, packets sent/received), memory consumption, and disk usage [16].
- Observing Baseline: We recorded the values of these parameters in the virtual machine during its normal state, that is, during normal runtime without any attack.
- Ransomware Execution: Then, we found one open-source ransomware sample and ran it on the VM. The tricky part was making sure it did not block our access to the VM. We measured the parameters right after the ransomware was executed, noted which of them changed, and wrote the values down.
4.3. Setup
- Virtual machine software capable of running Windows 10 or 11 (directions are given for Oracle VirtualBox);
- A virtual machine running Windows 10 or 11 (untested on legacy Windows operating systems): https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ (accessed on 26 September 2022);
- Microsoft Sysinternals Suite to gather system forensics if needed: https://docs.microsoft.com/en-us/sysinternals/downloads/ (accessed on 26 September 2022);
- If not already installed, Visual Studio (2022 was used for testing) and the latest version of Windows PowerShell, both of which come with the virtual machine image supplied above;
- If using the Metasploit integration, or if desired, an attacker virtual machine running an operating system of choice;
- Metasploit software and tools, which should be installed if using the integration: https://github.com/rapid7/metasploit-framework (accessed on 26 September 2022);
- Povlsomware Release v2.0.0.4: https://github.com/listinvest/Povlsomware-1 (accessed on 26 September 2022);
- A virtual network to connect both virtual machines.
4.4. Customizing Configuration Parameters
4.5. User Execution
4.6. Metasploit Integration
Research Experiment: Launching Ransomware Attack with Metasploit
- General Info:
  - Operating System: Windows 10 Professional 2H12
  - CPU Core Count: 4 cores
  - RAM: 8192 MB
  - System Storage: 40 GB, NVMe SSD
- File Info:
  - File Name: Povlsomware.exe
  - MD5 Hash: 92EAB44788FE2491D2EAAA3DD9E521FB
  - Imports: mscoree.dll
- Registry Activity:
  - 68 keys read
  - 1 key written:
    - Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - Operation: write
    - Name: Povlsomware
    - Value: “C:\Users\admin\Downloads\Povlsomware.exe”
    - Note: the file was added to startup
- Network Activity:
  - No network activity detected.
4.7. Requirements for R-Locker Installation
- The increased write rate and CPU load during this period are consistent with the ransomware’s attempts to encrypt these trap files while R-Locker continuously deploys new decoys.
- R-Locker’s strategy of generating trap files reduces the ransomware’s effectiveness, causing it to waste resources on encrypting files that hold no value, as evidenced by the heightened resource consumption during the combined attack.
- In the absence of ransomware, R-Locker’s resource usage remains relatively low, as its primary functions involve setting up traps and monitoring rather than responding to active encryption attempts.
5. Discussion
5.1. Interpretation of Key Results
5.2. Computational Efficiency
- Selective ML deployment: Isolation Forest operates only during behavioral threshold breaches;
- A lightweight feature set: 25 PCA-optimized features (reduced from 48).
5.3. Generalizability Concerns
6. Conclusions and Future Work
Primary Contributions
- A novel hybrid architecture: a real-time anomaly detection framework combining
  - (a) deterministic thresholds (entropy, file modification rates) for low-latency response;
  - (b) ML-driven behavioral scoring (Isolation Forest) for adaptive threat identification;
- FIFO honeyfile implementation: the first cross-platform deployment of named pipes as ransomware decoys, reducing pre-encryption evasion by 63% versus static honeypots;
- Resource-efficient design: a 3.2% CPU overhead enabling deployment on edge devices (e.g., medical IoT, industrial controllers).
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Alhawi, O.M.; Baldwin, J.; Dehghantanha, A. Leveraging machine learning techniques for Windows ransomware network traffic detection. Cyber Threat Intell. 2018, 70, 93–106.
- Poudyal, S.; Subedi, K.P.; Dasgupta, D. A Framework for Analyzing Ransomware using Machine Learning. In Proceedings of the 2018 IEEE Symposium Series on Computational Intelligence (SSCI), Bengaluru, India, 18–21 November 2018.
- Ye, Y.; Chen, L.; Hou, S.; Hardy, W.; Li, X. DeepAM: A heterogeneous deep learning framework for intelligent malware detection. Knowl. Inf. Syst. 2018, 54, 265–285.
- Maniath, S.; Ashok, A.; Poornachandran, P.; Sujadevi, V.G.; AU, P.S.; Jan, S. Deep Learning LSTM based Ransomware Detection. In Proceedings of the 2017 Recent Developments in Control, Automation & Power Engineering (RDCAPE), Noida, India, 26–27 October 2017.
- Moser, A.; Kruegel, C.; Kirda, E. Limits of static analysis for malware detection. In Proceedings of the Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, USA, 10–14 December 2007.
- Igbe, O.; Darwish, I.; Saadawi, T. Distributed Network Intrusion Detection Systems: An Artificial Immune System Approach. In Proceedings of the 2016 IEEE First International Conference on Connected Health: Applications, Systems and Engineering Technologies (CHASE), Washington, DC, USA, 27–29 June 2016.
- Kharraz, A.; Robertson, W.; Balzarotti, D.; Bilge, L.; Kirda, E. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Milan, Italy, 9–10 July 2015.
- Kharraz, A.; Arshad, S.; Mulliner, C.; Robertson, W.; Kirda, E. UNVEIL: A large-scale, automated approach to detecting ransomware. In Proceedings of the 25th USENIX Security Symposium, Austin, TX, USA, 10–12 August 2016; pp. 757–772.
- Cusack, G.; Michel, O.; Keller, E. Machine learning-based detection of ransomware using SDN. In Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA, 21 March 2018; pp. 1–6.
- Takeuchi, Y.; Sakai, K.; Fukumoto, S. Detecting ransomware using support vector machines. In Proceedings of the 47th International Conference on Parallel Processing Companion, ICPP ’18, New York, NY, USA, 13–16 August 2018; pp. 1:1–1:6.
- Cohen, A.; Nissim, N. Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Syst. Appl. 2018, 102, 158–178.
- Wang, X.; Yiu, S.M. A multi-task learning model for malware classification with useful file access pattern from API call sequence. arXiv 2016, arXiv:1610.05945v1.
- Kok, S.H.; Abdullah, A.; Jhanjhi, N.Z. Early detection of crypto-ransomware using pre-encryption detection algorithm. J. King Saud Univ.-Comput. Inf. Sci. 2022, 34, 1984–1999.
- Poudyal, S.; Dasgupta, D. AI-Powered Ransomware Detection Framework. In Proceedings of the IEEE Symposium on Computational Intelligence in Cyber Security (IEEE CICS), SSCI 2020, Canberra, ACT, Australia, 1–4 December 2020.
- Huseynov, H.; Kourai, K.; Saadawi, T.; Igbe, O. Virtual Machine Introspection for Anomaly-Based Keylogger Detection. In Proceedings of the IEEE 21st International Conference on High Performance Switching and Routing (HPSR), Newark, NJ, USA, 11–14 May 2020.
- Ajayi, O.; Huseynov, H.; Saadawi, T.; Tsuru, M.; Kourai, K. Transpacific Testbed for Real-Time Experimentation. In Proceedings of the IEEE 4th 5G World Forum (5GWF), Virtual, 13–15 October 2021.
- Igbe, O.; Oluwaseyi, A.; Saadawi, T. Denial of service attack detection using dendritic cell algorithm. In Proceedings of the 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, USA, 19–21 October 2017; pp. 2–3.
- Dasgupta, D.; Nino, F. Immunological Computation: Theory and Applications, 1st ed.; Auerbach Publications: Boca Raton, FL, USA, 2008.
- Ding, Y.; Chen, S.; Xu, J. Application of Deep Belief Networks for opcode based malware detection. In Proceedings of the 2016 International Joint Conference on Neural Networks (IJCNN), Vancouver, BC, Canada, 24–29 July 2016.
- Gómez-Hernández, J.A.; Álvarez-González, L.; García-Teodoro, P. R-Locker: Thwarting Ransomware Action through a Honeyfile-based Approach. Comput. Secur. 2018, 73, 389–398.
- Gómez-Hernández, J.A.; García-Teodoro, P. Lightweight Crypto-Ransomware Detection in Android Based on Reactive Honeyfile Monitoring. Sensors 2024, 24, 2679.
- Gómez-Hernández, J.A.; Sánchez-Fernández, R.; García-Teodoro, P. Inhibiting crypto-ransomware on Windows platforms through a honeyfile-based approach with R-Locker. IET Inf. Secur. 2022, 16, 64–74.
- Fernando, D.W.; Komninos, N.; Chen, T. A Study on the Evolution of Ransomware Detection Using Machine Learning and Deep Learning Techniques. IoT 2020, 1, 551–604.
| Phase | Actions | Implementation Status |
|---|---|---|
| Data Collection | System logs, file operations, process trees, API calls | Full |
| Feature Extraction | 48 behavioral features (e.g., file mod/sec, entropy variance, handle count) | Full |
| Model Training | Isolation Forest on 600K normal/ransomware events (CIC-Ransomware2023) | Partial (offline only) |
| Real-Time Detection | Threshold-based alerts + ML scoring (decision threshold: F1-optimized) | Full |
| Response | Process termination, file system freeze, admin. alerts | Full |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Fang, X.; Song, E.; Ning, C.; Huseynov, H.; Saadawi, T. Crypto-Ransomware Detection Through a Honeyfile-Based Approach with R-Locker. Mathematics 2025, 13, 1933. https://doi.org/10.3390/math13121933