Ransomware Detection Considering User'S Document Editing

The number of victims suffering from crypto ransomware is increasing. Methods for detecting ransomware when it accesses target files or when it uses encrypting APIs have been studied. However, the former method is operated within an analysis sandbox, and the latter method can be avoided if the ransomware uses its own encrypting functions. To protect users, a detection method should be able to detect ransomware in the user's real-time environment and make it difficult for the ransomware to avoid detection. This paper proposes a detection method that satisfies these requirements by using human file-operating characteristics as a whitelist. We evaluate the effectiveness of our prototype method, which inspects the consistency between displayed documents and the user's editing operations.