Saved in:
Bibliographic Details
Main Authors: Hirano, Manabu, Kobayashi, Ryotaro
Format: Preprint
Published: 2025
Subjects:
Online Access: https://arxiv.org/abs/2508.08655
author Hirano, Manabu
Kobayashi, Ryotaro
author_facet Hirano, Manabu
Kobayashi, Ryotaro
contents Double extortion ransomware attacks have become mainstream since many organizations adopt more robust and resilient data backup strategies against conventional crypto-ransomware. This paper presents detailed attack stages, tactics, procedures, and tools used in the double extortion ransomware attacks. We then present a novel detection method using low-level storage and memory behavioral features and network traffic features obtained from a thin hypervisor to establish a defense-in-depth strategy for when attackers compromise OS-level protection. We employed the lightweight Kitsune Network Intrusion Detection System (NIDS)'s network features to detect the data exfiltration phase in double extortion ransomware attacks. Our experimental results showed that the presented method improved by 0.166 in the macro F score of the data exfiltration phase detection rate. Lastly, we discuss the limitations of the presented method and future work.
format Preprint
id arxiv_https___arxiv_org_abs_2508_08655
institution arXiv
publishDate 2025
record_format arxiv
title Hypervisor-based Double Extortion Ransomware Detection Method Using Kitsune Network Features
topic Cryptography and Security
url https://arxiv.org/abs/2508.08655