RTrap: Trapping and Containing Ransomware With Machine Learning
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2023-01-26, DOI: 10.1109/tifs.2023.3240025
Gaddisa Olani Ganfure, Chun-Feng Wu, Yuan-Hao Chang, Wei-Kuan Shih

With advances in social engineering tricks and other technical shortcomings, ransomware attacks have become a severe cybercrime affecting organizations of all shapes and sizes. Although security teams have built plenty of ransomware detection tools, ransomware incident reports show that they are ineffective at detecting emerging ransomware attacks. This work presents “RTrap,” a systematic framework to detect and contain ransomware efficiently and effectively via machine-learning-generated deceptive files. Using a data-driven decoy file selection and generation strategy, RTrap plants deceptive decoy files across the directory to lure the ransomware into accessing them. RTrap also introduces a lightweight decoy watcher to monitor the generated decoy files in real time. As the victim does not know the timing of a ransomware attack in advance, and the ransomware encryption process is fast, the proposed decoy watcher executes an automated response promptly after detection. The experiment shows that RTrap can detect ransomware with an average loss of 18 files per 10311 legitimate user files.
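The abstract describes the decoy mechanism at a high level: plant decoy files, watch them, and respond as soon as one is touched. The sketch below is an added illustration of that watcher logic, not RTrap's code; the decoy names, contents and the polling-style check are constructed assumptions (RTrap's real-time watcher and its ML-driven decoy selection are not reproduced here).

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names (hypothetical; RTrap selects decoys with a data-driven model).
DECOY_NAMES = ["~budget_2019_backup.xlsx", ".cache_index.dat", "zz_notes_old.txt"]


def plant_decoys(root):
    """Write decoy files into root and record {path: sha256} as the watcher baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        p = Path(root) / name
        p.write_bytes(b"decoy-content:" + name.encode())
        baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def check_decoys(baseline):
    """One watcher pass: report decoys that were deleted or whose content changed.

    Legitimate users have no reason to touch a decoy, so any change is a signal.
    """
    tampered = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            tampered.append((path, "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            tampered.append((path, "modified"))
    return tampered


def should_contain(tampered, threshold=1):
    """Automated-response decision: a single touched decoy is enough to trigger containment."""
    return len(tampered) >= threshold


def demo():
    """Plant decoys in a temp dir, simulate an encryptor touching two of them, run one pass."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_decoys(d)
        clean_pass = check_decoys(baseline)          # nothing touched yet
        # Simulated malicious writes (constructed): overwrite one decoy, delete another.
        (Path(d) / DECOY_NAMES[0]).write_bytes(b"\x00" * 64)
        (Path(d) / DECOY_NAMES[1]).unlink()
        tampered = check_decoys(baseline)
        return {"clean": clean_pass,
                "kinds": sorted(kind for _, kind in tampered),
                "contain": should_contain(tampered)}


if __name__ == "__main__":
    print(demo())
```

In a deployment the check would be driven by filesystem change notifications rather than a polling pass, and the containment step would suspend the writing process; both are outside this sketch.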

Updated: 2023-01-26