Crypto-Ransomware Detection Through a Honeyfile-Based Approach with R-Locker

Fang, Xiang; Song, Eric; Ning, Cheng; Huseynov, Huseyn; Saadawi, Tarek

Crypto-Ransomware Detection Through a Honeyfile-Based Approach with R-Locker

Xiang Fang (), Eric Song, Cheng Ning, Huseyn Huseynov and Tarek Saadawi
Additional contact information
Xiang Fang: Department of Electrical Engineering, City University of New York, City College, New York, NY 10031, USA
Eric Song: Yorktown High School, Yorktown Heights, NY 10598, USA
Cheng Ning: Department of Computer Science, City University of New York, Graduate Center, New York, NY 10016, USA
Huseyn Huseynov: Department of Electrical Engineering, City University of New York, City College, New York, NY 10031, USA
Tarek Saadawi: Department of Electrical Engineering, City University of New York, City College, New York, NY 10031, USA

Mathematics, 2025, vol. 13, issue 12, 1-25

Abstract: Ransomware is a group of malware that aims to make computing resources unavailable, demanding a ransom amount to return control back to users. Ransomware can be classified into two types: crypto-ransomware and locker ransomware. Crypto-ransomware employs strong encryption and prevents users’ access to the system. Locker ransomware makes access unavailable to users either by locking the boot sector or the user’s desktop. The proposed solution is an anomaly-based ransomware detection and prevention system consisting of post- and pre-encryption detection stages. The developed IDS is capable of detecting ransomware attacks by monitoring the usage of resources, triggered by anomalous behavior during an active attack. By analyzing the recorded parameters after recovery and logging any adverse effects, we were able to train the system for better detection patterns. The proposed solution allows for detection and intervention against the crypto and locker types of ransomware attacks. In previous work, the authors introduced a novel anti-ransomware tool for Windows platforms, known as R-Locker, which demonstrates high effectiveness and efficiency in countering ransomware attacks. The R-Locker solution employs “honeyfiles”, which serve as decoy files to attract ransomware activities. Upon the detection of any malicious attempts to access or alter these honeyfiles, R-Locker automatically activates countermeasures to thwart the ransomware infection and mitigate its impact. Building on our prior R-Locker framework this work introduces a multi-stage detection architecture with resource–behavioral hybrid analysis, achieving cross-platform efficacy against evolving ransomware families not addressed previously.

Keywords: ransomware detection; honeyfile; artificial immune system; virtual machine; anomaly-based IDS (search for similar items in EconPapers)
JEL-codes: C (search for similar items in EconPapers)
Date: 2025
References: View complete reference list from CitEc
Citations:

Downloads: (external link)
https://www.mdpi.com/2227-7390/13/12/1933/pdf (application/pdf)
https://www.mdpi.com/2227-7390/13/12/1933/ (text/html)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:gam:jmathe:v:13:y:2025:i:12:p:1933-:d:1675914

Access Statistics for this article

Mathematics is currently edited by Ms. Emma He

More articles in Mathematics from MDPI
Bibliographic data for series maintained by MDPI Indexing Manager ().