
Resilience without AI: Assessing the Viability of Deception-Based Ransomware Detection

  • Liam Goddard
  • Muhammad Shahbaz Khan*
  • Maha Driss
  • Baraq Ghaleb
  • Mouad Lemoudden
  • William J. Buchanan
  • Jawad Ahmad

*Corresponding author for this work

Research output: Contribution to journal › Conference article › peer-review

Abstract

From the first attack in 1989 to date, it is evident that ransomware is highly destructive. Today, the vast majority of research on ransomware detection is focused on the use of AI techniques. While these techniques are very effective, they should not be considered an infallible solution for ransomware detection. As with any solution, AI implementations have shortcomings of their own: compute resource constraints, collation of training data, data poisoning, and data privacy, to name a few. This paper aims to identify whether traditional methods can still effectively detect ransomware in scenarios where AI solutions may not be viable. Typically, there are three main categories of detection: signature-based, behaviour-based, and deception-based. This paper focuses on deception-based detection, using honey files. Three detection solutions have been implemented on two isolated VMs, one running Windows 10, the other Linux Mint. The solutions include RansomwareLocker for the Linux VM, and R-Locker and 4663 Windows event monitoring on the Windows 10 VM. With these solutions implemented, ransomware samples were executed in turn, up to three times, allowing an initial ‘out of the box’ test run and two subsequent tests after necessary configuration changes were made. Overall, from the ransomware samples chosen and detection solutions implemented, deception-based detection proves to be a promising approach. Testing resulted in two of the three solutions ultimately achieving a 100% detection rate. However, throughout the experiment, it is evident that this approach is not a silver bullet and is very dependent on the configuration of the solutions. Therefore, whether AI-based or traditional, a defence-in-depth approach remains best.
Original language: English
Pages (from-to): 871-880
Number of pages: 10
Journal: Procedia Computer Science
Volume: 270
Early online date: 10 Sept 2025
Publication status: Published - 6 Nov 2025
