近年來勒索軟體的危害程度對於使用者越來越高,勒索軟體會想盡辦法入侵使用者的電腦去加密檔案,並勒索贖金,被攻擊的使用者只能被迫向勒索軟體作者付出高額的贖金,而且付出贖金也不一定會解鎖檔案,受害者只能被動等待作者解鎖。 對於勒索軟體的攻擊,防毒軟體雖然有辦法偵測到電腦遭受到攻擊,但是這是在確定是勒索軟體後才能阻擋,在這病毒空窗期的期間,可能已有不少使用者遭受到勒索軟體攻擊,因此這在期間保護使用者就成為首要任務。 為了抵禦勒索軟體的攻擊,我們提出了一個能在平時偵測疑似勒索軟體的方法,該方法是建置在 Windows 的 minifilter driver 上,因此勒索軟體很難繞過我們的偵測。 在偵測到疑似勒索軟體後,我們的系統能讓使用者做後續的處理,像是終止目前的程式或是直接將程式加入白名單,讓使用者可以有選擇的空間。除了可以對程式進行操作外,當使用者選擇終止程式時,我們的系統還會還原被改變的檔案,減少使用者的損失。;In recent years, ransomwares are prevalent and dangerous to users more and more. The target of ransomware is to intrude the user’s computer to encrypt files and force the user to pay money. Additionally, after paying a high ransom to the author of ransomware, the victim was not necessarily to get recovery key. Therefore, victims are to face a dilemma. Although antivirus software can detect the attack of ransomware, it is due to the latest virus definitions. If a new virus appears and the virus definitions are out of date, user’s computer may suffer the threat of ransomware. Thus, it is important to protect the user’s computer during virus window period. In order to resist the attack of ransomware, we propose a method to detect process whose actions are similar to the actions of ransomware. Because the method proposed is based on Windows minifilter driver, ransomware is hard to bypass the detection of our method. After catching ransomware-like process, our system would take care user’s computer, such as terminate the process, whitelist the process. Furthermore, when users choose to terminate the program, our system will restore the files changed by the process.
