|dc.description.abstract||In recent years, ransomwares are prevalent and dangerous to users more and more. The target of ransomware is to intrude the user’s computer to encrypt files and force the user to pay money. Additionally, after paying a high ransom to the author of ransomware, the victim was not necessarily to get recovery key. Therefore, victims are to face a dilemma.
Although antivirus software can detect the attack of ransomware, it is due to the latest virus definitions. If a new virus appears and the virus definitions are out of date, user’s computer may suffer the threat of ransomware. Thus, it is important to protect the user’s computer during virus window period.
In order to resist the attack of ransomware, we propose a method to detect process whose actions are similar to the actions of ransomware. Because the method proposed is based on Windows minifilter driver, ransomware is hard to bypass the detection of our method.
After catching ransomware-like process, our system would take care user’s computer, such as terminate the process, whitelist the process. Furthermore, when users choose to terminate the program, our system will restore the files changed by the process.||en_US|