Catching ransomware on the wire before it locks the file server

Corporate networks keep sensitive files off individual workstations and store them on shared servers that staff reach through mapped network drives. That arrangement hands ransomware operators a target worth chasing. A single compromised laptop can begin encrypting files that live on a server across the building, and the encryption travels over the network as ordinary file-sharing traffic.

Endpoint detection tools watch the machine they run on. When the encryption targets a remote file server, neither agent sees anything that looks wrong. The server accepts read and write commands from a client and carries them out, the same way it serves any legitimate user, so its agent records normal operation. The agent on the client sees an application touching files on a mapped drive. The damage is done in the gap between the two machines, where each agent has a poor view.

A team at La Trobe University in Melbourne built a detection method that lives on the wire. The researchers designed a framework that reads Server Message Block traffic, the protocol Windows uses for file sharing, and flags ransomware by the pattern of operations it produces.

Reading the protocol’s own rhythm

The core idea is a method for slicing traffic into meaningful pieces. Older approaches chopped traffic into fixed time windows, which bakes in the habits of whatever network produced the data. The La Trobe method leans on a quirk of SMB. Each time a client browses a shared directory, it sends a small enumeration request that stays at 260 bytes regardless of the folder or the network. Everything between two of those packets becomes one unit of activity, which the researchers call a Region of Interest.

Control packets in SMB carry consistent sizes for consistent actions. A new-file response, for instance, holds steady at 410 bytes across environments. A read request, a rename, and a file close each carry their own fixed size. Reading these sizes and their direction lets the system reconstruct what a client does to a file server. The method inspects no payload and places no software on the endpoints.

Figure: Implementation scenario (Source: Research paper)

What the numbers say

The framework runs in three stages. The first two compare traffic against known indicators of compromise, including the size of the ransom note a family writes to a victim's drive. Each family drops a note of a recognizable size, which serves as a fingerprint. Traffic that matches no signature moves on to a machine learning model trained to catch families the signatures miss.
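As an added example, not code from the paper or the La Trobe team, the following Python script shows the two mechanisms described above working together: slicing a stream of SMB packet sizes into Regions of Interest at each 260-byte enumeration request, decoding the fixed-size control packets inside each region, checking the region for a ransom-note write (the signature stages), and reducing it to the operation counts a classifier would train on. Only the 260-byte and 410-byte figures come from the article; the other sizes, the write threshold, the ransom-note size, the family name, and the threshold rule standing in for the paper's Random Committee model are assumptions made for the demo, as are the packet traces, which are constructed inline.

```python
# Added example, not the La Trobe team's code: slice an SMB packet-size stream
# into Regions of Interest and run the three stages described above over each.
# Grounded in the article: a 260-byte directory-enumeration request and a
# 410-byte new-file response. Everything else (the other sizes, the write
# threshold, the ransom-note size, the family name, and the stand-in rule used
# in place of the paper's Random Committee model) is an assumption for this demo.
from collections import Counter

C2S, S2C = "c2s", "s2c"  # packet direction: client->server, server->client

# Signature table: (direction, on-wire size) -> SMB operation.
# Only the two sizes from the article are grounded; the rest are placeholders.
SIGNATURES = {
    (C2S, 260): "enumerate",    # article: directory listing request (ROI boundary)
    (S2C, 410): "create_resp",  # article: new-file response
    (C2S, 181): "read_req",     # assumed
    (C2S, 192): "rename_req",   # assumed
    (C2S, 124): "close_req",    # assumed
}
WRITE_MIN = 512  # assumed: an unmatched client->server packet this large carries write data
NOTE_SIZES = {1337: "demo-family"}  # constructed: ransom-note write size per family


def classify(pkt: tuple[str, int]) -> str:
    """Map one (direction, size) observation to an operation name."""
    direction, size = pkt
    if pkt in SIGNATURES:
        return SIGNATURES[pkt]
    if direction == C2S and size >= WRITE_MIN:
        return "write"
    # Variable-size traffic: a create request carries the path, a read response
    # carries file data, so neither has a fixed signature size.
    return "other"


def regions(packets):
    """Yield each Region of Interest: the packets between two enumeration requests.
    Packets before the first enumeration, or after the last, belong to no ROI."""
    current = None
    for pkt in packets:
        if classify(pkt) == "enumerate":
            if current is not None:
                yield current
            current = []
        elif current is not None:
            current.append(pkt)


def note_match(roi):
    """Stages 1-2: a client write whose size equals a known ransom-note size."""
    for direction, size in roi:
        if direction == C2S and size in NOTE_SIZES:
            return NOTE_SIZES[size]
    return None


def features(roi):
    """Stage 3 input: per-ROI operation counts, the kind of feature a classifier trains on."""
    counts = Counter(classify(p) for p in roi)
    return {
        "creates": counts["create_resp"],
        "reads": counts["read_req"],
        "writes": counts["write"],
        "renames": counts["rename_req"],
        "closes": counts["close_req"],
        "write_fraction": counts["write"] / max(len(roi), 1),
    }


def score(roi):
    """Return (stage, verdict) for one ROI."""
    family = note_match(roi)
    if family:
        return ("signature", family)
    f = features(roi)
    # Hypothetical stand-in for the trained model: a burst of creates and renames
    # together with write data is the trace the article attributes to ransomware.
    # The hard benign tools leave a similar trace, which is why a deployment
    # needs the classifier rather than this rule.
    if f["creates"] >= 3 and f["renames"] >= 3 and f["writes"] >= 3:
        return ("model", "suspicious")
    return ("model", "benign")


def analyze(packets):
    """Score every closed ROI in a packet-size stream."""
    return [score(roi) for roi in regions(packets)]


# Constructed traces (not captures). Each ROI is bracketed by two enumeration requests.
BENIGN = [(C2S, 260)] + [(C2S, 181), (S2C, 4096), (C2S, 124)] * 3 + [(C2S, 260)]
ENCRYPT_FILE = [(C2S, 200), (S2C, 410), (C2S, 181), (S2C, 4096),  # create, read
               (C2S, 8192), (C2S, 192), (C2S, 124)]               # write, rename, close
ATTACK = [(C2S, 260)] + ENCRYPT_FILE * 4 + [(C2S, 260)]
NOTE_DROP = [(C2S, 260), (C2S, 200), (S2C, 410), (C2S, 1337), (C2S, 124), (C2S, 260)]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN), ("attack", ATTACK), ("note", NOTE_DROP)]:
        print(name, analyze(trace))
```

Two design points carry over to a real sensor. The direction of a packet is part of the signature, since a 410-byte packet from the client means something different from a 410-byte response. And a region is only closed by the next enumeration request, so a capture cut off mid-attack leaves a trailing stretch of activity that the slicing never scores; the early-warning result the article reports on partial runs depends on how that tail is handled.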

The model the team selected, a Random Committee classifier, reached an accuracy of about 99.6% on their test data. The authors report that it caught every ransomware sample in their tests, and false positives stayed rare.

The framework also aims to raise an alarm early. A short window of activity near the start of an attack produced an accuracy of 99.44%. That sits within a quarter of a percent of the result from a complete capture. Some families revealed themselves faster, and Lockbit became identifiable after about a third of its run.

The part worth copying

One choice in the study deserves attention. Many ransomware detection studies report high accuracy because their benign traffic is easy to separate from an attack. The La Trobe team picked benign samples that behave like ransomware on purpose. They captured network-encryption tools such as Hicrypt, bulk file copies through TeraCopy, and compression utilities like WinRAR and 7-Zip running with encryption switched on. These actions create bursts of new files and heavy writes, the same trace ransomware leaves.

A few limits sit alongside the results. The data came from a single testbed with one client and one server, which leaves open how the numbers hold across varied production networks. The team offers a server-side script that reports file and directory counts to adjust features for each environment, a step they describe and have yet to prove at scale.

The published indicators also cover only plaintext SMBv2 traffic. Current Windows clients and servers negotiate an SMB 3.x dialect by default, and SMB 3 can encrypt the session, although Windows leaves that encryption off unless an administrator requires it on the server or on a share. The encrypted equivalents of the indicators sit in a separate dataset the paper holds back. Because the method reads packet sizes, encryption that hides those sizes is a real question for deployment. SMB 3 encryption wraps each message in a fixed-size transform header and uses cipher modes that add no padding, so sizes shift by a constant rather than disappear; whether the fingerprints survive that shift is what the held-back dataset would have to show.

The framework targets automated attacks that encrypt a mapped drive on their own. The team set aside samples that needed manual operation, the hands-on-keyboard style of intrusion common in larger breaches. The approach handles one ransomware pattern well and leaves the rest to other tools.

Deployment stays simple in practice. The sensor runs off network traffic alone, with no software placed on the server or client, and sits on a span port reading packets. That suits storage that host-based agents cover poorly, including network-attached devices and older systems still speaking SMBv2. Evidence of a shared-storage attack moves across the network, and a sensor on the wire watches the path where the damage travels.
