English

Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud

Cryptography and Security 2026-01-27 v1 Distributed, Parallel, and Cluster Computing Operating Systems

Abstract

Ransomware variants increasingly combine privilege escalation with sophisticated evasion strategies such as intermittent encryption, low-entropy encryption, and imitation attacks. Such powerful ransomware variants, privilege-escalated evasive ransomware (PEER), can defeat existing solutions relying on I/O-pattern analysis by tampering with or obfuscating I/O traces. Meanwhile, conventional statistical content-based detection becomes unreliable as the encryption size decreases due to sampling noises. We present Rhea, a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. Rhea introduces Format-Aware Validation that validates the syntactic and semantic correctness of file formats, instead of relying on statistical or entropy-based indicators. By leveraging file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even under elevated attacker privileges. Our evaluation demonstrates that Rhea significantly outperforms existing approaches, establishing its practical effectiveness against modern ransomware threats.

Keywords

Cite

@article{arxiv.2601.18216,
  title  = {Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud},
  author = {Beom Heyn Kim and Seok Min Hong and Mohammad Mannan},
  journal= {arXiv preprint arXiv:2601.18216},
  year   = {2026}
}

Comments

12 pages, 6 figures, under review (Jan 2026)

R2 v1 2026-07-01T09:19:48.258Z