Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud

📅 2026-01-26
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing ransomware detectors are vulnerable to advanced variants that combine privilege escalation with evasion strategies such as intermittent encryption, low-entropy encryption and imitation (masquerading) attacks: with elevated privileges the ransomware can tamper with or obfuscate the I/O traces that behavioural detectors consume, and by encrypting only small portions of each file it defeats statistical content features such as entropy. The authors propose Rhea, a cloud-offloaded system that treats the syntactic and semantic specifications of file formats as detection invariants. Rhea validates replicated snapshots of the data (mutation snapshots) against those format specifications, so it depends neither on I/O behaviour, which the attacker can manipulate, nor on statistical indicators, which become noisy as the encrypted fraction shrinks. This lets it identify stealthy, fine-grained and intermittent encryption. The evaluation reports that Rhea outperforms state-of-the-art solutions on modern evasive ransomware while remaining practical to deploy.

📝 Abstract
Ransomware variants increasingly combine privilege escalation with sophisticated evasion strategies such as intermittent encryption, low-entropy encryption, and imitation attacks. Such powerful ransomware variants, privilege-escalated evasive ransomware (PEER), can defeat existing solutions relying on I/O-pattern analysis by tampering with or obfuscating I/O traces. Meanwhile, conventional statistical content-based detection becomes unreliable as the encryption size decreases due to sampling noise. We present Rhea, a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. Rhea introduces Format-Aware Validation that validates the syntactic and semantic correctness of file formats, instead of relying on statistical or entropy-based indicators. By leveraging file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even under elevated attacker privileges. Our evaluation demonstrates that Rhea significantly outperforms existing approaches, establishing its practical effectiveness against modern ransomware threats.
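As an added example that is not the paper's code or Rhea's implementation, the following Python sketches what format-aware validation looks like for one format (PNG) and why it survives the three evasions named in the abstract. It builds a PNG in memory, applies three constructed stand-ins for the attacks (an XOR keystream in place of whatever cipher the ransomware really uses, a byte-substitution table for low-entropy encryption, and a CRC-repairing masquerade), then runs both a whole-file entropy measure and a syntactic-plus-semantic PNG validator over the resulting mutation snapshot. The file names, key, image and stride values are all assumptions, and the validator covers only 8-bit images; it is not a full PNG decoder.

```python
# Added example, not the paper's code: format-aware validation of a constructed PNG
# mutation snapshot, beside the entropy statistic that PEER evasions are built to defeat.
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY = bytes(range(0x41, 0x51))        # 16-byte XOR key: stand-in for the real cipher
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}   # PNG colour type -> samples per pixel

def chunk(ctype, data):
    """Frame one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(width=128, height=128, seed=0):
    """Constructed sample: 8-bit greyscale PNG of seeded noise (near 8 bits/byte, like real media)."""
    rnd = random.Random(seed)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(rnd.getrandbits(8) for _ in range(width))
                    for _ in range(height))          # filter type 0 before each scanline
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

def shannon_entropy(blob):
    """Bits per byte: the statistic that entropy-based detectors threshold on."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def parse_chunks(blob):
    """Syntactic layer: signature, chunk framing, CRCs. Returns (chunks, error)."""
    if not blob.startswith(PNG_SIG):
        return None, "bad signature"
    pos, chunks = len(PNG_SIG), []
    while pos < len(blob):
        if pos + 12 > len(blob):
            return None, "truncated chunk"
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            return None, f"truncated {ctype!r} chunk"
        data = blob[pos + 8:end - 4]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", blob[end - 4:end])[0]:
            return None, f"CRC mismatch in {ctype!r}"
        chunks.append((ctype, data))
        pos = end
    return chunks, None

def validate_png(blob):
    """Format-aware validation: syntax (framing, CRCs) plus semantics (chunk order,
    IHDR fields, IDAT must inflate to exactly the scanline bytes IHDR implies)."""
    chunks, err = parse_chunks(blob)
    if err:
        return False, err
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13 or chunks[-1][0] != b"IEND":
        return False, "IHDR/IEND framing violated"
    w, h, depth, colour, _, _, _ = struct.unpack(">IIBBBBB", chunks[0][1])
    if depth != 8 or colour not in CHANNELS:
        return False, "unsupported bit depth or colour type"
    try:
        raw = zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))
    except zlib.error:
        return False, "IDAT does not inflate"
    if len(raw) != h * (1 + w * CHANNELS[colour]):
        return False, "inflated size contradicts IHDR"
    return True, "ok"

def xor_stream(data, offset=0):
    return bytes(b ^ KEY[(offset + i) % len(KEY)] for i, b in enumerate(data))

def intermittent_encrypt(blob, block=16, stride=1024, start=64):
    """Evasion 1 (constructed): encrypt 16 bytes per KiB, header left intact."""
    out = bytearray(blob)
    for off in range(start, len(out), stride):
        out[off:off + block] = xor_stream(out[off:off + block], off)
    return bytes(out)

def low_entropy_encrypt(blob):
    """Evasion 2 (constructed): fixed byte substitution past the signature; the body's histogram, hence entropy, is unchanged."""
    table = random.Random(1).sample(range(256), 256)
    return blob[:len(PNG_SIG)] + bytes(table[b] for b in blob[len(PNG_SIG):])

def masquerade(blob):
    """Evasion 3 (constructed): encrypt IDAT but re-frame with fresh CRCs, so only the semantic check fails."""
    chunks, _ = parse_chunks(blob)
    return PNG_SIG + b"".join(chunk(t, xor_stream(d) if t == b"IDAT" else d) for t, d in chunks)

def scan_snapshot(snapshot):
    """Walk a mutation snapshot {path: bytes}; return {path: violation} for files whose
    format invariants no longer hold. No I/O trace or statistic is consulted."""
    results = {path: validate_png(blob) for path, blob in snapshot.items()}
    return {path: reason for path, (ok, reason) in results.items() if not ok}

if __name__ == "__main__":
    clean = build_png()
    snapshot = {"a.png": clean, "b.png": intermittent_encrypt(clean),
                "c.png": low_entropy_encrypt(clean), "d.png": masquerade(clean)}
    print("flagged:", scan_snapshot(snapshot), {p: round(shannon_entropy(b), 3) for p, b in snapshot.items()})
```

Run as a script, the entropies of the four files agree to within a few hundredths of a bit per byte, because compressed media is already close to 8 bits/byte and the intermittent variant touches under 2% of the bytes, so no entropy threshold separates clean from attacked. The validator, by contrast, rejects all three attacked files for distinct reasons: a CRC mismatch, unparseable chunk framing, and an IDAT stream that no longer inflates. The masquerade case is why the semantic layer matters: an attacker who recomputes CRCs passes a syntax-only check. A production validator needs one specification per supported format and should be fuzzed, since it parses attacker-influenced bytes; running it over a replicated snapshot in the cloud, as the paper proposes, keeps that parsing surface and the detector itself out of reach of a privilege-escalated process on the protected host.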
Problem

Research questions and friction points this paper is trying to address.

ransomware
privilege escalation
evasion
I/O-pattern analysis
content-based detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Format-Aware Validation
Privilege-Escalated Evasive Ransomware
File Format Semantics
Cloud-Offloaded Detection
Mutation Snapshots