近年的台灣積體電路公司、台灣中油、鴻海集團等台灣重要的產業龍頭都已受到勒索病毒的危害，雖然造成的原因不盡相同，但是都對企業造成的影響甚鉅。例如：鴻海集團在2020年11月底，墨西哥廠區及威州廠區遭駭客勒索病毒「DoppelPaymer」攻擊，駭客竊取了約莫100GB儲存空間的機密檔案，並且刪除約莫20TB到30TB儲存空間的備份檔案，並且勒索1804枚比特幣。
勒索病毒是一種特殊的惡意程式。首先，勒索病毒會對電腦上重要的形式引數或檔案進行加密或是限制作業系統存取權，在受害者電腦螢幕上顯示勒索訊息，知會受害者交付指定的贖金方能獲得解密金鑰，這也就是這類型的病毒被稱為「勒索病毒」的緣故。由於病毒在進行檔案搜尋使用者檔案時會使用到額外的中央處理器、暫存記憶體、硬碟等硬體資源，經由及時監控的方的法發現不正常的硬體資源使用行為，就有可能及時發現勒索病毒的存在以避免受到勒索病毒所造成的損失。
在本論文中我們將會利用電腦硬體資源使用狀況進行判斷，例如:當中央處理器(CPU)使用率有大幅震盪現象和硬碟讀寫有大幅變化就表示可能有勒索病毒正在執行。經實驗證明，透過這種方法確實可以偵測到所有勒索病毒；同時，目前對特徵未改變的勒索病毒也能有效地發現。

In recent years, Taiwan’s important industrial leaders such as TSMC, CPC Corporation, and Foxconn Technology Group have all been harmed by ransomware. Although the causes are different, they all have a huge impact on enterprises. In this paper, we will use computer hardware resource usage to make judgments. For example, when the central processing unit (CPU) usage rate fluctuates greatly and the hard disk read and write changes significantly, it means that a ransomware may be executing. Experiments have proved that this method can indeed detect all ransomware; at the same time, the current ransomware with unchanged characteristics can also be effectively detected.

目錄
第一章	緒論	1
1.1	研究背景與動機	1
1.2	研究目的	3
1.3	論文架構	4
第二章	技術背景與相關研究	5
2.1	勒索病毒 (Ransomware)	5
2.1.1	可疑的設置行為	5
2.1.2	加密行為	7
2.1.3	著名勒索病毒	8
2.2	模糊理論 (Fuzzy Logic)	12
第三章	系統架構與實作	15
3.1	問題陳述	15
3.2	研究方法	18
3.2.1	大數據分析找出電腦硬體資源的正常使用行為	18
3.2.2	分析病毒對電腦硬體資源所造成的影響	19
3.2.3	檢測是否有不正常情形發生及後續處理方法	20
第四章	實驗結果	24
4.1	環境架設	24
4.2	病毒對各項硬體資源的影響	26
4.2.1	中央處理器(CPU)	27
4.2.2	記憶體(Memory)	31
4.2.3	硬碟讀寫(Hard disk I/O)	35
4.3	病毒偵測程式測試結果	39
4.3.1	實測結果(一)	40
4.3.2	實測結果(二)	49
第五章	結論與未來展望	52
參考文獻	53
附錄–英文論文	57

圖目錄
圖 3.2 1 即時檢測流程	21
圖 3.2 2 可疑程序篩選	23
圖 4.1 1實體主機與虛擬主機之架構	24
圖 4.2 1 Cerber 5 CPU使用狀態	27
圖 4.2 2 DeriaLock CPU使用狀態	28
圖 4.2 3 Infinitycrypt CPU使用狀態	29
圖 4.2 4 WannaCry CPU使用狀態	30
圖 4.2 5 Cerber 5記憶體使用狀態	31
圖 4.2 6 DeriaLock記憶體使用狀態	32
圖 4.2 7 Infinitycrypty記憶體使用狀態	33
圖 4.2 8 WannaCry記憶體使用狀態	34
圖 4.2 9 Cerber 5 硬碟讀寫量	35
圖 4.2 10 DeriaLock 硬碟讀寫量	36
圖 4.2 11 Infinitycrypt硬碟讀寫量	37
圖 4.2 12 WannaCry硬碟讀寫量	38
圖 4.3 1 Revil 偵測狀況	42
圖 4.3 2 Robinhood 偵測狀況	44
圖 4.3 3 SunCrypto 偵測狀況	46
圖 4.3 4 TeslaCrypto 偵測狀況	48
圖 4.3 5 DearCry 偵測狀況	50

表目錄
表 3.1 1勒索病毒運行至開始加密時間	17
表 4.3 1第一次勒索病毒測試清單	40

[1] 	C. A. Brebbia, F. Garzia, M. Lombardi, Ransomware in industrial control systems. what comes after wannacry and petya global attacks?  Safety and Security Engineering VII, 2018
[2] 	Kevin Liao; Ziming Zhao; Adam Doupe; Gail-Joon Ahn, Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin, APWG Symposium on Electronic Crime Research (eCrime), Toronto, ON, Canada, 2016
[3] 	Kevin Liao; Ziming Zhao; Adam Doupe; Gail-Joon Ahn, Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin, APWG Symposium on Electronic Crime Research (eCrime), Toronto, ON, Canada, 2016
[4] 	Nikolai Hampton; Zubair Baig; Sherali Zeadally, Ransomware Behavioral Analysis on Windows Platforms, Journal of Information Security and Applications ,Volume 40, June 2018, PP. 44-51
[5] 	Prashanth Krishnamurthy; Ramesh Karri; Farshad Khorrami, Anomaly Detection in Real-Time Multi-Threaded Processes Using Hardware Performance Counters, IEEE Transactions on Information Forensics and Security, Volume: 15,June 2019,PP.666-680
[6] 	Nieuwenhuizen, D. (2017). A behavioural-based approach to ransomware detection. White-paper. MWR Labs Whitepaper.
[7] 	Cohen, A., and Nissim, N. Trusted detection of ransomware in a private cloud using machine learning methods leveraging meta-features from volatile memory. Expert Systems with Applications, 102, 158-178.
[8] 	Z. Xu, S. Ray, P. Subramanyan, and S. Malik, Malware detection using machine learning based analysis of virtual memory access patterns, in Proc. IEEE Design Autom. Test Europe Conf. Exhibit. (DATE), 2017, pp. 169–174.
[9] 	Fahad M. Alotaibi; Vassilios G. Vassilakis, SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit, IEEE Access ( Volume: 9),pp. 28039 - 28058
[10] 	Stijn Pletinckx; Cyril Trap; Christian Doerr, Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware, 2018 IEEE Conference on Communications and Network Security (CNS), Beijing, China, 2018
[11] 	Ilker Kara; Murat Aydos, Static and Dynamic Analysis of Third Generation Cerber Ransomware, 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), Ankara, Turkey, 2018
[12] 	Anish Pillai; Ruturaj Kadikar; M. S. Vasanthi; B. Amutha, Analysis of AES-CBC Encryption for Interpreting Crypto-Wall Ransomware, 2018 International Conference on Communication and Signal Processing (ICCSP), Chennai, India, April 2018
[13] 	Ahmad O. Almashhadani; Mustafa Kaiiali; Sakir Sezer; Philip O’Kane, A Multi-Classifier Network-Based Crypto Ransomware Detection System: A Case Study of Locky Ransomware,  IEEE Access ( Volume: 7),pp. 47053 - 47067
[14] 	Alejandro Chuquilla; Teresa Guarda; Geovanni Ninahualpa Quiña, Ransomware - WannaCry Security is everyone's, 2019 14th Iberian Conference on Information Systems and Technologies (CISTI), Coimbra, Portugal, June 2019
[15] 	Qian Chen; Robert A. Bridges, Automated Behavioral Analysis of Malware A Case Study of WannaCry Ransomware, 16th IEEE International Conference on Machine Learning and Applications (ICMLA), Cancun, Mexico, 2017
[16] 	K.V.S.V.N. Raju, A.K. Majumdar, Fuzzy functional dependencies and lossless join decomposition on fuzzy relational database systems, ACM TODS 13 (1988) 129–166.
[17] 	L.A. Zadeh, Fuzzy sets, Inf. and Control 8 (1965) 338–353.
[18] 	L.A. Zadeh, Fuzzy sets as a basis for theory of possibility, Fuzzy Sets and Systems 1 (1) (1978) 3–28.
[19] 	B.P. Buckles, F.E. Petry, Information-theoretical characterization of fuzzy relational databases, IEEE Trans. Syst., Man Cybern. 13 (1) (1983) 72–77.
[20] 	R.R. Yager, Database discovery using fuzzy sets, Int. J. Intelligent System 11 (1996) 691–712.
[21] 	L.A. Zadeh, A computational approach to fuzzy quantiers in natural languages, Comput. Math. Appl. 9 (1984) 149–184.
[22]	R.R. Yager, General multiple-objective decision functions and linguistically quantied statements, Int. J. Man–Mach. Stud. 21 (1984) 389–400.
[23]	R.R. Yager, On ordering weighted averaging aggregation operations in multicriteria decisionmaking, IEEE Trans. Syst., Man Cybern. 18 (1988) 183–190.
[24]	J. Kacprzyk, C. Iwanski, Fuzzy logic with linguistic quantiers in inductive learning, in: Fuzzy Logic for the Management of Uncertainty, pp. 465–478.