{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:40:22Z","timestamp":1760060422985,"version":"build-2065373602"},"reference-count":16,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T00:00:00Z","timestamp":1756252800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Ransomware encrypts targeted files, making recovery difficult using conventional disinfection or deletion methods, unlike other types of malware. In particular, ransomware commonly encrypts important documents as a follow-up action, and existing antivirus programs are fundamentally incapable of preventing them. In this study, we analyzed 97 real-world ransomware behaviors and found that 95.88% of them involved encryption attempts. Consequently, we propose a real-time method for determining whether critical files have been compromised through encryption and for recovering them accordingly. The proposed Simple Format Analysis (SFA) detection technique consists of three methods: Simple Format Analysis\u2013Fixed-structure-based (SFA-F), which analyzes the file format; Simple Format Analysis\u2013Header-based (SFA-H), which focuses on file header information; and Simple Format Analysis\u2014Fixed-structure-and-Header-based (SFA-F-H), a hybrid method that combines both. These techniques achieved detection accuracies ranging from 95.0% (SFA-F) to 97.9% (SFA-F-H), outperforming existing detection approaches. In addition, we introduce a novel real-time recovery approach known as real-time file restoration from damage, which integrates SFA detection with pre-input\/output monitoring. We expect the proposed approach to significantly contribute to ransomware mitigation in cybersecurity environments.<\/jats:p>","DOI":"10.3390\/info16090739","type":"journal-article","created":{"date-parts":[[2025,8,28]],"date-time":"2025-08-28T09:31:12Z","timestamp":1756373472000},"page":"739","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Real-Time Detection and Recovery Method Against Ransomware Based on Simple Format Analysis"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-7363-9621","authenticated-orcid":false,"given":"JaeYeol","family":"Kim","sequence":"first","affiliation":[{"name":"Department of Software, Kyungwoon University, Gumi 39160, Republic of Korea"}]}],"member":"1968","published-online":{"date-parts":[[2025,8,27]]},"reference":[{"key":"ref_1","unstructured":"Cyberint (2025, June 11). Ransomware Annual Report 2024. Available online: https:\/\/cyberint.com\/blog\/research\/ransomware-annual-report-2024\/."},{"key":"ref_2","unstructured":"Sophos (2024). The State of Ransomware 2024, Sophos Ltd.. Available online: https:\/\/www.sophos.com\/en-us\/content\/state-of-ransomware."},{"key":"ref_3","unstructured":"Aung, Y.L., Khoo, Y.L., Zheng, D.Y., Swee Duo, B., Chattopadhyay, S., Zhou, J., Lu, L., and Goh, W. (2025). HoneyWin: High-Interaction Windows Honeypot in Enterprise Environment. arXiv."},{"key":"ref_4","unstructured":"AV-TEST Institute (2025, June 11). Every Day, the AV-TEST Institute Registers over 450,000 New Malicious Programs (Malware) and Potentially Unwanted Applications (PUA). Available online: https:\/\/www.av-test.org\/en\/statistics\/malware\/."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1007\/978-3-642-05284-2_4","article-title":"Baiting Inside Attackers Using Decoy Documents","volume":"Volume 19","author":"Chen","year":"2009","journal-title":"Security and Privacy in Communication Networks: Revised Selected Papers"},{"key":"ref_6","unstructured":"Kharraz, A., Arshad, S., Mulliner, C., Robertson, W., and Kirda, E.A. (2016, January 10\u201312). Large-Scale, Automated Approach to Detecting Ransomware. Proceedings of the 25th USENIX Security Symposium, Austin, TX, USA. Available online: https:\/\/www.usenix.org\/conference\/usenixsecurity16\/technical-sessions\/presentation\/kharaz."},{"key":"ref_7","first-page":"378","article-title":"RENTAKA: A Novel Machine Learning Framework for Crypto-Ransomware Pre-Encryption Detection","volume":"13","author":"Zakaria","year":"2022","journal-title":"Int. J. Adv. Comput. Sci. Appl."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"1971","DOI":"10.30574\/ijsra.2024.13.2.2381","article-title":"The Role of Encryption in Securing Backup Data Against Ransomware Threats","volume":"13","author":"Mehra","year":"2024","journal-title":"Int. J. Sci. Res. Arch."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1186\/s42400-024-00287-9","article-title":"Enabling Per-File Data Recovery from Ransomware Attacks via File System Forensics and Flash Translation Layer Data Extraction","volume":"7","author":"Dafoe","year":"2024","journal-title":"Cybersecurity"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Gayathri, G., and Arivoli, R.S. (2024, January 16\u201317). A Comprehensive Behavioural Study of Ransomware and Its Impact. Proceedings of the International Conference on Innovative Computing & Communication (ICICC 2024), New Delhi, India. Available online: https:\/\/ssrn.com\/abstract=5022928.","DOI":"10.2139\/ssrn.5022928"},{"key":"ref_11","unstructured":"Thomas, M.C., and Joy, A.T. (2006). Elements of Information Theory, Wiley Interscience."},{"key":"ref_12","unstructured":"Hassan, M.W., Goel, N., and Kalyan, T.V. (October, January 30). CARDR: DRAM Cache Assisted Ransomware Detection and Recovery in SSDs. Proceedings of the ACM International Symposium on Memory Systems (MEMSYS 2024), Washington, DC, USA."},{"key":"ref_13","first-page":"10900","article-title":"Enhanced Ransomware Detection and Prevention Using CNN-BiLSTM for Deep Behavioural Analysis","volume":"12","author":"Jadon","year":"2025","journal-title":"Int. J. Recent Adv. Multidiscip. Res."},{"key":"ref_14","unstructured":"Higuchi, K., and Kobayashi, R. (2025). ROFBS\u03b1: Real-Time Backup System Decoupled from ML-Based Ransomware Detection. arXiv."},{"key":"ref_15","unstructured":"Microsoft Docs (2025, June 08). IRP Major Function Codes. Available online: https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/kernel\/irp-major-function-codes."},{"key":"ref_16","unstructured":"ytisf (2025, July 28). theZoo: A Live Repository of Malware Samples. Available online: https:\/\/github.com\/ytisf\/theZoo."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/9\/739\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:33:57Z","timestamp":1760034837000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/9\/739"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,27]]},"references-count":16,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2025,9]]}},"alternative-id":["info16090739"],"URL":"https:\/\/doi.org\/10.3390\/info16090739","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2025,8,27]]}}}