The document proposes a ransomware protection method called "Hiding in the Crowd" that protects critical files from ransomware attacks by applying a camouflage and hiding strategy. The method hides files in directories that ransomware typically avoids encrypting and uses link files to allow convenient access to hidden files. The authors enhance the security of the method by implementing an encrypted database and linker to avoid exposing information about hidden files. Experiments show the method successfully protects files against real-world ransomware samples in a cost-effective manner.

1. Received 25 June 2023, accepted 16 August 2023, date of publication 29 August 2023, date of current version 1 September 2023.
Digital Object Identifier 10.1109/ACCESS.2023.3309879
Hiding in the Crowd: Ransomware Protection by
Adopting Camouflage and Hiding Strategy
With the Link File
SOOHAN LEE 1, SUHYEON LEE 2, (Member, IEEE), JIWON PARK1,
KYOUNGMIN KIM 1, AND KYUNGHO LEE 3
1Department of Cyber Security, Korea University, Seoul 02841, Republic of Korea
2Ministry of Defense, Seoul 04383, Republic of Korea
3Institute of Cyber Security and Privacy, Korea University, Seoul 02841, Republic of Korea
Corresponding author: Kyungho Lee (kevinlee@korea.ac.kr)
This work was supported by Korea University Grant.
ABSTRACT Ransomware is a growing threat and is building ecosystems in the form of ransomware as
a service (RaaS). While there have been diverse efforts to detect and mitigate such threats, techniques to
bypass such countermeasures have advanced considerably. Since detecting all evolving threats has become
challenging, there is a growing interest in developing proactive countermeasures that can minimize the
damage even in environments where ransomware has already been executed. In this study, we gained
insights from an attacker’s perspective by analyzing ransomware such as LockBit and derived a generic
counterstrategy against features that are common in ransomware attacks. Our proposed method protects
critical files from existing ransomware by applying a hiding strategy that poses a challenge to attackers in
finding the target files. We also present best practices for implementing the strategy while considering both
in terms of security and usability using the link file and improving the method through the addition of a
linker and encrypted database to reduce the attack surface. By using real-world ransomware samples, our
experiments show that the proposed method successfully protects valuable files against ransomware in a
cost-effective manner.
INDEX TERMS Cybersecurity, ransomware, avoidance mechanism, malware analysis.
I. INTRODUCTION
With the development of information technology, real-world
values such as information assets are moving into cyberspace.
As a result, ransomware has emerged as a major cybersecurity
threat, and its occurrence has surged drastically in 2022.
According to a recent Verizon report, ransomware instances
continue to exhibit an upward trend, showing an almost
13% increase. This increase is equivalent to the combined
increase of the last five years and is associated with 25%
of all breaches [1]. Ransomware is a subset of malware
designed to limit access to a system or data until a ransom is
paid. Therefore, ransomware can cause considerable damage
to businesses, organizations, and individuals, resulting in data
loss, financial loss, and reputational damage [2], [3].
The associate editor coordinating the review of this manuscript and
approving it for publication was Mohamed Elhoseny .
A trend in ransomware attacks is the use of ransomware as
a service (RaaS) platform, which enables even non-technical
criminals to launch ransomware attacks [4]. RaaS operators
provide a user-friendly interface to affiliates for creating and
distributing ransomware, as well as a range of other services,
such as payment processing and negotiation support [5].
The operators generate profits by allocating a percentage of
each successful ransom payment [6]. The development of
these ecosystems has a significant impact on the spread
of ransomware threats.
In response to the growing threat, studies have focused
on developing effective mechanisms for detection and block-
ing [7]. Researchers have extracted structural and behavioral
features from ransomware samples to design defense mecha-
nisms [8]. Although leveraging structural features is the most
common approach for malware detection, it is ineffective
against sophisticated techniques such as polymorphism and
VOLUME 11, 2023
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ 92693

2. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
obfuscation [9]. To overcome these limitations, researchers
have increasingly focused on behavior-based analysis that
monitors the actions of the malware process during run-
time. This approach utilizes features that are challenging
for ransomware authors to conceal, such as API calls and
I/O accesses [10], [11]. Behavior-based detection mecha-
nisms have evolved to incorporate deceptive strategies. As an
example, they create and distribute decoy files considering
ransomware attacks target specific files [12].
However, attackers are constantly developing techniques
to evade detection mechanisms. It results in difficulty in
blocking all emerging threats. Despite the effectiveness of
detection mechanisms, their efficacy is constrained by three
fundamental limitations, as underscored by studies propos-
ing detection mechanisms or investigating the behavior of
ransomware:
1) Static and dynamic analysis techniques become less
efficient as the malware developers continuously
develop evasion techniques [13].
2) Behavior-based detection mechanisms may result in
file loss until detection is achieved [14].
3) Terminating the monitoring process can render the
detection mechanism ineffective [15].
Since process termination is commonly performed before
file encryption in ransomware attacks [16], [17], it highlights
the need for alternative approaches to complement existing
detection-based methods. While monitoring may suffice in
general computing environments from an economic stand-
point, special environments such as military systems cannot
afford even a single intrusion due to the potentially catas-
trophic damage. Thus, reducing risk at all levels is crucial in
such critical environments. As a result, there is a demand for
methods that minimize the damage caused by ransomware in
terms of cyber resilience [18], even in situations where the
malware has already been executed and real-time detection is
not available.
Therefore, our study aims to devise a proactive method that
can function as a secondary line of defense to address two
unfavorable scenarios from a defensive standpoint: i) failure
or termination of the monitoring process before malware
detection, ii) delay in the detection mechanism requiring
additional time to identify the malware.
In this context, our approach ensures file protection
through a two-step process: firstly, by modifying file exten-
sions, and secondly, by concealing the original files within
directories that are typically not targeted by ransomware
for encryption. While our approach may not directly detect
or block ransomware execution, it effectively counters the
targeting strategy employed by the majority of ransomware.
The authors in [15] identified directories that are delib-
erately avoided during the targeting phase. They suggested
further investigating the possibility of utilizing these char-
acteristics as defensive techniques. In their study, a prelim-
inary attempt was made to conceal valuable data within the
C:Windows directory, but it was found ineffective against
ransomware like Onyx. In contrast, our goal is to advance
these concepts by proposing a camouflage and hiding strat-
egy. Our method not only protects files against the majority
of ransomware families but also ensures convenient access to
hidden files using link files.
In addition, prior research on ransomware protection has
limitations when the defense mechanisms are exposed, as it
provides attackers with an opportunity to develop counter-
strategies. To address this concern, we have adopted an open
design approach to enhance the robustness of the proposed
method. In our effort to minimize the likelihood of attackers
uncovering the locations of protected files via the information
within link files, we have enhanced the method by imple-
menting an encrypted database and a linker. The advanced
method ensures that the attacker cannot obtain information
about hidden files through the link files.
The contributions of this paper are as follows:
• We propose a novel approach to protect against ran-
somware proactively while ensuring file access utilizing
link files.
• We enhance the security of our method by implementing
measures to address situations where our defense strat-
egy is exposed to attackers.
• We demonstrate that our approach is practically effective
against various ransomware families through a series of
experiments.
The remainder of the paper is organized as follows.
Section II introduces related work, and Section III presents
common features of ransomware. We propose a ransomware
protection method by applying a camouflage and hiding
strategy in Section IV and demonstrate our experiments
in Section V. We discuss our approach from the perspective
of security and usability in Section VI before concluding our
research in Section VII.
II. RELATED WORK
In this section, we categorize ransomware defense mecha-
nisms into three main categories: detection, recovery, and
avoidance. Table 1 presents the comparison of each mecha-
nism. Table 2 categorizes the related work with our research.
A. DETECTION MECHANISM
This mechanism aims to identify and block ransomware
before or during its execution. Detection mechanisms employ
both static analysis, which examines the structural features of
ransomware, and behavior-based detection, which involves
real-time monitoring of the actions performed by the ran-
somware process. However, static analysis approaches have
limitations when confronted with obfuscation techniques [9].
As a result, behavior-based detection is commonly adopted
in recent research.
In the field of behavior-based detection, Kharraz et al. [19]
presented UNVEIL, a dynamic analysis system that operates
on the principle that ransomware needs to manipulate the
user’s files to carry out a successful attack. UNVEIL actively
92694 VOLUME 11, 2023

3. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
TABLE 1. Description and limitation of ransomware defense mechanisms.
TABLE 2. Categorization based on types of ransomware defense research ( means applied and # means not applied).
monitors filesystem activities, including input/output (I/O)
requests, with the purpose of identifying alterations made to
the system that could potentially indicate the execution of
ransomware. Arabo et al. [11] proposed a self-defense mech-
anism based on process behavior analysis. They utilized
application programming interface (API) calls and system
usage to differentiate between ransomware and benign appli-
cations, achieving low false-positive/negative rates.
Over the past few years, there has been a growing
interest in hybrid approaches that combine the analysis of
both structural and behavioral characteristics of ransomware.
Notably, machine learning has emerged as a vital component
within such approaches, owing to its ability to automat-
ically extract crucial features from ransomware samples.
Poudyal et al. [20] introduced a reverse engineering frame-
work that integrates feature generation engines and machine
learning techniques for effective ransomware detection. Their
approach involves extracting features at multiple levels,
including the dynamic link library (DLL), function call, and
assembly, to leverage both structural and behavioral charac-
teristics. Karbab et al. [21] proposed SwiftR, a ransomware
detection system that utilizes deep learning models, which
effectively analyze the hybrid features of ransomware.
Modern studies have focused on detection and block-
ing mechanisms that utilize decoy files. For instance,
R-Locker [22] deploys a collection of honeyfiles within the
target environment to detect zero-day ransomware attacks and
automatically launch countermeasures when the honeyfiles
VOLUME 11, 2023 92695

4. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
are accessed. RTrap [12] is a comprehensive framework
that incorporates ML-generated deceptive files to detect ran-
somware, specifically addressing evasion techniques related
to decoy-watching strategies.
Although detection mechanisms may be effective in iden-
tifying existing ransomware, they cannot comprehensively
reflect all evasion techniques. It is also possible that file
loss might occur during the detection process. Furthermore,
these mechanisms are only effective when the monitoring
process is running, and the effect of protection can be lost
if the ransomware terminates such countermeasures to avoid
observation.
B. RECOVERY MECHANISM
This mechanism focuses on data backups or restoring
encrypted files, thereby effectively addressing scenarios
where encryption has already occurred. Unlike the blocking
mechanism, the recovery mechanism does not necessarily
require prior detection. However, as the decryption process
becomes more challenging, proposed methods for recovery
often involve obtaining encryption keys or creating file copies
during ransomware execution, which require the involvement
of the detection process.
Kolodenker et al. [23] introduced a key escrow mechanism
named Paybreak that securely stores encryption keys in a key
vault by hooking cryptographic API and using the keys to
decrypt the victim files. While the authors demonstrate that
the technique can recover from the damage caused by 12 dif-
ferent ransomware families, its effectiveness is limited
against ransomware families that utilize the corresponding
cryptography APIs for file encryption. Continella et al. [24]
proposed ShieldFS which monitors the low-level activity of
the file system and maintains adaptive models that profile the
system behavior over time. When ransomware execution is
detected, the file system triggers a function to create copies
of the data for restoration. Yun et al. [25] proposed a backup
system named CLDSafe that keeps shadow copies of files
and provides secure restoration using cloud storage to prevent
data loss. CLDSafe measures file similarities between a new
file on the client and an old file on the server. To ensure data
integrity, when significant modifications are made to the new
file, the previous version of the file residing on the server is
securely backed up.
As demonstrated by the aforementioned studies, advance-
ments in recovery mechanisms tend to rely on prior detection.
Additionally, recovery mechanisms cannot prevent secondary
damage because modern ransomware employs a double
extortion strategy [26] that threatens to release files publicly
if a ransom is not paid.
C. AVOIDANCE MECHANISM
This mitigation approach aims to prevent ransomware attacks
and minimize their impact. Unlike reactive blocking and
recovery techniques that respond to intrusions, the avoid-
ance technique focuses on proactive measures to avoid
or minimize the potential damage caused by ransomware
attacks. One prominent method for preventing ransomware is
the use of permission restriction. This involves implement-
ing strict access controls and permissions on critical files
and folders, limiting the ability of ransomware to modify or
encrypt them.
Microsoft has introduced controlled folder access [27],
a security feature that restricts access to protected folders
exclusively to trusted applications, effectively preventing ran-
somware from tampering with those folders. However, this
feature also has limitations as it relies on user permissions
and does not provide prevention against potentially mali-
cious programs operating in unprotected locations. Attackers
with sufficient privileges can easily circumvent such defense
mechanisms.
In recent studies, security researchers have focused on
the targeting phase in ransomware execution, where spe-
cific files are selected for encryption. Choi et al. [28] pro-
posed a defense mechanism utilizing deception technology.
This mechanism involved inserting an authentication pro-
cess during file search operations by hooking system calls
like ZwQueryDirectoryFile. While system call hooking was
previously used in antivirus solutions, its efficacy has been
reduced due to bypass techniques such as direct system calls.
For example, the Conti ransomware employs API-unhooking
mechanisms to evade antivirus or endpoint detection and
response (EDR) systems [29].
Lee et al. [30] introduced a countermeasure from the
moving target defense (MTD) perspective. Given that most
ransomware targets files based on file extensions, the authors
protected valuable files from ransomware by changing
their extensions randomly. In the past, ransomware only
encrypted files that contained specific file extensions. How-
ever, as depicted in Table 3, recent variants of ransomware
have adopted a strategic approach wherein they encrypt all
files except those with excluded extensions or located in
excluded paths. This strategy aims to evade countermeasures
reliant on file extension randomization. Consequently, coun-
termeasures of this nature may prove ineffective within such
environments.
The avoidance mechanism does not necessarily require
prior detection as its primary goal is to implement preven-
tive measures. Nevertheless, the incorporation of the detec-
tion process into the framework can be considered a viable
approach to enhance usability and overall effectiveness.
Khan et al. [31] proposed a multi-level MTD method, which
randomizes file extensions and modifies file headers for
proactive mitigation. Additionally, to complement the limita-
tion of the extension randomization strategy, they introduced
an event-based reactive MTD method that switches file exten-
sions with .exe (which is excluded in ransomware encryption)
when typical ransomware events occur. They integrated a
detection procedure into their avoidance mechanism because
changing file extensions to .exe can render the files inac-
cessible. Therefore, they chose to alter the file extensions
only when a ransomware event occurs. However, like other
92696 VOLUME 11, 2023

5. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
detection-based mechanisms, this approach can be ineffective
if ransomware deletes scheduled tasks that monitor ran-
somware events.
Although avoidance mechanisms have demonstrated their
efficacy, there may encounter usability issues. Additionally,
the existing defense mechanisms are susceptible if their
strategies are exposed, as attackers may develop correspond-
ing countermeasures. Hence, we propose a novel approach
that offers protection without relying on a prior detection,
while simultaneously ensuring normal file access.
III. RANSOMWARE ANALYSIS FROM THE ATTACKER’S
PERSPECTIVE
In this section, we introduce three key insights and the
common execution flow of ransomware obtained by a com-
prehensive analysis to select the features and the scope of our
approach.
A. INSIGHTS FROM RANSOMWARE ANALYSIS
To develop a universal approach, we conducted a compre-
hensive analysis of various ransomware families that have
become popular to identify their common features. Given
that most ransomware attacks target the Microsoft Windows
operating system (OS) [32] and prefer encrypting individual
files to locking the device [33], this study focuses on crypto
ransomware executed in the Windows OS. The results of
our ransomware analysis provide three key insights from the
attacker’s perspective.
1) RELIABLE ENCRYPTION ENVIRONMENT
Attackers aim to encrypt files as reliably as possible with-
out destroying the system to demand a ransom. Most ran-
somware has a specific list of files to include or exclude from
encryption. Since attackers generally seek financial gain, they
refrain from encrypting files that may affect the function-
ality of the OS [15]. Consequently, attackers could execute
the entire encryption process and inform the victim of the
damage. Furthermore, encryption has not been applied to files
that can contact the attackers, such as files in the Tor Browser
directory are excluded from encryption.
2) FAST IMPACT
Attackers want to encrypt files as quickly and efficiently as
possible. They select files to encrypt based on their exten-
sions and paths to reduce discovery time. Next, they select
the appropriate encryption method based on the file size,
such as partial encryption of files larger than 5.24 MB [29].
Stream ciphers such as Salsa20 [34] and ChaCha20 [35] are
increasingly used to shorten the encryption time as attackers
believe that the longer the attack time, the more likely it is to
be detected.
3) EVOLVING ATTACK TECHNIQUES
Attackers use various initial access and defense evasion tech-
niques and are constantly evolving their tactics for successful
attacks [36]. In particular, advanced techniques are used
for each group to bypass detection, rendering detection and
blocking of all attacks difficult. Therefore, we consider that
minimizing damage when ransomware is executed can be an
effective defense measure.
FIGURE 1. Main phases of the ransomware execution process.
B. EXECUTION FLOW OF RANSOMWARE
In the case of the latest ransomware samples, attackers
include numerous tactics such as data exfiltration for double
extortion, discovery, and lateral movement for the spread of
attacks [37]. However, we focused on the common character-
istics shared by most ransomware families. As a result of our
analysis, we identified four common phases of ransomware,
as displayed in Fig. 1. In the initial access phase, ransomware
is downloaded and executed through various attack vectors
such as social engineering. In the defense evasion phase, pro-
tective measures such as antivirus are bypassed. During the
targeting phase, ransomware identifies files to be encrypted
and then proceeds to the encryption phase. Due to the evolv-
ing nature of attack techniques, as discussed in Section III-A,
detecting all possible attacks has become challenging. There-
fore, we focused on the targeting phase as the next line of
defense.
We observe that ransomware excludes system-related files
from encryption for a reliable attack and classifies files based
on the extensions and paths for fast encryption, as presented
in Table 3. The Windows OS categorizes files by extensions
and stores system-related files in designated paths, which
allows attackers to easily select targets. Conversely, if these
characteristics disappear, it becomes difficult for attackers
to target files for encryption. Exploiting this weak point,
we develop a generic countermeasure by implementing a
camouflage and hiding strategy.
IV. PROPOSED METHOD
In this section, we propose a novel method to counter ran-
somware targeting by applying a camouflage and hiding
strategy. We also enhance our approach by considering sit-
uations where the strategy is exposed to attackers.
A. CAMOUFLAGE AND HIDING
Since attackers typically categorize files by their extensions
and paths, the proposed method uses excluded extensions to
camouflage files as hard-to-touch files and excluded paths to
hide them in obscure directories that are difficult to encrypt.
For example, we can disguise a document file as a DLL file
by altering its file extension from .docx to .dll and randomly
modify its name. Then, we hide it in a subdirectory of the
Windows directory (C:Windows), making it difficult for
ransomware to target and encrypt. However, this approach
VOLUME 11, 2023 92697

6. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
TABLE 3. The list of excluded paths and file extensions in LockBit and DarkSide ransomware.
may lead to usability issues as users could encounter diffi-
culty in accessing files.
B. ADDING LAYER WITH LINK FILE
Although the camouflage and hiding strategy is an effective
method of impeding ransomware from selecting targets, this
approach can pose usability challenges because users may
not be able to find and access hidden files. In response to
these usability issues, we have designed a linking system that
allows users to easily access hidden files.
In the Windows OS, soft links are of two types, namely,
a shell link binary file format and a symbolic link. The shell
link binary file format is the format that contains information
to access another data object [38], whereas the symbolic
link is a file system object that points to another file system
object [39]. However, symbolic links are not suitable for our
camouflage and hiding method because their functions are
limited to pointing to files. Since Windows OS identifies files
by their extensions, it cannot open camouflaged files properly
as it mistakes the file type for a camouflaged extension and
connects the wrong application. Therefore, the application
to open the camouflaged file must be specified; however,
symbolic links do not support this flexibility. Furthermore,
symbolic links allow ransomware to access hidden files
directly. We have implemented a camouflage and hiding strat-
egy using symbolic links and conducted simple experiments
by executing ransomware samples. As a result, we observed
that some ransomware, such as LockBit, could encrypt hidden
files through symbolic links.
Instead, we opt to use the shell link binary file format,
which enables the creation of independent data objects that
include command-line arguments. For example, we can
specify a command line in the link file to open a hidden doc-
ument file, such as ‘‘C:Program FilesMicrosoft
OfficerootOffice16WINWORD.EXE [hidden
file path]’’. This approach allows us to create a link file
that provides users with easy access to hidden files, while
hidden files are located in the hidden layer that ransomware
typically excludes from encryption.
FIGURE 2. The proposed method of linking the user layer to a hidden
layer.
As displayed in Fig. 2, the proposed method involves
hiding files in the hidden layer and creating link files in the
user layer to access the hidden files. In this case, even if
ransomware is executed, only link files in the user layer are
encrypted, whereas hidden files in the hidden layer remain
protected. Thus, the effect of ransomware can be avoided and
files can be easily restored without any decryption process.
In the case that files in the user layer are encrypted, or if
the user needs the original file for tasks such as file transfer,
a recovery function is necessary to retrieve files from the
hidden layer and restore them to the user layer. Therefore,
we store a pair of [original file path] and [hidden file path]
in the mapping table when hiding a file. This mapping table
enables us to retrieve the original file path corresponding to
the hidden file path and recover the original file in the user
layer. The details for the hiding and recovery functions are
described in Algorithm 1.
C. ENCRYPTED DATABASE AND LINKER
The methods used to avoid ransomware targeting are vul-
nerable to advanced attackers who may have knowledge of
the internal design. Since these methods assume that the
device has already been compromised, attackers can easily
bypass countermeasures. Therefore, it is crucial to design
92698 VOLUME 11, 2023

7. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
Algorithm 1 Hiding and Recovery Function
Data: P, the list of excluded paths
Data: E, the list of excluded file extensions
Data: T, mapping table
1: function HideFile(file)
2: fileName ← RandomGenName()
3: path ← RandomSelect(P)
4: ext ← RandomSelect(E)
5: hiddenFile ← path + fileName + ext
6: MoveFile(file, hiddenFile)
7: linkFile ← MakeLinkFile(file, hiddenFile)
8: UpdateTable(T, hiddenFile, file, linkFile)
9: end function
10: function RecoverFile(hiddenFile)
11: file, linkFile ← PopTable(T, hiddenFile)
12: MoveFile(hiddenFile, file)
13: Delete(linkFile)
14: end function
our method as an open design, considering that the enemy
knows the system [40]. We first identified potential design
vulnerabilities that could arise from advanced attackers and
then applied hardening to our approach.
FIGURE 3. Differences in the link file considering open design.
Fig. 3(a) displays a hex dump of the link file generated by
our previous approach, which reveals the path of the hidden
file. This vulnerability could potentially enable advanced
attackers to encrypt valuable files using the exposed infor-
mation. Additionally, storing the mapping table for recovery
could allow attackers to acquire the table and locate hidden
files. Attackers may exploit our recovery function to retrieve
hidden files before encryption.
In response to these challenges, we proposed a secure
version of the previous method, as shown in Fig. 4. The secure
version references the hash value of the hidden file path,
as displayed in Fig. 3(b), instead of directly linking to the
hidden file. The hash value and the hidden file path are stored
in a separate hash table. This approach involves the addition
of a linker, which redirects users to the hidden file upon
accessing the link file. The linker retrieves the hidden file path
using the hash value from the hash table and determines the
file type by referencing a mapping table. Then, it associates
the hidden file with the corresponding program based on its
file type. The one-way hash function conceals the location of
the hidden files, making it challenging for attackers to access
valuable data.
Since the mapping table and hash table both contain
critical information about hidden files, attackers can poten-
tially exploit data by obtaining access to these databases.
To mitigate this risk, we add encryption to the database
to prevent unauthorized access. Additionally, we insert an
authentication process within the recovery function to prevent
attackers from recovering files before encryption. Although
we perform hardening to reduce the attack surface, vulner-
abilities that can be exploited during the implementation
or operation of our approach may still exist. For instance,
attackers can obtain the database key or deduce the pattern
of the hidden files. Further weaknesses that might emerge
when implementing or operating our approach are discussed
in Section VI.
V. EVALUATION
In this section, we describe our experiment design and
demonstrate the validity of the proposed method against a
variety of ransomware families.
A. IMPLEMENTATION
We conducted an experiment to verify the effectiveness of the
method and addressed the following research questions:
RQ1. Is our method valid for real-world ransomware?
RQ2. Is our method reasonable in terms of performance?
Before conducting the experiments, we implemented the
method described in Fig. 4. For evaluation, we selected the
extensions and paths commonly excluded by ransomware
in the targeting phase. In particular, as shown in Table 4,
we selected the .dll and .exe extensions and the subdirectory
of the Windows directory for simplicity. Next, we selected
seven file types (word, ppt, excel, photo, pdf, text, and zip)
commonly encrypted by ransomware in the user layer.
Subsequently, we implemented the prototype of the pro-
posed method with Python3 to camouflage and hide files. The
prototype comprises three functions: hiding, recovery, and
linker. The hiding function generates link files that include the
hash value of each hidden file path, which allows access to the
file through the linker as usual. The linker function retrieves
VOLUME 11, 2023 92699

8. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
FIGURE 4. A secure version of the proposed method considering an advanced attacker.
TABLE 4. Selected features in this experiment.
the path of the hidden file by referring to the hash table and
connects the hidden file to the corresponding application. The
recovery function refers to the mapping table and restores the
hidden file to its original location as the original file.
To enhance the security of the method, we encrypted a
database containing critical information, such as the excluded
extensions, excluded paths, hash table, and mapping table.
We used AES256 for database encryption and SHA256 for
hashing the hidden file path. The detailed proof-of-concept
codes are available on Github.1
Executing the hiding function of the prototype demon-
strated that files were successfully disguised with excluded
extensions and stored in a hidden layer. Additionally, link
files were created in the user layer, enabling users to access
the hidden files by simply clicking on the link files, thereby
replicating the experience of accessing the original files.
Finally, we executed real-world ransomware samples to
verify that selected files were preserved (not encrypted) and
recovered normally (RQ1). We also conducted a perfor-
mance test to check whether the method is reasonable (RQ2).
1https://github.com/hanXen/ransomware_protect_linkers
The experiment was conducted on a virtual image of Win-
dows OS 10 for repeated ransomware executions, and the
performance test was conducted on 16 GB RAM and AMD
Ryzen 5 3600 6-Core Processor running at 3.60 GHz.
FIGURE 5. Process of sorting dataset in the experiment.
B. DATASET
We tested multiple ransomware families in our experiment to
evaluate the effectiveness of the proposed method. Fig. 5 dis-
plays the dataset selection process. We initially collected
samples mainly from databases such as VirusTotal, referring
to ransomware-related reports. To select functional samples,
we tested the collected samples in a sandbox environment.
Some samples did not function owing to reasons such as
unreachable command and control (C&C) servers or the use
of anti-analysis tactics. During analysis, we evaded anti-
analysis tactics without disrupting the core functionality if
possible. For example, we bypassed input validation for
samples that required an active token. Thus, we selected
36 ransomware families that have been actively operating in
recent years. While multiple samples were available for each
family, we prioritized family diversity over sample quantity
based on research and analysis because all samples selected
from the same family led to identical results owing to signif-
icant similarities in the core logic.
92700 VOLUME 11, 2023

9. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
TABLE 5. Results of the experiment.
FIGURE 6. Time and storage required for hiding/recovering files based on the number of files.
C. RESULTS
The proposed approach protected valuable files from var-
ious ransomware variants, including Agenda, AvosLocker,
BlackBasta, BlackCat/ALPHV, CLOP, Conti, Cuba, Dagon,
DarkSide/BlackMatter, FarGo/TargetCompany, GandCrab,
H0lyGh0st, Hive, K0xic, Lilith, LockBit, Magniber, Maze,
Medusa, Moisha, NightSky, Nokoyawa, ONYX, Phobos,
Pysa, REvil, Ragnarok, Ryuk, SolidBit, STOP/Djvu, Sugar,
SunCrypt, Surtr, WannaCry, and Yashma/Chaos. The major-
ity of ransomware families do not encrypt link files (.lnk),
which allowed us to access files normally even after being
infected. The recovery function successfully recovered files,
demonstrating the effectiveness of our approach in providing
universal defense against ransomware in a cost-effective man-
ner, as presented in Table 5. However, the proposed method
cannot protect against Phosphorus, which utilizes BitLocker,
built-in functions in Windows OS that support full-volume
encryption. Most ransomware targets the files of the victim,
but BitLocker targets the entire disk to render the device
inoperable, which is similar to the function of locker ran-
somware. Because our method focuses on protecting files,
locker ransomware is beyond the scope of our protection.
The performance of our method was evaluated based on
two factors: usability degradation during hiding/recovering
files and accessing a hidden file through the link file. First,
we measured the time and storage required in the system
for hiding/recovering files based on the number of files.
As displayed in Fig. 6(a), our approach requires an average of
0.003 s per file for hiding and 0.0004 s per file for recovery.
This indicates that the proposed method can be used without
significant performance degradation and recover files quickly
after a ransomware attack, which reduces the effect on system
operations. Furthermore, Fig. 6(b) reveals that the method
requires 2 KB per link file, which is smaller than the default
minimum size that the Windows OS allocates for files in
disks. Compared with the size of the original files, the pro-
posed method can more efficiently recover files than backing
up files, such as using a volume shadow copy.
We then measured the time required to access a file through
the link file and compared it with accessing a file directly
before applying the proposed method. Each experiment was
conducted 300 times, and the distribution of the time required
to open the file was expressed through a histogram. The
measurement is performed from the time when a user clicks
on a file and the CreateFile function of File Explorer occurs
to the time when the application that opens the hidden file
invokes the CreateFile function. Fig. 7(a) displays that a delay
of approximately 0.45 s occurs compared with accessing the
VOLUME 11, 2023 92701

10. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
FIGURE 7. Comparison of file access time when applying the proposed method with general access.
file directly before applying the method. The time delays
occur due to the process of the link file calling the linker
function, the linker function decrypting the database, and
the linker function referring to the hash table to open hid-
den files through the application. These causes were con-
firmed by measuring the time before the linker was adopted
and when the database was not encrypted, as displayed
in Fig. 7(b).
Even in the current prototype, access through a link file
did not cause inconveniences compared with when accessing
a file directly. Considering that the prototype is implemented
in Python3 and not optimized, access latency can be reduced
by optimizing both its algorithm and implementation.
VI. DISCUSSION
In this section, we discuss the usability and security consid-
erations of our approach when applied to the real world.
A. IMPROVE USABILITY
Usability is a significant factor in the adoption of defense
mechanisms. Even the best defense technique may not
be used if it is not user-friendly. However, the security-
usability trade-off typically forces the sacrifice of usability
for strengthened security. Therefore, it is essential to explore
ways to improve usability within the constraints of the sys-
tem. Although we demonstrate the effectiveness of the pro-
posed method for accessing hidden files through a link file
in Section V, it may still inconvenience users because hidden
files are not easily visible. If a user requires the retrieval of
the original files for sharing purposes, the user may need to
execute the file recovery function first.
One possible solution to improving usability is to lever-
age the right-click context menu in the Windows OS by
editing the registry. To add a recovery function to the
right-click menu, the command can be specified in the
registry as follows: ‘‘HKEY_CLASSES_ROOT*shell
RecoverFilecommand’’. Since the hiding function
requires administrator privileges, the command can be
specified in the registry: ‘‘HKEY_CLASSES_ROOT*
shellrunascommand’’. These registry edits enable
users to conveniently execute the features of the proposed
method with a simple one-click action. While we have
made efforts to enhance usability through the implementa-
tion of practical methods, we recognize that our approach
may still present usability challenges. We will continue to
explore ways to improve the user experience through the
implementation.
B. APPLICATION IN THE REAL WORLD
The proposed method effectively protects files against real-
world ransomware, as described in Section V. By making
it difficult for ransomware to classify files, our approach
increases the attacker’s cost during the targeting phase, such
as acquiring relationships from the mapping table. That is,
the crux of the proposed method lies in the security of
database encryption and key management. As described
in Section IV-C, we limit the scope of hardening to vulner-
abilities that may arise from the design of our approach.
However, security issues can occur during the implementa-
tion or operation phases. For instance, if the decryption key is
stored within a program or device, a skilled advanced persis-
tent threat attacker with sufficient privileges can potentially
extract the key through analysis.
Externalizing the key would be a recommended approach
to enhance security. In our current implementation, the key
was externalized by requiring a password input for database
decryption. Combining our approach with other effective key
management methods would improve the proposed method.
Periodically moving and hiding databases from an MTD
perspective can be an effective security control to safeguard
against various types of attacks.
Moreover, attackers may be able to deduce the pattern
of hidden files. Our prototype synchronizes the MAC time
92702 VOLUME 11, 2023

11. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
to show a mapping relationship and randomly generates an
eight-letter name for simplicity. However, this result could
provide clues to attackers, such as identifying hidden files
based on the MAC time of link files or figuring out the name
pattern. Therefore, adjusting such details when implementing
our approach in the real world is necessary. In an enterprise
environment, separating hidden layers from the device can
be a viable option. While current remote file systems can be
affected by ransomware due to direct file access, separating
the layers using link files can prevent file damage through
infections on particular devices.
The proposed method can be combined with other mech-
anisms to complement each other’s limitations. For instance,
our method can be used in conjunction with decoy files or
behavior-based ransomware detection methods, which are
constantly studied to minimize file loss before detection [12].
By using the proposed method in combination with these
techniques, ransomware can be detected and blocked with-
out any loss of files during the execution process. Even if
ransomware is not detected or the monitoring process is
terminated before detection, the proposed method can be
used as a secondary line of defense. Furthermore, the pro-
posed approach can be additionally effective against double
extortion strategies because attackers cannot determine which
files are valuable. Attackers may steal all files including
system-related files for double extortion, which can be a
substantial burden in terms of size and time that increases
detection risk.
VII. CONCLUSION
This study proposes a novel defensive strategy against ran-
somware attacks, which adopts a hiding strategy for valuable
files, leveraging insights from the attacker’s perspective.
The strategy effectively obfuscates target files, making it
challenging for ransomware to locate and encrypt critical
information. The addition of an encrypted database and a
linker enhances the method, further reducing the attack sur-
face. While maintaining security, we have also considered
usability, which is often a determining factor in the success-
ful adoption of defensive mechanisms. Through experiments
with real-world ransomware samples, the proposed method
demonstrated effectiveness in protecting valuable files in a
cost-effective manner, suggesting its potential as a secondary
line of defense in scenarios where previous detection mech-
anisms might fail. We expect further improvements in areas
such as enhancing usability or real-world applications to be
addressed in future work. Our method can be effectively
combined with other mechanisms such as utilizing decoy files
or behavior-based ransomware detection to create a compre-
hensive and robust defense system.
REFERENCES
[1] Verizon Business. (2022). 2022 Data Breach Investigations Report.
Accessed: Apr. 3, 2023. [Online]. Available: https://www.verizon.
com/business/en-gb/resources/2022-data-breach-investigations-report-
dbir.pdf
[2] M. Paquet-Clouston, B. Haslhofer, and B. Dupont, ‘‘Ransomware pay-
ments in the Bitcoin ecosystem,’’ J. Cybersec., vol. 5, no. 1, pp. 1–11,
Jan. 2019, doi: 10.1093/cybsec/tyz003.
[3] S. Corbet and J. W. Goodell, ‘‘The reputational contagion effects of ran-
somware attacks,’’ Finance Res. Lett., vol. 47, Jun. 2022, Art. no. 102715,
doi: 10.1016/j.frl.2022.102715.
[4] P. O’Kane, S. Sezer, and D. Carlin, ‘‘Evolution of ransomware,’’ IET Netw.,
vol. 7, no. 5, pp. 321–327, Sep. 2018, doi: 10.1049/iet-net.2017.0207.
[5] A. A. M. A. Alwashali, N. A. A. Rahman, and N. Ismail, ‘‘A survey
of ransomware as a service (RaaS) and methods to mitigate the attack,’’
in Proc. 14th Int. Conf. Develop. eSyst. Eng. (DeSE), Sharjah, UAE,
Dec. 2021, pp. 92–96, doi: 10.1109/DeSE54285.2021.9719456.
[6] P. H. Meland, Y. F. F. Bayoumy, and G. Sindre, ‘‘The ransomware-as-a-
service economy within the darknet,’’ Comput. Secur., vol. 92, May 2020,
Art. no. 101762, doi: 10.1016/j.cose.2020.101762.
[7] H. Oz, A. Aris, A. Levi, and A. S. Uluagac, ‘‘A survey on ransomware:
Evolution, taxonomy, and defense solutions,’’ ACM Comput. Surv., vol. 54,
no. 11s, pp. 1–37, Sep. 2022, doi: 10.1145/3514229.
[8] Ö. A. Aslan and R. Samet, ‘‘A comprehensive review on malware
detection approaches,’’ IEEE Access, vol. 8, pp. 6249–6271, 2020, doi:
10.1109/ACCESS.2019.2963724.
[9] A. Moser, C. Kruegel, and E. Kirda, ‘‘Limits of static analysis for malware
detection,’’ in Proc. 23rd Annu. Comput. Secur. Appl. Conf. (ACSAC ),
Dec. 2007, pp. 421–430, doi: 10.1109/ACSAC.2007.21.
[10] Q. Chen and R. A. Bridges, ‘‘Automated behavioral analysis of malware: A
case study of WannaCry ransomware,’’ in Proc. 16th IEEE Int. Conf. Mach.
Learn. Appl. (ICMLA), Miami Beach, FL, USA, Dec. 2017, pp. 454–460,
doi: 10.1109/ICMLA.2017.0-119.
[11] A. Arabo, R. Dijoux, T. Poulain, and G. Chevalier, ‘‘Detecting ran-
somware using process behavior analysis,’’ Proc. Comput. Sci., vol. 168,
pp. 289–296, Jan. 2020, doi: 10.1016/j.procs.2020.02.249.
[12] G. O. Ganfure, C.-F. Wu, Y.-H. Chang, and W.-K. Shih, ‘‘RTrap:
Trapping and containing ransomware with machine learning,’’ IEEE
Trans. Inf. Forensics Security, vol. 18, pp. 1433–1448, 2023, doi:
10.1109/TIFS.2023.3240025.
[13] S. Poudyal and D. Dasgupta, ‘‘Analysis of crypto-ransomware using ML-
based multi-level profiling,’’ IEEE Access, vol. 9, pp. 122532–122547,
2021, doi: 10.1109/ACCESS.2021.3109260.
[14] S. Sheen, K. A. Asmitha, and S. Venkatesan, ‘‘R-Sentry:
Deception based ransomware detection using file access patterns,’’
Comput. Electr. Eng., vol. 103, Oct. 2022, Art. no. 108346, doi:
10.1016/j.compeleceng.2022.108346.
[15] Y. Lemmou, J. Lanet, and E. M. Souidi, ‘‘A behavioural in-depth analy-
sis of ransomware infection,’’ IET Inf. Secur., vol. 15, no. 1, pp. 38–58,
Jan. 2021, doi: 10.1049/ise2.12004.
[16] S. Sharma, R. Kumar, and C. R. Krishna, ‘‘RansomAnalysis: The evolu-
tion and investigation of Android ransomware,’’ in Proc. Int. Conf. IoT
Inclusive Life (ICIIL). Chandigarh, India: NITTTR, 2020, pp. 33–41, doi:
10.1007/978-981-15-3020-3_4.
[17] J. Yuste and S. Pastrana, ‘‘Avaddon ransomware: An in-depth analysis
and decryption of infected systems,’’ Comput. Secur., vol. 109, Oct. 2021,
Art. no. 102388, doi: 10.1016/j.cose.2021.102388.
[18] F. Björck, M. Henkel, J. Stirna, and J. Zdravkovic, ‘‘Cyber resilience—
Fundamentals for a definition,’’ in New Contributions in Information
Systems and Technologies, vol. 1. Cham, Switzerland: Springer, 2015,
pp. 311–316.
[19] A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, and E. Kirda, ‘‘UNVEIL:
A large-scale, automated approach to detecting ransomware,’’ in Proc. 25th
USENIX Secur. Symp. (USENIX Security). Austin, TX, USA: USENIX
Association, 2016, pp. 757–772.
[20] S. Poudyal, K. P. Subedi, and D. Dasgupta, ‘‘A framework for ana-
lyzing ransomware using machine learning,’’ in Proc. IEEE Symp. Ser.
Comput. Intell. (SSCI), Bengaluru, India, Nov. 2018, pp. 1692–1699, doi:
10.1109/SSCI.2018.8628743.
[21] E. B. Karbab, M. Debbabi, and A. Derhab, ‘‘SwiftR: Cross-platform
ransomware fingerprinting using hierarchical neural networks on hybrid
features,’’ Expert Syst. Appl., vol. 225, Sep. 2023, Art. no. 120017, doi:
10.1016/j.eswa.2023.120017.
[22] J. A. Gómez-Hernández, L. Álvarez-González, and P. García-Teodoro,
‘‘R-locker: Thwarting ransomware action through a honeyfile-based
approach,’’ Comput. Secur., vol. 73, pp. 389–398, Mar. 2018, doi:
10.1016/j.cose.2017.11.019.
VOLUME 11, 2023 92703

12. S. Lee et al.: Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy
[23] E. Kolodenker, W. Koch, G. Stringhini, and M. Egele, ‘‘PayBreak: Defense
against cryptographic ransomware,’’ in Proc. ACM Asia Conf. Com-
put. Commun. Secur., Abu Dhabi, UAE, Apr. 2017, pp. 599–611, doi:
10.1145/3052973.3053035.
[24] A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. Barenghi,
S. Zanero, and F. Maggi, ‘‘ShieldFS: A self-healing, ransomware-aware
filesystem,’’ in Proc. 32nd Annu. Conf. Comput. Secur. Appl., Los Angeles,
CA, USA, Dec. 2016, pp. 336–347, doi: 10.1145/2991079.2991110.
[25] J. Yun, J. Hur, Y. Shin, and D. Koo, ‘‘CLDSafe: An efficient
file backup system in cloud storage against ransomware,’’ IEICE
Trans. Inf. Syst., vol. E100.D, no. 9, pp. 2228–2231, 2017, doi:
10.1587/transinf.2017EDL8052.
[26] Q. Kerns, B. Payne, and T. Abegaz, ‘‘Double-extortion ransomware: A
technical analysis of maze ransomware,’’ in Proc. Future Technol. Conf.
(FTC), vol. 3, 2021, pp. 82–94, doi: 10.1007/978-3-030-89912-7_7.
[27] Microsoft. (2023). Protect Important Folders With Controlled
Folder Access. Accessed: Jun. 4, 2023. [Online]. Available: https://
learn.microsoft.com/en-us/microsoft-365/security/defender-
endpoint/controlled-folders?view=o365-worldwide
[28] J. Choi, J. Lee, G. Lee, J. Yu, and A. Park, ‘‘A defense mechanism against
attacks on files by hiding files,’’ J. Korea Soc. Ind. Inf. Syst., vol. 27, no. 2,
pp. 1–10, 2022, doi: 10.9723/jksiis.2022.27.2.001.
[29] S. Alzahrani, Y. Xiao, and W. Sun, ‘‘An analysis of conti ransomware
leaked source codes,’’ IEEE Access, vol. 10, pp. 100178–100193, 2022,
doi: 10.1109/ACCESS.2022.3207757.
[30] S. Lee, H. K. Kim, and K. Kim, ‘‘Ransomware protection using the moving
target defense perspective,’’ Comput. Electr. Eng., vol. 78, pp. 288–299,
Sep. 2019, doi: 10.1016/j.compeleceng.2019.07.014.
[31] M. M. Khan, M. F. Hyder, S. M. Khan, J. Arshad, and M. M. Khan, ‘‘Ran-
somware prevention using moving target defense based approach,’’ Con-
currency Comput., Pract. Exp., vol. 35, no. 7, Dec. 2022, Art. no. e7592,
doi: 10.1002/cpe.7592.
[32] I. Kara and M. Aydos, ‘‘The rise of ransomware: Forensic analysis for win-
dows based ransomware attacks,’’ Expert Syst. Appl., vol. 190, Mar. 2022,
Art. no. 116198, doi: 10.1016/j.eswa.2021.116198.
[33] A. Kapoor, A. Gupta, R. Gupta, S. Tanwar, G. Sharma, and I. E. Davidson,
‘‘Ransomware detection, avoidance, and mitigation scheme: A review and
future directions,’’ Sustainability, vol. 14, no. 1, p. 8, Dec. 2021, doi:
10.3390/su14010008.
[34] B. Yamany, M. S. Elsayed, A. D. Jurcut, N. Abdelbaki, and M. A. Azer,
‘‘A new scheme for ransomware classification and clustering using
static features,’’ Electronics, vol. 11, no. 20, p. 3307, Oct. 2022, doi:
10.3390/electronics11203307.
[35] D. J. Bernstein, ‘‘ChaCha, a variant of Salsa20,’’ in Proc. Workshop Rec.
SASC, Jan. 2008, vol. 8, no. 1, pp. 3–5.
[36] G. Hull, H. John, and B. Arief, ‘‘Ransomware deployment methods and
analysis: Views from a predictive model and human responses,’’ Crime
Sci., vol. 8, no. 1, pp. 1–22, Feb. 2019, doi: 10.1186/s40163-019-0097-9.
[37] N. Kshetri and J. Voas, ‘‘Ransomware as a business (RaaB),’’ IT Prof.,
vol. 24, no. 2, pp. 83–87, Mar. 2022, doi: 10.1109/MITP.2022.3157208.
[38] Microsoft. (2021). [MS-SHLLINK]: Shell Link (.LNK) Binary File Format.
Accessed: Apr. 3, 2023. [Online]. Available: https://learn.microsoft.
com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-
4d0c-a68d-bf1d6cc0f943
[39] Microsoft. (2023). Create Symbolic Links (Windows 10). Accessed:
Apr. 3, 2023. [Online]. Available: https://learn.microsoft.com/en-
us/windows/security/threat-protection/security-policy-settings/create-
symbolic-links
[40] C. E. Shannon, ‘‘Communication theory of secrecy systems,’’ Bell Syst.
Tech. J., vol. 28, no. 4, pp. 656–715, Oct. 1949, doi: 10.1002/j.1538-
7305.1949.tb00928.x.
SOOHAN LEE received the B.E. degree in cyber
defense and the M.S. degree in cybersecurity from
Korea University, in 2020 and 2023, respectively.
From 2020 to 2023, he was a Red Team Oper-
ator and a Cyber Training Instructor at ROK
Cyber Operations Command. He is currently a
Researcher with the Cyber Technology Center,
Agency for Defense Development (ADD). His
research interests include usable security, security
engineering, and red teaming.
SUHYEON LEE (Member, IEEE) received the
B.E. degree in cyber defense and the Ph.D. degree
in cybersecurity from Korea University. Currently,
he completed his military duty with honor as an
Army Captain in the Republic of Korea Army.
He was with ROK Cyber Operations Command
and Agency for Defense Development (ADD),
where he developed expertise in cybersecurity
practice. His research interests include blockchain
security and game theory.
JIWON PARK received the B.E. degree in cyber
defense from Korea University, in 2021, where he
is currently pursuing the Ph.D. degree with the
Department of Cyber Security. He is also a Red
Team Operator and a Cyber Training Instructor
with ROK Cyber Operations Command, focus-
ing primarily on research related to artificial
intelligence security.
KYOUNGMIN KIM received the B.E. degree in
cyber defense from Korea University, in 2019,
where is currently pursuing the Ph.D. degree with
the Department of Cyber Security. From 2019
to 2022, he was a Malware Researcher with ROK
Cyber Operations Command. Since 2022, he has
been a Cyber Specialized Officer with the Defense
Counterintelligence Command. His research inter-
ests include cyber threat intelligence, malware
analysis, and cyber warfare.
KYUNGHO LEE received the Ph.D. degree from
Korea University. He has been leading the Risk
Management Laboratory, Korea University, since
2012. He was a former CISO with Naver Corpora-
tion. He was a CIO, a CISO, and a CPO with Korea
University, where he is currently a Professor with
the Graduate School of Information Security.
92704 VOLUME 11, 2023