Ransomware continues to pose a significant threat to user data, often rendering files irrecoverable even after a ransomware infection has been identified. Existing solutions primarily focus on detection or recovery through backups, which are reactive and often insufficient against advanced threats. This paper presents ShadowCrypt, a proactive defense system that protects sensitive files by rendering them invisible to ransomware. Rather than relying on signature-based detection or behavioral heuristics, ShadowCrypt utilizes a novel combination of file redirection, extension obfuscation, metadata encryption, and shortcut-based access to make files undiscoverable and unmodifiable. Once protected, files are relocated to system-reserved, non-indexed directories, renamed with benign extensions, and replaced with hashed shortcuts that enable seamless user access without revealing the actual location or identity of the data. The system maintains integrity and usability through a secure encrypted database and offers a resilient recovery framework—even in the aftermath of ransomware attacks that delete access points. To address usability limitations inherent in shortcut-based architectures, ShadowCrypt introduces a clipboard monitoring mechanism that allows users to securely copy and paste protected files, enabling true duplication without compromising security. Experimental results demonstrate negligible performance overhead and high reliability across a range of attack scenarios. ShadowCrypt effectively bridges the gap between robust protection and practical usability, positioning itself as a forward-thinking model for future ransomware-resilient systems.
Introduction
Overview:
ShadowCrypt is a proactive, usability-driven defense system designed to protect sensitive files from ransomware by making them invisible, rather than relying on detection or post-infection recovery. It moves and disguises files using system-reserved directories and ignored extensions (.dll, .exe), making them undetectable to ransomware.
Key Contributions:
Proactive File Concealment:
Files are hidden in system-safe, non-indexed directories.
Renamed with random hashes and assigned ignored extensions.
Metadata is encrypted using AES-256 and stored securely.
Seamless User Access:
Original files are replaced with .lnk (shortcut) files.
Shortcuts point to a secure launcher that resolves hashes to hidden paths.
Files open normally with their associated applications.
Robust Recovery Mechanism:
Supports recovery via shortcut or encrypted metadata.
Automatically redirects recovery to a secure backup folder if ransomware activity is detected.
Includes heuristics for detecting ransomware-compromised environments.
Clipboard-Integrated Copy-Paste:
Enables secure duplication of hidden files using standard shortcuts (Ctrl+C, Ctrl+V).
Background service intercepts clipboard operations to manage secure copies.
Comparative Literature Insights:
Existing Approaches:
Behavioral detection (ML, static/dynamic analysis) is probabilistic and prone to false positives.
Moving target defenses and honey files focus on disruption or baiting but are still reactive.
Hardware-based and network-isolated systems are effective but impractical for everyday users.
ShadowCrypt’s Advantage:
Avoids reliance on attack signatures or behavior modeling.
Doesn’t expose or engage with ransomware—files remain hidden.
Offers user-centric design with GUI, context menus, and recovery flexibility.
Architecture Components:
Initialization Phase:
User sets a password to derive AES encryption key.
Generates encrypted mapping and hash tables.
File Concealment:
Files are renamed, moved, and obfuscated.
Mapping and hash entries are created and encrypted.
Shortcut Launcher:
The shortcut passes its hash to the launcher script, which decrypts the mapping to locate the hidden file.
File opened with proper application; true path stays hidden.
Recovery System:
Supports file-by-file or bulk restoration.
Heuristic-driven to detect ransomware signs and adjust behavior accordingly.
Clipboard monitoring ensures secure metadata reuse with expiry controls.
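The four architecture phases above (initialization, concealment, shortcut launcher, recovery) and the clipboard-driven duplication feature described under Key Contributions, worked through in one added illustration. This is not code from the ShadowCrypt paper. Its assumptions: the hidden and backup locations are ordinary directories passed in by the caller rather than system-reserved folders; the Windows .lnk shortcut is stood in for by a small text file holding the hash (a real shortcut would carry the launcher path with the hash as its argument); and because only the Python standard library is assumed, the metadata database is sealed with a SHA-256 counter-mode keystream plus HMAC-SHA256 in place of the paper's AES-256, with the key still derived from the user's password (PBKDF2). The integrity-check-then-fall-back-to-backup logic in `resolve` is one possible reading of the paper's "redirect recovery to a secure backup folder" heuristic, not its actual rule.

```python
# Added example, not ShadowCrypt's own code. Assumed names: Vault, seal, open_sealed.
import hashlib
import hmac
import json
import secrets
import shutil
import tempfile
from pathlib import Path

BENIGN_EXT = ".dll"          # paper: hidden files get an ignored extension such as .dll or .exe
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key (PBKDF2-HMAC-SHA256 assumed; the paper derives an AES-256 key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hashlib.sha256(purpose + key).digest()     # separate encryption and MAC keys


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES: SHA-256 in counter mode. Use AES-GCM from a real library in practice.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the mapping database: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):        # wrong password or tampered database
        raise ValueError("mapping database rejected")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class Vault:
    def __init__(self, hidden_dir, backup_dir, password):
        self.hidden, self.backup = Path(hidden_dir), Path(backup_dir)
        for d in (self.hidden, self.backup):
            d.mkdir(parents=True, exist_ok=True)
        salt_file = self.hidden / "salt.bin"          # initialization phase: salt + password -> key
        if not salt_file.exists():
            salt_file.write_bytes(secrets.token_bytes(16))
        self.key = derive_key(password, salt_file.read_bytes())
        self.db = self.hidden / "mapping.db"
        self.mapping = json.loads(open_sealed(self.key, self.db.read_bytes())) if self.db.exists() else {}

    def _save(self):
        self.db.write_bytes(seal(self.key, json.dumps(self.mapping).encode()))

    def _place(self, src: Path, orig: Path) -> Path:
        """Store a copy under a random hash name + benign extension, record it, return the shortcut."""
        h = secrets.token_hex(16)
        dest = self.hidden / (h + BENIGN_EXT)
        shutil.copy2(src, dest)
        shutil.copy2(dest, self.backup / dest.name)  # second copy used if the hidden one is lost
        self.mapping[h] = {"orig": str(orig), "sha256": _digest(dest)}
        self._save()
        link = orig.with_name(orig.name + ".lnk")
        link.write_text(h)                            # text stand-in for the real .lnk shortcut
        return link

    def conceal(self, path) -> Path:
        """File concealment: the original leaves the user-visible tree; only a shortcut remains."""
        src = Path(path)
        link = self._place(src, src)
        src.unlink()
        return link

    def resolve(self, link) -> Path:
        """Launcher step: shortcut hash -> hidden path; fall back to backup if the hidden copy is damaged."""
        h = Path(link).read_text().strip()
        hidden = self.hidden / (h + BENIGN_EXT)
        if hidden.exists() and _digest(hidden) == self.mapping[h]["sha256"]:
            return hidden
        return self.backup / hidden.name              # assumed heuristic: missing/modified => compromised

    def recover(self, link) -> Path:
        """Recovery: rebuild the original file at its original path."""
        orig = Path(self.mapping[Path(link).read_text().strip()]["orig"])
        shutil.copy2(self.resolve(link), orig)
        return orig

    def duplicate(self, link, new_name) -> Path:
        """Clipboard copy: a fresh hidden copy under a new hash plus a new shortcut."""
        return self._place(self.resolve(link), Path(link).parent / new_name)


def demo() -> dict:
    """Run the whole flow on a constructed file in a temp directory and return what was observed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        doc = root / "user" / "report.docx"
        doc.parent.mkdir()
        doc.write_bytes(b"constructed sample document")
        v = Vault(root / "hidden", root / "backup", "correct horse")
        link = v.conceal(doc)
        hidden = v.resolve(link)
        out = {"orig_gone": not doc.exists(), "hidden_ext": hidden.suffix,
               "hidden_in_vault": hidden.parent == root / "hidden"}
        hidden.write_bytes(b"ENCRYPTED BY RANSOMWARE")  # simulate damage to the hidden copy
        out["fallback_to_backup"] = v.resolve(link).parent == root / "backup"
        out["recovered"] = v.recover(link).read_bytes() == b"constructed sample document"
        copy_link = v.duplicate(link, "report-copy.docx")
        out["copy_ok"] = v.resolve(copy_link).read_bytes() == b"constructed sample document"
        try:
            Vault(root / "hidden", root / "backup", "wrong password")
            out["wrong_pw_rejected"] = False
        except ValueError:
            out["wrong_pw_rejected"] = True
        return out


if __name__ == "__main__":
    print(demo())
```

The two points the code makes that the outline leaves implicit: the mapping database must be authenticated as well as encrypted, otherwise a wrong password or a tampered database silently yields garbage paths; and the launcher should verify the hidden copy before handing it to the user's application, since a hidden file that ransomware did find and encrypt would otherwise be opened as if intact.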
Conclusion
In this work, we proposed a preemptive and usability-aware solution to defend against ransomware by removing sensitive files from the attack surface altogether. Instead of relying on traditional detection, backup, or access control mechanisms, our system camouflages user files within system-reserved directories, renames them with benign extensions, and securely maps them using encrypted metadata. Access is restored seamlessly through dynamically generated shortcut files that reference hidden paths using hash-based redirection. By encrypting internal configurations and maintaining the integrity of file mappings, the system ensures both confidentiality and resilience even in the event of active ransomware presence or link file corruption.
To enhance practicality, ShadowCrypt incorporates a clipboard-driven duplication feature, allowing users to securely copy and paste protected files via familiar interactions such as Ctrl+C and Ctrl+V. A background monitoring service intercepts and validates link-based copy operations, securely duplicates the hidden file, and generates a new functional shortcut without compromising metadata or access controls. Performance metrics demonstrate that this functionality introduces negligible overhead, preserving system responsiveness. Overall, the proposed approach demonstrates that strong ransomware defense need not come at the cost of usability—security can be embedded invisibly into everyday workflows while maintaining proactive resilience and full data recoverability.