Aldin Vehabovic,Nasir Ghani,Elias Bou-Harb,Jorge Crichigno,Aysegul Yayimli

DOI: https://doi.org/10.1109/BlackSeaCom54372.2022.9858296

2023-04-10

Abstract:Ransomware uses encryption methods to make data inaccessible to legitimate users. To date a wide range of ransomware families have been developed and deployed, causing immense damage to governments, corporations, and private users. As these cyberthreats multiply, researchers have proposed a range of ransomware detection and classification schemes. Most of these methods use advanced machine learning techniques to process and analyze real-world ransomware binaries and action sequences. Hence this paper presents a survey of this critical space and classifies existing solutions into several categories, i.e., including network-based, host-based, forensic characterization, and authorship attribution. Key facilities and tools for ransomware analysis are also presented along with open challenges.

Cryptography and Security

Sana Aurangzeb,Haris Anwar,Muhammad Asif Naeem,Muhammad Aleem

DOI: https://doi.org/10.1007/s10586-022-03569-4

2022-03-15

Cluster Computing

Abstract:Ransomware is a subcategory of malware whose specific goal is to hold the victim's data by using encryption techniques until a ransom is paid. With mainstream usage of the Windows platform, Windows-based ransomware has become a great threat. With the rise of new malware categories and the huge volume of big data emerging, it has now become difficult to identify ransomware from benign applications. At the same time, ransomware detection and classification play a crucial role in computer security. Therefore, it is essential to analyze the behavior of ransomware samples to know their malicious nature that differs from clean applications. Due to the shortcomings of static analysis, we propose BigRC-EML for ransomware detection and classification based on several static and dynamic features. We use ensemble machine learning methods on big data to enhance the accuracy of the ransomware detection. Although, many machine learning models have been used in the detection of ransomware, yet, the evaluation of ensemble methods has not been investigated. Moreover, a new feature selection approach based on Principle Component Analysis (PCA) is presented to decrease the dimensions of the features. The datasets employed in the study comprised of two types: the first one is dynamic that comprises of 582 ransomware and 942 clean applications while the second one is hybrid that comprises of 500 applications. The classification models used are SVM, Random Forests, KNN, XGBoost, and Neural Network. Our experimental results show that Neural Network outperforms the other models and that BigRC-EML achieves an accuracy of 98% as well as can work under all types of data i.e. balanced, imbalanced, static, and dynamic. The experimental results successfully validate the effectiveness of the proposed approach by improving the classification accuracy of new ransomware.

Amnah Albin Ahmed,Afrah Shaahid,Fatima Alnasser,Shahad Alfaddagh,Shadha Binagag,Deemah Alqahtani

DOI: https://doi.org/10.3390/s24010189

2023-12-28

Abstract:In today's digitalized era, the usage of Android devices is being extensively witnessed in various sectors. Cybercriminals inevitably adapt to new security technologies and utilize these platforms to exploit vulnerabilities for nefarious purposes, such as stealing users' sensitive and personal data. This may result in financial losses, discredit, ransomware, or the spreading of infectious malware and other catastrophic cyber-attacks. Due to the fact that ransomware encrypts user data and requests a ransom payment in exchange for the decryption key, it is one of the most devastating types of malicious software. The implications of ransomware attacks can range from a loss of essential data to a disruption of business operations and significant monetary damage. Artificial intelligence (AI)-based techniques, namely machine learning (ML), have proven to be notable in the detection of Android ransomware attacks. However, ensemble models and deep learning (DL) models have not been sufficiently explored. Therefore, in this study, we utilized ML- and DL-based techniques to build efficient, precise, and robust models for binary classification. A publicly available dataset from Kaggle consisting of 392,035 records with benign traffic and 10 different types of Android ransomware attacks was used to train and test the models. Two experiments were carried out. In experiment 1, all the features of the dataset were used. In experiment 2, only the best 19 features were used. The deployed models included a decision tree (DT), support vector machine (SVM), k-nearest neighbor (KNN), ensemble of (DT, SVM, and KNN), feedforward neural network (FNN), and tabular attention network (TabNet). Overall, the experiments yielded excellent results. DT outperformed the others, with an accuracy of 97.24%, precision of 98.50%, and F1-score of 98.45%. Whereas, in terms of the highest recall, SVM achieved 100%. The acquired results were thoroughly discussed, in addition to addressing limitations and exploring potential directions for future work.

Malak Aljabri,Fahd Alhaidari,Aminah Albuainain,Samiyah Alrashidi,Jana Alansari,Wasmiyah Alqahtani,Jana Alshaya

DOI: https://doi.org/10.1016/j.eij.2024.100445

IF: 4.195

2024-01-31

Egyptian Informatics Journal

Abstract:Ransomware attacks have escalated recently and are affecting essential infrastructure and enterprises across the globe. Unfortunately, ransomware uses sophisticated encryption techniques to encrypt important files on the targeted machine and then demands payment to decrypt the data. Artificial intelligent techniques including machine learning have been increasingly applied in the field of cybersecurity and greatly contributed to detecting and preventing different kinds of attacks However, the number of studies that applied machine learning to detect ransomware are still limited by the obfuscation of malware, the lack of setting up a proper analysis environment, the accuracy of models, and the high false-positive rate. Thus, it is crucial to develop effective ransomware detection based on machine learning techniques. This study aims to build a robust machine-learning model that can recognize unknown samples using memory dumps to detect ransomware with high accuracy and minimal false positives providing an extensive analysis of how memory traces can assist in the detection of ransomware. This goal was achieved by building a new dataset composed of recent ransomware group attack samples like Revil, Lockbit, and BlackCat, as well as a number of benign samples, including office applications, Windows applications, and compression applications, which were dynamically analyzed within an enhanced cuckoo sandbox to ensure the most reliable results. Then, a set of machine learning models were developed, and a comparative performance analysis was conducted. Among the various models evaluated, XGBoost was the best-performing model, using only 47 features out of 58. It achieved 97.85% accuracy with a 2% false positive rate.

computer science, information systems, artificial intelligence

Arslan Ashraf,Abdul Aziz,Umme Zahoora,Muttukrishnan Rajarajan,Asifullah Khan

DOI: https://doi.org/10.48550/arXiv.1910.00286

2019-10-01

Cryptography and Security

Abstract:Detection and analysis of a potential malware specifically, used for ransom is a challenging task. Recently, intruders are utilizing advanced cryptographic techniques to get hold of digital assets and then demand a ransom. It is believed that generally, the files comprise of some attributes, states, and patterns that can be recognized by a machine learning technique. This work thus focuses on the detection of Ransomware by performing feature engineering, which helps in analyzing vital attributes and behaviors of the malware. The main contribution of this work is the identification of important and distinct characteristics of Ransomware that can help in detecting them. Finally, based on the selected features, both conventional machine learning techniques and Transfer Learning based Deep Convolutional Neural Networks have been used to detect Ransomware. In order to perform feature engineering and analysis, two separate datasets (static and dynamic) were generated. The static dataset has 3646 samples (1700 Ransomware and 1946 Goodware). On the other hand, the dynamic dataset comprised of 3444 samples (1455 Ransomware and 1989 Goodware). Through various experiments, it is observed that the Registry changes, API calls, and DLLs are the most important features for Ransomware detection. Additionally, important sequences are found with the help of the N-Gram technique. It is also observed that in the case of Registry Delete operation, if a malicious file tries to delete registries, it follows a specific and repeated sequence. However, for the benign file, it doesnt follow any specific sequence or repetition. Similarly, an interesting observation made through this study is that there is no common Registry deleted sequence between malicious and benign files. And thus this discernible fact can be readily exploited for Ransomware detection.

Augusto Parisot,Raphael C. S. Machado,L. Bento

DOI: https://doi.org/10.1109/MetroInd4.0IoT61288.2024.10584155

2024-05-29

Abstract:With the significant rise in ransomware attacks in recent years, these malwares have emerged as one of the top threats to global cybersecurity. This article introduces a dynamic methodology for ransomware classification, leveraging the advanced analysis capabilities of the Cuckoo Sandbox combined with widely used machine learning techniques. We constructed three novel datasets focusing on API calls, network interactions, and string information extracted from malware samples, applying the TF-IDF technique for essential feature extraction. The efficacy of six machine learning (ML) classification algorithms is evaluated, with the Random Forest and Support Vector Machine models standing out for their exceptional robustness and adaptability across various preprocessing scenarios.

Computer Science

Aldin Vehabovic,Hadi Zanddizari,Nasir Ghani,Farooq Shaikh,Elias Bou-Harb,Morteza Safaei Pour,Jorge Crichigno

DOI: https://doi.org/10.1109/NOMS56928.2023.10154378

2023-05-23

Abstract:Researchers have proposed a wide range of ransomware detection and analysis schemes. However, most of these efforts have focused on older families targeting Windows 7/8 systems. Hence there is a critical need to develop efficient solutions to tackle the latest threats, many of which may have relatively fewer samples to analyze. This paper presents a machine learning(ML) framework for early ransomware detection and attribution. The solution pursues a data-centric approach which uses a minimalist ransomware dataset and implements static analysis using portable executable(PE) files. Results for several ML classifiers confirm strong performance in terms of accuracy and zero-day threat detection.

Cryptography and Security

Omar Dib,Zhenghan Nan,Jinkua Liu

DOI: https://doi.org/10.1016/j.jksuci.2024.101925

IF: 9.006

2024-01-01

Journal of King Saud University - Computer and Information Sciences

Abstract:Ransomware presents a significant threat to the security and integrity of cryptocurrency transactions. This research paper explores the intricacies of ransomware detection in cryptocurrency transactions using the Bitcoinheist dataset. The dataset encompasses 28 distinct families classified into three ransomware categories: Princeton, Montreal, and Padua, along with a white category representing legitimate transactions. We propose a novel hybrid supervised and semi-supervised multistage machine learning framework to tackle this challenge. Our framework effectively classifies known ransomware families by leveraging ensemble learning techniques such as Decision Tree, Random Forest, XGBoost, and Stacking. Additionally, we introduce a novel semi-supervised approach to accurately identify previously unseen ransomware instances within the dataset. Through rigorous evaluation employing comprehensive classification metrics, including accuracy, precision, recall, F1 score, RoC score, and prediction time, our proposed approach demonstrates promising results in ransomware detection within cryptocurrency transactions.

computer science, information systems

Omar M. K. Alhawi,James Baldwin,Ali Dehghantanha

DOI: https://doi.org/10.48550/arXiv.1807.10440

2018-07-27

Cryptography and Security

Abstract:Ransomware has become a significant global threat with the ransomware-as-a-service model enabling easy availability and deployment, and the potential for high revenues creating a viable criminal business model. Individuals, private companies or public service providers e.g. healthcare or utilities companies can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed to specifically evade detection when using dynamic machine learning techniques. In this paper, we introduce NetConverse, a machine learning analysis of Windows ransomware network traffic to achieve a high, consistent detection rate. Using a dataset created from conversation-based network traffic features we achieved a true positive detection rate of 97.1% using the Decision Tree (J48) classifier.

Ali Mehrban,Shirin Karimi Geransayeh

2024-02-04

Abstract:In recent years, there has been a noticeable increase in cyberattacks using ransomware. Attackers use this malicious software to break into networks and harm computer systems. This has caused significant and lasting damage to various organizations, including government, private companies, and regular users. These attacks often lead to the loss or exposure of sensitive information, disruptions in normal operations, and persistent vulnerabilities. This paper focuses on a method for recognizing and identifying ransomware in computer networks. The approach relies on using machine learning algorithms and analyzing the patterns of network traffic. By collecting and studying this traffic, and then applying machine learning models, we can accurately identify and detect ransomware. The results of implementing this method show that machine learning algorithms can effectively pinpoint ransomware based on network traffic, achieving high levels of precision and accuracy.

Cryptography and Security,Machine Learning

Jamil Ispahany,Md. Rafiqul Islam,Md. Zahidul Islam,M. Arif Khan

DOI: https://doi.org/10.1109/access.2024.3397921

IF: 3.9

2024-05-22

IEEE Access

Abstract:Ransomware attacks are on the rise in terms of both frequency and impact. The shift to remote work due to the COVID-19 pandemic has led more people to work online, prompting companies to adapt quickly. Unfortunately, this increased online activity has provided cybercriminals numerous opportunities to carry out devastating attacks. One recent method employed by malicious actors involves infecting corporate networks with ransomware to extract millions of dollars in profits. Ransomware falls into the category of malware. It works by encrypting sensitive data and demanding payments from victims to receive the encryption keys necessary for decrypting their data. The prevalence of this type of attack has prompted governments and organisations worldwide to intensify their efforts to combat ransomware. In response, the research community has also focused on ransomware detection, leveraging technologies such as machine learning. Despite this increased attention, practical solutions for real-world applications remain scarce in the existing literature. Numerous surveys have explored literature within the domain. Still, there is a notable lack of emphasis on the design of ransomware detection systems and the practical aspects of detection, including real-time and early detection. Against this backdrop, our review delves into the existing literature on ransomware detection, specifically examining the machine-learning techniques, detection approaches, and designs employed. Finally, we highlight the limitations of prior studies and propose future research directions in this crucial area.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jaehyuk Lee,Jinseo Yun,Kyungroul Lee

DOI: https://doi.org/10.3390/electronics13061030

IF: 2.9

2024-03-10

Electronics

Abstract:Ransomware, which emerged in 1989, has evolved to the present in numerous variants and new forms. For this reason, serious damage caused by ransomware has occurred not only within our country but around the world, and, according to the analysis of ransomware trends, ransomware poses an ongoing and significant threat, with major damage expected to continue to occur in the future. To address this problem, various approaches to detect ransomware have been explored, with a recent focus on file entropy estimation methods. These methods exploit the characteristic increase in file entropy that is caused by ransomware encryption. In response, a method was developed to neutralize entropy-based ransomware detection technology by manipulating entropy using encoding methods from the attacker's perspective. Consequently, from the defender's standpoint, countermeasures are essential to minimize the damage caused by ransomware. Therefore, this article proposes a methodology that utilizes diverse machine learning models such as K-Nearest Neighbors (KNN), logistic regression, decision tree, random forest, gradient boosting, support vector machine (SVM), and multi-layer perception (MLP) to detect files infected with ransomware. The experimental results demonstrate empirically that files infected with ransomware can be detected with approximately 98% accuracy, and the results of this research are expected to provide valuable information for developing countermeasures against various ransomware detection technologies.

engineering, electrical & electronic,computer science, information systems,physics, applied

Juan A Herrera-Silva,Myriam Hernández-Álvarez

DOI: https://doi.org/10.3390/s23031053

2023-01-17

Abstract:Ransomware-related cyber-attacks have been on the rise over the last decade, disturbing organizations considerably. Developing new and better ways to detect this type of malware is necessary. This research applies dynamic analysis and machine learning to identify the ever-evolving ransomware signatures using selected dynamic features. Since most of the attributes are shared by diverse ransomware-affected samples, our study can be used for detecting current and even new variants of the threat. This research has the following objectives: (1) Execute experiments with encryptor and locker ransomware combined with goodware to generate JSON files with dynamic parameters using a sandbox. (2) Analyze and select the most relevant and non-redundant dynamic features for identifying encryptor and locker ransomware from goodware. (3) Generate and make public a dynamic features dataset that includes these selected parameters for samples of different artifacts. (4) Apply the dynamic feature dataset to obtain models with machine learning algorithms. Five platforms, 20 ransomware, and 20 goodware artifacts were evaluated. The final feature dataset is composed of 2000 registers of 50 characteristics each. This dataset allows for a machine learning detection with a 10-fold cross-evaluation with an average accuracy superior to 0.99 for gradient boosted regression trees, random forest, and neural networks.

Jinting Zhu,Julian Jang-Jaccard,Amardeep Singh,Ian Welch,Harith AI-Sahaf,Seyit Camtepe

DOI: https://doi.org/10.1016/j.cose.2022.102691

2022-06-01

Abstract:Ransomware defense solutions that can quickly detect and classify different ransomware classes to formulate rapid response plans have been in high demand in recent years. Though the applicability of adopting deep learning techniques to provide automation and self-learning provision has been proven in many application domains, the lack of data available for ransomware (and other malware) samples has been raised as a barrier to developing effective deep learning-based solutions. To address this concern, we propose a few-shot meta-learning based Siamese Neural Network that not only detects ransomware attacks but is able to classify them into different classes. Our proposed model utilizes the entropy feature directly obtained from ransomware binary files to retain more fine-grained features associated with different ransomware signatures. These entropy features are used further to train and optimize our model using a pre-trained network (e.g. VGG-16) in a meta-learning fashion. This approach generates more accurate weight factors, compared to feature images are used, to avoid the bias typically associated with a model trained with a limited number of training samples. Our experimental results show that our proposed model is highly effective in providing a weighted F1-score exceeding the rate >86% compared to other similar methods.

computer science, information systems

Erik Larsen,David Noever,Korey MacVittie

DOI: https://doi.org/10.48550/arXiv.2110.07636

2021-10-15

Abstract:A survey of machine learning techniques trained to detect ransomware is presented. This work builds upon the efforts of Taylor et al. in using sensor-based methods that utilize data collected from built-in instruments like CPU power and temperature monitors to identify encryption activity. Exploratory data analysis (EDA) shows the features most useful from this simulated data are clock speed, temperature, and CPU load. These features are used in training multiple algorithms to determine an optimal detection approach. Performance is evaluated with accuracy, F1 score, and false-negative rate metrics. The Multilayer Perceptron with three hidden layers achieves scores of 97% in accuracy and F1 and robust data preparation. A random forest model produces scores of 93% accuracy and 92% F1, showing that sensor-based detection is currently a viable option to detect even zero-day ransomware attacks before the code fully executes.

Machine Learning,Cryptography and Security

Rawshan Ara Mowri,Madhuri Siddula,Kaushik Roy

DOI: https://doi.org/10.48550/arXiv.2210.11235

2022-11-14

Abstract:Ransomware has appeared as one of the major global threats in recent days. The alarming increasing rate of ransomware attacks and new ransomware variants intrigue the researchers to constantly examine the distinguishing traits of ransomware and refine their detection strategies. Application Programming Interface (API) is a way for one program to collaborate with another; API calls are the medium by which they communicate. Ransomware uses this strategy to interact with the OS and makes a significantly higher number of calls in different sequences to ask for taking action. This research work utilizes the frequencies of different API calls to detect and classify ransomware families. First, a Web-Crawler is developed to automate collecting the Windows Portable Executable (PE) files of 15 different ransomware families. By extracting different frequencies of 68 API calls, we develop our dataset in the first phase of the two-phase feature engineering process. After selecting the most significant features in the second phase of the feature engineering process, we deploy six Supervised Machine Learning models: Na"ive Bayes, Logistic Regression, Random Forest, Stochastic Gradient Descent, K-Nearest Neighbor, and Support Vector Machine. Then, the performances of all the classifiers are compared to select the best model. The results reveal that Logistic Regression can efficiently classify ransomware into their corresponding families securing 99.15% overall accuracy. Finally, instead of relying on the 'Black box' characteristic of the Machine Learning models, we present the post-hoc analysis of our best-performing model using 'SHapley Additive exPlanations' or SHAP values to ascertain the transparency and trustworthiness of the model's prediction.

Cryptography and Security,Machine Learning

Hashida Haidros Rahima Manzil,S. Manohar Naik

DOI: https://doi.org/10.1007/s11416-023-00495-w

2023-08-23

Journal of Computer Virology and Hacking Techniques

Abstract:Ransomware is a serious cyberthreat for Android users, with devastating consequences for its victims. By locking or encrypting the targeted device, victims are often left unable to access their data, with attackers demanding payment in bitcoins in exchange for decryption. These attacks can occur across various sectors, including government, business, and health systems. Therefore, effective measures to mitigate this threat are critical. This paper proposes a novel hamming distance-based feature selection technique for detecting Android ransomware through static analysis. The detection approach involves four phases: feature extraction, binary feature vector generation, feature selection, and classification. A Python tool is used to automatically extract static features from Android applications, which are then processed for feature vector generation and selection. The effectiveness of the proposed technique is evaluated using various experiments, including machine learning and deep learning techniques. In addition, this article outlines a threat scenario of ransomware on the Android platform. The proposed system achieves a maximum detection accuracy of 99% with Random Forest and Decision Tree classifiers, surpassing state-of-the-art studies. Overall, the proposed technique offers an efficient solution for detecting Android ransomware, which could help prevent future attacks and reduce the impact of this serious cyberthreat.

Eduardo Berrueta,Daniel Morato,Eduardo Magaña,Mikel Izal

DOI: https://doi.org/10.48550/arXiv.2202.07583

2022-02-16

Abstract:Ransomware is considered as a significant threat for most enterprises since the past few years. In scenarios wherein users can access all files on a shared server, one infected host can lock the access to all shared files. We propose a tool to detect ransomware infection based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. The proposal is designed to work for clear text and for encrypted file-sharing protocols. We compare three machine learning models and choose the best for validation. We train and test the detection model using more than 70 ransomware binaries from 26 different strains and more than 2500 hours of not infected traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries, including those not used in training phase (unseen). This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected.

Cryptography and Security,Networking and Internet Architecture

Hanqi Zhang,Xi Xiao,Francesco Mercaldo,Shiguang Ni,Fabio Martinelli,Arun Kumar Sangaiah

DOI: https://doi.org/10.1016/j.future.2018.07.052

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Ransomware is a special type of malware that can lock victims’ screen and/or encrypt their files to obtain ransoms, resulting in great damage to users. Mapping ransomware into families is useful for identifying the variants of a known ransomware sample and for reducing analysts’ workload. However, ransomware that can fingerprint the environment can evade the precious work of dynamic analysis. To the best of our knowledge, to overcome this shortcoming, we are the first to propose an approach based on static analysis to classifying ransomware. First, opcode sequences from ransomware samples are transformed into N-gram sequences. Then, Term frequency-Inverse document frequency (TF-IDF) is calculated for each N-gram to select feature N-grams so that these N-grams exhibit better discrimination between families. Finally, we treat the vectors composed of the TF values of the feature N-grams as the feature vectors and subsequently feed them to five machine-learning methods to perform ransomware classification. Six evaluation criteria are employed to validate the model. Thorough experiments performed using real datasets demonstrate that our approach can achieve the best Accuracy of 91.43%. Furthermore, the average F1-measure of the “wannacry” ransomware family is up to 99%, and the Accuracy of binary classification is up to 99.3%. The proposed method can detect and classify ransomware that can fingerprint the environment. In addition, we discover that different feature dimensions are required for achieving similar classifier performance with feature N-grams of diverse lengths.

Peace Azugo,Hein Venter,Mike Wa Nkongolo

2024-04-19

Abstract:Cybersecurity faces challenges in identifying and mitigating ransomware, which is important for protecting critical infrastructures. The absence of datasets for distinguishing normal versus abnormal network behaviour hinders the development of proactive detection strategies against ransomware. An obstacle in proactive prevention methods is the absence of comprehensive datasets for contrasting normal versus abnormal network behaviours. The dataset enabling such contrasts would significantly expedite threat anomaly mitigation. In this study, we introduce UGRansome2024, an optimised dataset for ransomware detection in network traffic. This dataset is derived from the UGRansome data using an intuitionistic feature engineering approach that considers only relevant patterns in network behaviour analysis. The study presents an analysis of ransomware detection using the UGRansome2024 dataset and the Random Forest algorithm. Through encoding and feature relevance determination, the Random Forest achieved a classification accuracy of 96% and effectively identified unusual ransomware transactions. Findings indicate that certain ransomware variants, such as those utilising Encrypt Decrypt Algorithms (EDA) and Globe ransomware, have the highest financial impact. These insights have significant implications for real-world cybersecurity practices, highlighting the importance of machine learning in ransomware detection and mitigation. Further research is recommended to expand datasets, explore alternative detection methods, and address limitations in current approaches.

Cryptography and Security