Sibel Gulmez,Arzu Gorgulu Kakisim,Ibrahim Sogukpinar

DOI: https://doi.org/10.1016/j.cose.2024.103703

IF: 5.105

2024-01-10

Computers & Security

Abstract:Recently, the frequency and complexity of ransomware attacks have been increasing steadily, posing significant threats to individuals and organizations alike. While traditional signature-based antiransomware systems are effective in the detection of known threats, they struggle to identify new ransomware samples. To address this limitation, many researchers have focused on analyzing the behavior and actions of executables. During this dynamic analysis process, various dynamic-based features emerge, offering different perspectives on the executable's behavior, including Application Program Interface (API) call sequences, dynamic link libraries (DLLs), and mutual exclusions. Existing methods mostly perform machine or deep learning models for feature engineering and detection. These methods usually perform learning according to a single perspective or by combining data from different perspectives into the frequency domain. In this case, they may ignore the information from the other aspects or the sequence relationship between the features. In addition, learning models used in these solutions are mostly incomprehensible to humans, which could be an obstacle in terms of having an insight through the model's mentality and also ransomware's way of work. In this study, we provide XRan (eXplainable deep learning-based RANsomware detection using dynamic analysis), an Explainable Artificial Intelligence (XAI) supported ransomware detection system that combines different dynamic analysis-based sequences, each representing a different view of the executable, in order to enrich the feature space. XRan employs a Convolutional Neural Network (CNN) architecture to detect ransomware and two XAI models as Interpretable Model-Agnostic Explanations (LIME), and SHapley Additive exPlanations (SHAP) to provide local and global explanations for detection. Experimental results demonstrate that XRan provides up to 99.4% True Positive Rate (TPR), and outperforms the state-of-the-art methods.

computer science, information systems

Boyang Ma,Yilin Yang,Jinku Li,Fengwei Zhang,Wenbo Shen,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1145/3576915.3616665

2023-01-01

Abstract:Ransomware has evolved from an economic nuisance to a national security threat nowadays, which poses a significant risk to users. To address this problem, we propose RansomTag, a tag-based approach against crypto ransomware with fine-grained data recovery. Compared to state-of-the-art SSD-based solutions, RansomTag makes progress in three aspects. First, it decouples the ransomware detection functionality from the firmware of the SSD and integrates it into a lightweight hypervisor of Type I. Thus, it can leverage the powerful computing capability of the host system and the rich context information, which is introspected from the operating system, to achieve accurate detection of ransomware attacks and defense against potential targeted attacks on SSD characteristics. Further, RansomTag is readily deployed onto desktop personal computers due to its parapass-through architecture. Second, RansomTag bridges the semantic gap between the hypervisor and the SSD through the tag-based approach proposed by us. Third, RansomTag is able to keep 100% of the user data overwritten or deleted by ransomware, and restore any single or multiple user files to any versions based on timestamps. To validate our approach, we implement a prototype of RansomTag and collect 3,123 recent ransomware samples to evaluate it. The evaluation results show that our prototype effectively protects user data with minimal scale data backup and acceptable performance overhead. In addition, all the attacked files can be completely restored in fine-grained.

Juan A Herrera-Silva,Myriam Hernández-Álvarez

DOI: https://doi.org/10.3390/s23031053

2023-01-17

Abstract:Ransomware-related cyber-attacks have been on the rise over the last decade, disturbing organizations considerably. Developing new and better ways to detect this type of malware is necessary. This research applies dynamic analysis and machine learning to identify the ever-evolving ransomware signatures using selected dynamic features. Since most of the attributes are shared by diverse ransomware-affected samples, our study can be used for detecting current and even new variants of the threat. This research has the following objectives: (1) Execute experiments with encryptor and locker ransomware combined with goodware to generate JSON files with dynamic parameters using a sandbox. (2) Analyze and select the most relevant and non-redundant dynamic features for identifying encryptor and locker ransomware from goodware. (3) Generate and make public a dynamic features dataset that includes these selected parameters for samples of different artifacts. (4) Apply the dynamic feature dataset to obtain models with machine learning algorithms. Five platforms, 20 ransomware, and 20 goodware artifacts were evaluated. The final feature dataset is composed of 2000 registers of 50 characteristics each. This dataset allows for a machine learning detection with a 10-fold cross-evaluation with an average accuracy superior to 0.99 for gradient boosted regression trees, random forest, and neural networks.

Caio C. Moreira,Davi C. Moreira,Claudomiro Sales

DOI: https://doi.org/10.1016/j.jisa.2024.103716

IF: 4.96

2024-02-10

Journal of Information Security and Applications

Abstract:This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.

computer science, information systems

Zi-hao XIANG,Wei-dong QIU

DOI: https://doi.org/10.13274/j.cnki.hdzj.2018.05.019

2018-01-01

Abstract:Ransomware is a kind of malware that locks the desktop,limits user access,or encrypts,overwrites,and deletes user files for ransom.Although the concept of ransomware dates back to the 1980s,this malware has attracted widespread attention in recent years.By the end of 2016,more than 9000000 ransomware samples were found.Compared to 2015,the number of new ransomware nearly doubled,and the total ransom jumped from $ 24 million in 2015 to $1 billion now.Although many generic malware detection methods are proposed,none has attempted to detect ransomware.This paper presents a method to detect this kind of malware based on machine learning.Through real-time monitoring of program operation,features are extracted from API call and registry operation.Then the supervised learning method is used to classify and detect the samples of the ransomware and the normal software.

Jan von der Assen,Alberto Huertas Celdrán,Janik Luechinger,Pedro Miguel Sánchez Sánchez,Gérôme Bovet,Gregorio Martínez Pérez,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2306.15559

2023-06-27

Abstract:Cybersecurity solutions have shown promising performance when detecting ransomware samples that use fixed algorithms and encryption rates. However, due to the current explosion of Artificial Intelligence (AI), sooner than later, ransomware (and malware in general) will incorporate AI techniques to intelligently and dynamically adapt its encryption behavior to be undetected. It might result in ineffective and obsolete cybersecurity solutions, but the literature lacks AI-powered ransomware to verify it. Thus, this work proposes RansomAI, a Reinforcement Learning-based framework that can be integrated into existing ransomware samples to adapt their encryption behavior and stay stealthy while encrypting files. RansomAI presents an agent that learns the best encryption algorithm, rate, and duration that minimizes its detection (using a reward mechanism and a fingerprinting intelligent detection system) while maximizing its damage function. The proposed framework was validated in a ransomware, Ransomware-PoC, that infected a Raspberry Pi 4, acting as a crowdsensor. A pool of experiments with Deep Q-Learning and Isolation Forest (deployed on the agent and detection system, respectively) has demonstrated that RansomAI evades the detection of Ransomware-PoC affecting the Raspberry Pi 4 in a few minutes with >90% accuracy.

Cryptography and Security,Artificial Intelligence,Machine Learning

Aldin Vehabovic,Nasir Ghani,Elias Bou-Harb,Jorge Crichigno,Aysegul Yayimli

DOI: https://doi.org/10.1109/BlackSeaCom54372.2022.9858296

2023-04-10

Abstract:Ransomware uses encryption methods to make data inaccessible to legitimate users. To date a wide range of ransomware families have been developed and deployed, causing immense damage to governments, corporations, and private users. As these cyberthreats multiply, researchers have proposed a range of ransomware detection and classification schemes. Most of these methods use advanced machine learning techniques to process and analyze real-world ransomware binaries and action sequences. Hence this paper presents a survey of this critical space and classifies existing solutions into several categories, i.e., including network-based, host-based, forensic characterization, and authorship attribution. Key facilities and tools for ransomware analysis are also presented along with open challenges.

Cryptography and Security

Augusto Parisot,Raphael C. S. Machado,L. Bento

DOI: https://doi.org/10.1109/MetroInd4.0IoT61288.2024.10584155

2024-05-29

Abstract:With the significant rise in ransomware attacks in recent years, these malwares have emerged as one of the top threats to global cybersecurity. This article introduces a dynamic methodology for ransomware classification, leveraging the advanced analysis capabilities of the Cuckoo Sandbox combined with widely used machine learning techniques. We constructed three novel datasets focusing on API calls, network interactions, and string information extracted from malware samples, applying the TF-IDF technique for essential feature extraction. The efficacy of six machine learning (ML) classification algorithms is evaluated, with the Random Forest and Support Vector Machine models standing out for their exceptional robustness and adaptability across various preprocessing scenarios.

Computer Science

Eduardo Berrueta,Daniel Morato,Eduardo Magaña,Mikel Izal

DOI: https://doi.org/10.48550/arXiv.2202.07583

2022-02-16

Abstract:Ransomware is considered as a significant threat for most enterprises since the past few years. In scenarios wherein users can access all files on a shared server, one infected host can lock the access to all shared files. We propose a tool to detect ransomware infection based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. The proposal is designed to work for clear text and for encrypted file-sharing protocols. We compare three machine learning models and choose the best for validation. We train and test the detection model using more than 70 ransomware binaries from 26 different strains and more than 2500 hours of not infected traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries, including those not used in training phase (unseen). This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected.

Cryptography and Security,Networking and Internet Architecture

Malak Aljabri,Fahd Alhaidari,Aminah Albuainain,Samiyah Alrashidi,Jana Alansari,Wasmiyah Alqahtani,Jana Alshaya

DOI: https://doi.org/10.1016/j.eij.2024.100445

IF: 4.195

2024-01-31

Egyptian Informatics Journal

Abstract:Ransomware attacks have escalated recently and are affecting essential infrastructure and enterprises across the globe. Unfortunately, ransomware uses sophisticated encryption techniques to encrypt important files on the targeted machine and then demands payment to decrypt the data. Artificial intelligent techniques including machine learning have been increasingly applied in the field of cybersecurity and greatly contributed to detecting and preventing different kinds of attacks However, the number of studies that applied machine learning to detect ransomware are still limited by the obfuscation of malware, the lack of setting up a proper analysis environment, the accuracy of models, and the high false-positive rate. Thus, it is crucial to develop effective ransomware detection based on machine learning techniques. This study aims to build a robust machine-learning model that can recognize unknown samples using memory dumps to detect ransomware with high accuracy and minimal false positives providing an extensive analysis of how memory traces can assist in the detection of ransomware. This goal was achieved by building a new dataset composed of recent ransomware group attack samples like Revil, Lockbit, and BlackCat, as well as a number of benign samples, including office applications, Windows applications, and compression applications, which were dynamically analyzed within an enhanced cuckoo sandbox to ensure the most reliable results. Then, a set of machine learning models were developed, and a comparative performance analysis was conducted. Among the various models evaluated, XGBoost was the best-performing model, using only 47 features out of 58. It achieved 97.85% accuracy with a 2% false positive rate.

computer science, information systems, artificial intelligence

Wenjia Song,Sanjula Karanam,Ya Xiao,Jingyuan Qi,Nathan Dautenhahn,Na Meng,Elena Ferrari,Danfeng

2024-11-19

Abstract:Crypto-ransomware has caused an unprecedented scope of impact in recent years with an evolving level of sophistication. An extensive range of studies have been on defending against ransomware and reviewing the efficacy of various protections. However, for practical defenses, deployability holds equal significance as detection accuracy. Therefore, in this study, we review 117 published ransomware defense works, categorize them by the level they are implemented at, and discuss the deployability. API-based solutions are easy to deploy and most existing works focus on machine learning-based classification. To provide more insights, we quantitively characterize the runtime behaviors of real-world ransomware samples. Based on our experimental findings, we present a possible future detection direction with our consistency analysis and API-contrast-based refinement. Moreover, we experimentally evaluate various commercial defenses and identify the security gaps. Our findings help the field understand the deployability of ransomware defenses and create more effective, practical solutions.

Cryptography and Security

Aldin Vehabovic,Hadi Zanddizari,Nasir Ghani,Farooq Shaikh,Elias Bou-Harb,Morteza Safaei Pour,Jorge Crichigno

DOI: https://doi.org/10.1109/NOMS56928.2023.10154378

2023-05-23

Abstract:Researchers have proposed a wide range of ransomware detection and analysis schemes. However, most of these efforts have focused on older families targeting Windows 7/8 systems. Hence there is a critical need to develop efficient solutions to tackle the latest threats, many of which may have relatively fewer samples to analyze. This paper presents a machine learning(ML) framework for early ransomware detection and attribution. The solution pursues a data-centric approach which uses a minimalist ransomware dataset and implements static analysis using portable executable(PE) files. Results for several ML classifiers confirm strong performance in terms of accuracy and zero-day threat detection.

Cryptography and Security

Chijin Zhou,Lihua Guo,Yiwei Hou,Zhenya Ma,Quan Zhang,Mingzhe Wang,Zhe Liu,Yu Jiang

DOI: https://doi.org/10.1109/SP46215.2023.10179372

2023-01-01

Abstract:By encrypting the data of infected hosts, cryptographic ransomware has caused billions of dollars in financial losses to a wide range of victims. Many detection techniques have been proposed to counter ransomware threats over the past decade. Their common approach is to monitor I/O behaviors from user space and apply custom heuristics to discriminate ransomware. These techniques implicitly assume that ransomware behaves very differently from benign programs in terms of heuristics. However, when we investigated the behavior of benign and ransomware programs, we found that the boundary between their behaviors was blurred. A ransomware program can still achieve its goal even though it follows the behavior patterns of benign programs. In this paper, we aim to explore the limits of ransomware detection techniques that based on I/O behaviors. To this end, we present ANIMAGUS, an imitation-based ransomware attack that imitates behaviors of benign programs to disguise its encryption tasks. It first learns behavior patterns from a benign program, and then spawns and orchestrates child processes to perform encryption tasks behaving the same as the benign program. We evaluate its effectiveness against six state-of-the-art detection techniques, and the results show that it can successfully evade these defenses. We investigate in detail why they are ineffective and how ANIMAGUS is different from existing ransomware samples. In the end, we discuss potential countermeasures and the benefits that detection tools can gain from our work.

Yiwei Hou,Lihua Guo,Chijin Zhou,Yiwen Xu,Zijing Yin,Shanshan Li,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1145/3597503.3639090

2024-01-01

Abstract:The threat of ransomware to the software ecosystem has become increasingly alarming in recent years, raising a demand for large-scale and comprehensive ransomware analysis to help develop more effective countermeasures against unknown attacks. In this paper, we first collect a real-world dataset Maraudermap, consisting of 7,796 active ransomware samples, and analyze their behaviors of disrupting data in victim systems. All samples are executed in iso-lated testbeds to collect all perspectives of six categories of runtime behaviors, such as API calls, I/O accesses, and network traffic. The total logs volume is up to 1.98 TiB. By assessing collected behaviors, we present six critical findings throughout ransomware attacks' data reconnaissance, data tampering, and data exfiltration phases. Based on our findings, we propose three corresponding mitigation strategies to detect ransomware during each phase. Experimental results show that they can enhance the capability of state-of-the-art anti-ransomware tools. We report a preliminary result of a 41%-69% increase in detection rate with no additional false positives, showing that our insights are helpful.

R. Davies Simon,Macfarlane Richard,J. Buchanan William,Simon R. Davies,Richard Macfarlane,William J. Buchanan

DOI: https://doi.org/10.4236/jis.2023.144016

2023-01-01

Journal of Information Security

Abstract:Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing dynamic landscape of ransomware detection. In the majority of cases, these described systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on calculations using algorithmic rather than heuristic techniques. The paper describes 23 candidate tests, as well as 9 Windows API tests which are validated to determine both their accuracy and viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as the immunity to the occasional inaccuracy of individual tests when making its final classification. The system can also leverage multiple tests that can be both comprehensive and complimentary in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests also significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection. The results achieved by this research demonstrate that many of the proposed tests achieved a high degree of accuracy in differentiating between benign and malicious targets and suggestions are offered as to how these tests, and combinations of tests, could be adapted to further improve the detection accuracy.

Adrian Brodzik,Tomasz Malec-Kruszyński,Wojciech Niewolski,Mikołaj Tkaczyk,Krzysztof Bocianiak,Sok-Yen Loui

2024-09-10

Abstract:Linux-based cloud environments have become lucrative targets for ransomware attacks, employing various encryption schemes at unprecedented speeds. Addressing the urgency for real-time ransomware protection, we propose leveraging the extended Berkeley Packet Filter (eBPF) to collect system call information regarding active processes and infer about the data directly at the kernel level. In this study, we implement two Machine Learning (ML) models in eBPF - a decision tree and a multilayer perceptron. Benchmarking latency and accuracy against their user space counterparts, our findings underscore the efficacy of this approach.

Cryptography and Security,Machine Learning

Simon R Davies,Richard Macfarlane,William J Buchanan

2023-05-30

Abstract:Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing dynamic landscape of ransomware detection. In the majority of cases, these described systems propose a method based on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection by developing a method that uses a cumulative score derived from discrete tests based on calculations using algorithmic rather than heuristic techniques. The paper describes 23 candidate tests, as well as 9 Windows API tests which are validated to determine both their accuracy and viability for use within a ransomware detection system. Using a cumulative score calculation approach to ransomware detection has several benefits, such as the immunity to the occasional inaccuracy of individual tests when making its final classification. The system can also leverage multiple tests that can be both comprehensive and complimentary in an attempt to achieve a broader, deeper, and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests also significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection.

Cryptography and Security

Iman Almomani,Aala Alkhayer,Walid El-Shafai

DOI: https://doi.org/10.3390/s23094467

2023-05-04

Abstract:Nowadays, ransomware is considered one of the most critical cyber-malware categories. In recent years various malware detection and classification approaches have been proposed to analyze and explore malicious software precisely. Malware originators implement innovative techniques to bypass existing security solutions. This paper introduces an efficient End-to-End Ransomware Detection System (E2E-RDS) that comprehensively utilizes existing Ransomware Detection (RD) approaches. E2E-RDS considers reverse engineering the ransomware code to parse its features and extract the important ones for prediction purposes, as in the case of static-based RD. Moreover, E2E-RDS can keep the ransomware in its executable format, convert it to an image, and then analyze it, as in the case of vision-based RD. In the static-based RD approach, the extracted features are forwarded to eight various ML models to test their detection efficiency. In the vision-based RD approach, the binary executable files of the benign and ransomware apps are converted into a 2D visual (color and gray) images. Then, these images are forwarded to 19 different Convolutional Neural Network (CNN) models while exploiting the substantial advantages of Fine-Tuning (FT) and Transfer Learning (TL) processes to differentiate ransomware apps from benign apps. The main benefit of the vision-based approach is that it can efficiently detect and identify ransomware with high accuracy without using data augmentation or complicated feature extraction processes. Extensive simulations and performance analyses using various evaluation metrics for the proposed E2E-RDS were investigated using a newly collected balanced dataset that composes 500 benign and 500 ransomware apps. The obtained outcomes demonstrate that the static-based RD approach using the AB (Ada Boost) model achieved high classification accuracy compared to other examined ML models, which reached 97%. While the vision-based RD approach achieved high classification accuracy, reaching 99.5% for the FT ResNet50 CNN model. It is declared that the vision-based RD approach is more cost-effective, powerful, and efficient in detecting ransomware than the static-based RD approach by avoiding feature engineering processes. Overall, E2E-RDS is a versatile solution for end-to-end ransomware detection that has proven its high efficiency from computational and accuracy perspectives, making it a promising solution for real-time ransomware detection in various systems.

Gavin Hull,Henna John,Budi Arief

DOI: https://doi.org/10.1186/s40163-019-0097-9

2019-02-12

Crime Science

Abstract:Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staff at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response.

Hsiao-Chung Lin,Ping Wang,Wen-Hui Lin,Yu-Hsiang Lin,Yi-Sian Yu,Jing-Huei Dai

DOI: https://doi.org/10.1109/icasi60819.2024.10547899

2024-01-01

Abstract:The prevalence of malicious software (Malware) in recent years has led to many major information security incidents. Tens of millions of computers around the world are infected by malware and cause significant losses to individuals and businesses. RaaS (Ransomware-as-a-Service) is a new type of cybercrime model. Ransomware has caused losses exceeding billions of dollars every year, making it a major threat to network security. Due to the diversity of ransomware, it is difficult to extract features from ransomware, which make ransomware detection not conductive to the application of AI technology. Ransomware detection can get help from graph neural network (GNN) to learn the characteristics of ransomware. In this research, the graph convolutional network (GCN) and graph attention network (GAT) are employed for malware detection, and compare their performance with each other. Cuckoo Sandbox is deployed to log malicious behaviors generated by ransomware, and the JSON report generated by Cuckoo Sandbox is employed to extract API call sequences for ransomware detection. To evaluate the effectiveness of GCN-based and GAT-based model, the modes are evaluated with ransomware samples downloaded from Malware Bazaar Database and examined with accuracy, precision, recall and ROC curve. Experimental results show that the GCN-based and GAT-based models can detect ransomware effectively. The GCN-based model reaches better results than the GAT-based model.