Abstract

Ransomware is considered one of the most threatening cyberattacks. Existing solutions have focused mainly on discriminating ransomware by analyzing the apps themselves, but they have overlooked possible ways of hiding ransomware apps and making them difficult to detect and analyze. Therefore, this paper proposes a novel ransomware hiding model by utilizing a block-based High-Efficiency Video Coding (HEVC) steganography approach. The main idea of the proposed steganography approach is the division of the secret ransomware data and cover HEVC frames into different blocks. After that, the Least Significant Bit (LSB) based Hamming Distance (HD) calculation is performed amongst the secret data’s divided blocks and cover frames. Finally, the secret data bits are hidden into the marked bits of the cover HEVC frame-blocks based on the calculated HD value. The main advantage of the suggested steganography approach is the minor impact on the cover HEVC frames after embedding the ransomware while preserving the histogram attributes of the cover video frame with a high imperceptibility. This is due to the utilization of an adaptive steganography cost function during the embedding process. The proposed ransomware hiding approach was extensively examined using subjective and objective tests and applying different HEVC streams with diverse resolutions and different secret ransomware apps of various sizes. The obtained results prove the efficiency of the proposed steganography approach by achieving high capacity and a successful embedding process while ensuring the hidden ransomware’s undetectability within the video frames. For example, in terms of embedding quality, the proposed model achieved a high peak signal-to-noise ratio that reached 59.3 dB and a low mean-square-error of 0.07 for the examined HEVC streams. Also, out of 65 antivirus engines, no engine could detect the existence of the embedded ransomware app.

Highlights

  • One of the main challenges facing the digital transformation of almost every aspect of our lives is cybersecurity attacks

  • A lower value of the Mean Square Error (MSE) metric means that the video frame has a good quality, and there is a higher similarity between the cover and stego video frames

  • Tab. 4 presents the subjective findings of the tested High-Efficiency Video Coding (HEVC) frames with distinct resolutions when hiding five ransomware samples of different sizes, while Tab. 5 introduces the histogram findings

Summary

Introduction

One of the main challenges facing the digital transformation of almost every aspect of our lives is cybersecurity attacks. Many research solutions have been proposed to detect ransomware attacks [5,6,7]. These solutions have utilized permissions [5], API package calls [7], or both [8] to apply static or dynamic analysis to applications, whether benign or ransomware. The current ransomware detection solutions have assumed that the application is visible to be analysed. They did not investigate the possibility of hiding this ransomware and making it difficult to apply static or dynamic analysis. One of the utilized techniques was the hiding of malicious components or activity using steganography, which concealed the presence of the active malware application and its communication with the attacker [10].

Literature Review
Proposed HEVC Steganography-Based Ransomware Hiding Model
Model Evaluation and Result Discussions
Results Discussion
Conclusion and Future Works