Ransomware Detection Research Articles

Zero day ransomware detection with Pulse: Function classification with Transformer models and assembly language

Finding automated AI techniques to proactively defend against malware has become increasingly critical. The ability of an AI model to correctly classify novel malware is dependent on the quality of the features it is trained with and the authenticity of the features is dependent on the analysis tool. Peekaboo, a Dynamic Binary Instrumentation tool defeats evasive malware to capture its genuine behaviour. The ransomware Assembly instructions captured by Peekaboo, follow Zipf’s law, a principle also observed in natural languages, indicating Transformer models are particularly well-suited to binary classification. We propose Pulse, a novel framework for zero day ransomware detection with Transformer models and Assembly language. Pulse, trained with the Peekaboo ransomware and benign software data, uniquely identify truly new samples with high accuracy. Pulse eliminates any familiar functionality across the test and training samples, forcing the Transformer model to detect malicious behaviour based solely on context and novel Assembly instruction combinations.

Enhancing Cybersecurity: Ransomware Detection - A Proof of Concept Study

Presently, our digital landscape faces a pervasive onslaught of diverse cyber threats, encompassing distributed denial of service (DDoS), phishing, ransomware, and smishing, all orchestrated with malicious intent. Counteracting these malicious incursions poses a formidable challenge, particularly in devising efficacious detection solutions. Ransomware incidents are on the ascent, particularly within critical sectors such as healthcare, finance, and telecommunications. Consequently, this paper introduces a proof of concept (POC) aimed at detecting ransomware activities targeting Internet of Medical Things (IoMT) devices. The primary objective of this paper revolves around the identification and evaluation of factors correlating with ransomware attacks on IoMT and then developing a ransomware detector. The experimental framework involves the utilization of a simulated environment mirroring real-world IoMT devices and networks. The methodology integrates diverse approaches, encompassing data collection from IoMT devices, analysis of ransomware behaviour through the study of encryption patterns, and anomaly detection. The POC assesses the efficacy of these methodologies in detecting and responding to ransomware threats, with the experimentation conducted through hybrid analysis within a controlled laboratory setting. The dataset consists of 13 families with a total malware of 9251 taken from GitHub. For POC, a total of 3459 ransomware dataset samples have been selected. As a result of the experiment, thirteen (13) distinct features have been identified as trigger factors for ransomware attacks. These features are obtained by capturing of the processes initiated by the ransomware samples using a process monitor (procmon). A temporal pattern of the processes which include the file system, API, and access based on their frequency of occurrence were used to develop a ransomware detection model. The proposed approach achieved an accuracy of 99.2% and an error rate of 0.8 %, when evaluated on temporal pattern dataset and by using an enhanced artificial neural network (EANN).

Towards Superior Android Ransomware Detection: An Ensemble Machine Learning Perspective

Ransomware remains a pervasive threat to Android devices, with its ability to encrypt critical data and demand ransoms causing significant disruptions to users and organizations alike. This research proposes a novel ensemble-based machine learning approach for the detection of Android ransomware, leveraging the strengths of multiple classifiers to enhance detection accuracy and robustness. Utilizing a comprehensive dataset comprising 203,556 network traffic records across 10 distinct ransomware types and benign traffic, we meticulously preprocess and feature-engineer the data to ensure optimal model performance. The methodology integrates various ensemble classifiers, evaluating each through rigorous cross-validation. Feature importance analysis using Random Forest identifies key indicators of ransomware activity, enabling us to refine our models and focus on the most predictive features. The results demonstrate that the ensemble models, particularly Bagging, achieve near-perfect detection rates, with precision, recall, and F1 scores consistently exceeding 99% for different binary attacks and multi-class classification. Finally, in-depth statistical analysis further validates the superiority of our approach, showcasing significant improvements over traditional machine learning methods. This research sets a new benchmark for Android ransomware detection, offering a robust, scalable, and highly accurate solution that enhances the security and resilience of mobile networks against evolving cyber threats.

RansomGuard: a framework for proactive detection and mitigation of cryptographic windows ransomware

RansomGuard: a framework for proactive detection and mitigation of cryptographic windows ransomware

Earlier Decision on Detection of Ransomware Identification: A Comprehensive Systematic Literature Review

Cybersecurity is normally defined as protecting systems against all kinds of cyberattacks; however, due to the rapid and permanent expansion of technology and digital transformation, the threats are also increasing. One of those new threats is ransomware, which is a form of malware that aims to steal user’s money. Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon a large payment. Ransomware is a way of stealing money in which a user’s files are encrypted and the decrypted key is held by the attacker until a ransom amount is paid by the victim. This systematic literature review (SLR) highlights recent papers published between 2020 and 2024. This paper examines existing research on early ransomware detection methods, focusing on the signs, frameworks, and techniques used to identify and detect ransomware before it causes harm. By analyzing a wide range of academic papers, industry reports, and case studies, this review categorizes and assesses the effectiveness of different detection methods, including those based on signatures, behavior patterns, and machine learning (ML). It also looks at new trends and innovative strategies in ransomware detection, offering a classification of detection techniques and pointing out the gaps in current research. The findings provide useful insights for cybersecurity professionals and researchers, helping guide future efforts to develop strong and proactive ransomware detection systems. This review emphasizes the need for ongoing improvements in detection technologies to keep up with the constantly changing ransomware threat landscape.

RD-FAXID: Ransomware Detection with FPGA-Accelerated XGBoost

Over the last decade, there has been a rise in cyberattacks, particularly ransomware, causing significant disruption and financial repercussions across public and private sectors. Tremendous efforts have been spent on developing techniques to detect ransomware to, ideally, protect data or have as minimum data loss as possible. Ransomware attacks are becoming more frequent and sophisticated as there is a constant tussle between attackers and cybersecurity defenders. Machine Learning (ML) approaches have proven more effective in detecting ransomware than classical signature-based detection. In particular, tree-based algorithms such as Decision Trees (DT), Random Forest (RF), and eXtreme Gradient Boosting (XGBoost) spike up interest among cybersecurity researchers. However, due to the nature of the problem, traditional CPUs and GPUs fail to keep up with the desired performance, especially for large data workloads. Thus, the problem demands a customized solution to detect the ransomware. Here, we propose an FPGA accelerated tree-based ML model for multi-dataset ransomware detection. We show the capability of the proposed prototype to address the problem from more than one set of features, reducing false positive and negative rates to have robust predictions by looking at Hardware Performance Counters (HPCs), Operating System (OS) calls, and network traffic information simultaneously. With 1000 samples per batch, the FPGA prototype has 65.8x and 4.1x lower latency over the CPU and GPU, respectively. Moreover, the FPGA design is up to 11.3x cost-effective and 643x energy-efficient compared to the CPU and 3x cost-effective and 16.8x energy-efficient over the GPU.

Early Ransomware Detection with Deep Learning Models

Ransomware is a growing-in-popularity type of malware that restricts access to the victim’s system or data until a ransom is paid. Traditional detection methods rely on analyzing the malware’s content, but these methods are ineffective against unknown or zero-day malware. Therefore, zero-day malware detection typically involves observing the malware’s behavior, specifically the sequence of application programming interface (API) calls it makes, such as reading and writing files or enumerating directories. While previous studies have used machine learning (ML) techniques to classify API call sequences, they have only considered the API call name. This paper systematically compares various subsets of API call features, different ML techniques, and context-window sizes to identify the optimal ransomware classifier. Our findings indicate that a context-window size of 7 is ideal, and the most effective ML techniques are CNN and LSTM. Additionally, augmenting the API call name with the operation result significantly enhances the classifier’s precision. Performance analysis suggests that this classifier can be effectively applied in real-time scenarios.

Ransomware Detection Using Machine Learning Techniques

The proliferation of ransomware attacks is a critical cybersecurity threat that organizations globally face. This situation necessitates effective prevention and mitigation strategies. These malicious programs encrypt data and extort payments, impacting various industries. They highlight the urgent need for robust defense mechanisms. Despite advancements in machine learning for ransomware detection, there is a notable gap in the comparative analysis of individual algorithms such as Decision Tree (DT), Support Vector Machine (SVM), and Multi-Layer Perceptron (MLP). This study aims to fill the gap by providing a comparative analysis of these algorithms. It focuses on using the UG Ransome dataset and key metrics including accuracy, precision, recall, and F-measure. The experiments were conducted using Python. The results demonstrate that the Decision Tree outperforms SVM and MLP across all metrics. It achieves an accuracy of 98.83%, precision of 99.41%, recall of 99.41%, and F-measure of 99.41%. SVM and MLP, on the other hand, achieved lower scores. These results highlight the Decision Tree's superior performance in capturing non-linear data relationships, which is crucial for ransomware detection. The major contribution of this study is the identification of the Decision Tree as a highly effective model for ransomware detection. It significantly outperforms other models. The findings suggest that the Decision Tree's ability to model complexities within the data makes it a robust and reliable tool for safeguarding systems against ransomware attacks. Future research should explore the Decision Tree's performance across diverse ransomware datasets, integrate ensemble learning, investigate adversarial machine learning techniques, and enhance real-time detection methods. These efforts will improve the robustness and applicability of machine learning-based ransomware detection systems.

Early mitigation of CPU-optimized ransomware using monitoring encryption instructions

Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.

Behavioral based detection of android ransomware using machine learning techniques

Behavioral based detection of android ransomware using machine learning techniques

Enhancing Ransomware Detection in Cybersecurity: A Comprehensive Ensemble Approach

Enhancing Ransomware Detection in Cybersecurity: A Comprehensive Ensemble Approach

Ransomware Classification with Deep Neural Network and Bi-LSTM

Malicious attacks, malware, and ransomware families present essential risks to cybersecurity and may result in significant harm to computer systems, data clusters, networks, and mobile apps across a range of industries. Recently, there has been interest in ransomware classification using DNN and Bi-LSTM. DNN, a subset of machine learning techniques, has been found to improve ransomware detection and classification precision and efficacy. Ransomware has been affecting commercial, public, and governmental organizations' networks and computer systems for more than a decade, enabling new dynamic detection techniques to help DNNs detect ransomware. However, deep neural network-based architectures and DL classifiers (such as DNN, and Bi-LSTM classifiers) will be employed to detect ransomware. These networks may learn to correctly identify and categorize new ransomware incidents by integrating various datasets, including known and unknown ransomware samples. The classification of ransomware detection has been thoroughly investigated, and a model incorporating classic DL techniques with DNN and Bi-LSTM-based architecture will be proposed. A model execution experiment will be carried out to facilitate comparative testing of various approaches. This study focuses on the detection and classification of ransomware using DNN and Bi-LSTM. This study provides the groundwork for future investigations into the issues with ransomware detection. To protect against several ransomware attack types, deep neural networks have become an effective tool for ransomware detection. These networks combine machine learning and deep learning techniques.

Ransomware Early Detection using Machine Learning Approach and Pre-Encryption Boundary Identification

The escalating ransomware threat has catalysed the formation of a sophisticated network of cybercriminal enterprises. Addressing this issue, our research provides a detailed exploration of the ransomware menace and an evaluation of contemporary detection methodologies. A successful ransomware attack leverages many factors: robust encryption methods that defy decryption, the anonymity of cyber currencies, and the widespread availability of ransomware kits that enable even inexperienced actors to launch attacks. Such dynamics have cultivated a niche for cybercriminal specialists in the digital underworld. In response to these challenges, our study proposes a detection framework based on machine learning, a domain where regression algorithms have gained popularity without yielding a definitive protective model. We employ API call analysis as the foundation to assess various machine learning classifiers' efficiency in identifying ransomware. The evaluation demonstrates that the Naive Bayes classifier underperforms due to suboptimal accuracy, making it unsuitable for this application. Conversely, Logistic Regression, with an AUC of 0.951, minimal training time, and substantial efficacy gains, emerges as a strong contender. The Decision Tree and Random Forest classifiers exhibit comparable proficiency; however, the Decision Tree's interpretability and Random Forest's computational swiftness present unique advantages. Superior still, SVM and Gradient Boosted Trees command the highest AUC and gains, albeit at the cost of increased training duration. Our findings affirm the pivotal role of API call analysis in ransomware detection and the potency of machine learning approaches in learning from extensive datasets to identify novel malware strains. Given the continual evolution of malware, detection methodologies must adapt correspondingly. This study's comparative analysis elucidates the trade-offs between accuracy, computational speed, and training time, guiding the selection of the optimal machine learning algorithm for robust ransomware detection.

Ransomware Detection and Prevention Using Machine Learning and Honeypots: A Short Review

Ransomware is a type of computer malware that is currently widespread and highly dangerous. Ransomware attacks have become a major cybersecurity risk, posing significant risks to individuals and organizations alike. Also, traditional techniques for malware analysis, such as signature matching and heuristics, are no longer viable due to the exponential growth of malware. Researchers have explored various approaches to address this issue, but there is a lack of proper documentation and comparison of existing works. This paper presents an analysis of ransomware detection systems, which is part of an ongoing research project aiming to develop an open-source ransomware detection system to address the identified gaps in the field. To prevent such attacks, it is recommended to regularly backup files and avoid clicking on untrusted email links and attachments. Machine learning has been suggested by researchers as a more effective method of detecting malware. With internet use on the rise, honeypots offer a viable option for reducing security threats and safeguarding classified data from hackers. Honeypots are regarded as valuable resources for thwarting attacks and giving important insight about the origin and behavior of such attacks, which is useful for analysts who conduct such investigations. This paper provides a general view of cybersecurity, machine learning (ML), cyber threats, and honeypot systems towards mitigating system attacks and understanding their origin and behavior. Index Terms— Cybersecurity, Ransomware, Honeypots, Machine Learning, Detection.

Leveraging application permissions and network traffic attributes for Android ransomware detection

The increase in ransomware threats targeting Android devices necessitates the development of advanced techniques to strengthen the effectiveness of detection and prevention methods. Existing studies use Machine Learning (ML) techniques to detect and classify ransomware attacks, however, the ransomware landscape's rapid evolution hinders the effectiveness of these approaches. Moreover, the potential of Deep Reinforcement Learning (DRL) for this purpose remains unexplored. This study investigates the application of various DRL models for Android ransomware detection, leveraging permissions and network traffic attributes-labeled datasets. The paper provides a detailed explanation of implementing supervised learning within a DRL context. Secondly, the challenge of devising a reward function in Android ransomware detection is addressed, given the lack of an automated method for Android ransomware identification. The conventional DRL framework, which relies on the agent's interaction with a real-time environment, is conceptually modified in a new approach. We exhaustively tested the efficiency and accuracy of DRL-based models against other ML techniques, and results show that the A2C model has a better comparable detection performance than other DRL and ML models. Moreover, when DRL models are implemented with minor parameter modifications, they expedite and improve Android ransomware detection's speed, efficiency, and accuracy relative to existing ML strategies.

Ransomware Detection Model Based on Adaptive Graph Neural Network Learning

Ransomware Detection Model Based on Adaptive Graph Neural Network Learning

Ransomware Threat Analysis Using Machine Learning

With the advancement and easy accessibility of computer and internet technology, network security has become vulnerable to hacker threats, including ransomware attacks targeting smartphone operating systems (e.g., Android) and applications. Despite efforts to detect malicious URLs, lexical features sometimes need to be improved. This document provides an overview of ransomware, a timeline of assaults, and comprehensive research on methods for identifying, avoiding, minimising, and recovering from ransomware attacks. Analysing studies between 2017 and 2024 offers up-to- date knowledge on developments in ransomware detection and advancements in combating ransomware attacks, highlighting unanswered concerns and potential research challenges. KEYWORDS: Machine Learning; Ransomware, Cybers-attacks; Android; Malware; Hacker; Ransomware detection.

Novel Ransomware Detection Exploiting Uncertainty and Calibration Quality Measures Using Deep Learning

Ransomware poses a significant threat by encrypting files or systems demanding a ransom be paid. Early detection is essential to mitigate its impact. This paper presents an Uncertainty-Aware Dynamic Early Stopping (UA-DES) technique for optimizing Deep Belief Networks (DBNs) in ransomware detection. UA-DES leverages Bayesian methods, dropout techniques, and an active learning framework to dynamically adjust the number of epochs during the training of the detection model, preventing overfitting while enhancing model accuracy and reliability. Our solution takes a set of Application Programming Interfaces (APIs), representing ransomware behavior as input we call “UA-DES-DBN”. The method incorporates uncertainty and calibration quality measures, optimizing the training process for better more accurate ransomware detection. Experiments demonstrate the effectiveness of UA-DES-DBN compared to more conventional models. The proposed model improved accuracy from 94% to 98% across various input sizes, surpassing other models. UA-DES-DBN also decreased the false positive rate from 0.18 to 0.10, making it more useful in real-world cybersecurity applications.

Malware Detection and Prevention Using Machine Learning

Abstract: The malware became a serious threat challenge the computing world that requires an immediate consideration to avoid financial and moral blackmail. So, there is a real need for a new method that can detect and stop this type of attack. Most of the previous detection methods followed a dynamic analysis technique which involves a complicated process. The present study proposes a novel method based on static analysis to detect ransomware. The significant characteristic of proposed method is dispensing of disassemble process by direct extraction of features from raw byte with the use of frequent pattern mining which remarkably increases the detection speed. The Gain Ratio technique was used for feature selection which exhibited that 1000 features was the optimal number for detection process. The current study involved using random forest classifier with a comprehensive analysis to the effect of both tree and seed numbers on the ransomware detection. The results showed that tree numbers of 100 with seed number of 1 achieved best results in terms of time-consuming and accuracy. The experimental evaluation revealed that the proposed method could achieve a high accuracy of 97.74% for detection ransomware.

Lightweight Crypto-Ransomware Detection in Android Based on Reactive Honeyfile Monitoring.

Given the high relevance and impact of ransomware in companies, organizations, and individuals around the world, coupled with the widespread adoption of mobile and IoT-related devices for both personal and professional use, the development of effective and efficient ransomware mitigation schemes is a necessity nowadays. Although a number of proposals are available in the literature in this line, most of them rely on machine-learning schemes that usually involve high computational cost and resource consumption. Since current personal devices are small and limited in capacities and resources, the mentioned schemes are generally not feasible and usable in practical environments. Based on a honeyfile detection solution previously introduced by the authors for Linux and Window OSs, this paper presents a ransomware detection tool for Android platforms where the use of trap files is combined with a reactive monitoring scheme, with three main characteristics: (i) the trap files are properly deployed around the target file system, (ii) the FileObserver service is used to early alert events that access the traps following certain suspicious sequences, and (iii) the experimental results show high performance of the solution in terms of detection accuracy and efficiency.