
Majority Voting Ransomware Detection System

DOI: 10.4236/jis.2023.144016, pp. 264-293

Keywords: Ransomware Detection, Malice Score, Score Card, Malware, NapierOne Dataset


Abstract:

Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many different detection systems have been proposed as solutions to the ever-changing landscape of ransomware detection. In the majority of cases, these systems base their decision on the result of a single test performed on either the executable code, the process under investigation, its behaviour, or its output. In a small subset of ransomware detection systems, the concept of a scorecard is employed, where multiple tests are performed on various aspects of a process under investigation and their results are then analysed using machine learning. The purpose of this paper is to propose a new majority voting approach to ransomware detection: a method that uses a cumulative score derived from discrete tests, each based on algorithmic rather than heuristic calculations. The paper describes 23 candidate tests, as well as 9 Windows API tests, which are validated to determine both their accuracy and their viability for use within a ransomware detection system. Using a cumulative score to reach the final classification has several benefits, such as immunity to the occasional inaccuracy of an individual test. The system can also leverage multiple tests that are both comprehensive and complementary, in an attempt to achieve a broader, deeper and more robust analysis of the program under investigation. Additionally, the use of multiple collaborating tests significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection.
The results achieved by this research demonstrate that many of the proposed tests achieve a high degree of accuracy in differentiating between benign and malicious targets, and suggestions are offered as to how these tests, and combinations of tests, could be adapted to further improve detection accuracy.
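The scorecard mechanism the abstract describes, shown as an added example that is not the paper's code: a handful of discrete, algorithmic tests each cast a vote, the votes are summed into a cumulative malice score, and a simple majority decides the classification. The five byte-level tests here are illustrative stand-ins for the paper's own 23 tests (which this page does not list), and the thresholds, the known-signature table and the three constructed sample files are assumptions made for the demonstration. The third sample, ciphertext that kept its original `%PDF` header, shows one test being fooled without the final verdict changing.

```python
"""Scorecard / majority-voting classifier over discrete file-content tests.

Added example, not code from the paper. The five tests are illustrative
stand-ins for the kind of discrete, algorithmic tests the abstract
describes; the thresholds and sample files are assumptions for this demo.
"""
import math
import random
from collections import Counter

SAMPLE_LEN = 16384
_rng = random.Random(2023)  # fixed seed so the constructed samples are reproducible

# Constructed sample inputs (not taken from the NapierOne data set).
PLAIN_TEXT = (
    "Quarterly report: revenue grew 4% year on year; costs were flat.\n" * 300
)[:SAMPLE_LEN].encode()
CIPHERTEXT = _rng.randbytes(SAMPLE_LEN)  # stand-in for a file encrypted by ransomware
# Ciphertext whose original file signature was left in place: one test will be fooled.
HEADER_KEPT = b"%PDF-1.7\n" + _rng.randbytes(SAMPLE_LEN - 9)

# Assumed signature table for the demo; a real system would use a full magic-number list.
KNOWN_SIGNATURES = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\x7fELF", b"MZ")
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, reached only by a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    For uniform random data the expected value is about 255 (256 bins, 255 degrees
    of freedom); structured data such as text scores far higher.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def has_known_signature(data: bytes) -> bool:
    return any(data.startswith(sig) for sig in KNOWN_SIGNATURES)


# Each discrete test returns True when it votes "looks encrypted".
# Thresholds are assumptions chosen for this demonstration, not the paper's values.
TESTS = {
    "entropy > 7.9 bits/byte": lambda d: shannon_entropy(d) > 7.9,
    "chi-square < 350": lambda d: chi_square(d) < 350.0,
    "byte mean within 8 of 127.5": lambda d: abs(sum(d) / len(d) - 127.5) < 8.0,
    "printable ratio < 0.6": lambda d: printable_ratio(d) < 0.6,
    "unknown binary header": lambda d: not has_known_signature(d)
    and any(b not in PRINTABLE for b in d[:16]),
}


def score_card(data: bytes) -> dict:
    """Run every test and record its vote (1 = encrypted-looking, 0 = not)."""
    return {name: int(test(data)) for name, test in TESTS.items()}


def malice_score(data: bytes) -> int:
    """Cumulative score: the number of tests voting 'encrypted'."""
    return sum(score_card(data).values())


def classify(data: bytes, threshold: int = len(TESTS) // 2 + 1) -> str:
    """Simple majority: malicious when at least `threshold` of the tests vote so."""
    return "malicious" if malice_score(data) >= threshold else "benign"


if __name__ == "__main__":
    samples = (
        ("plain text", PLAIN_TEXT),
        ("ciphertext", CIPHERTEXT),
        ("ciphertext with %PDF header kept", HEADER_KEPT),
    )
    for label, sample in samples:
        card = score_card(sample)
        print(f"{label:34s} score {sum(card.values())}/{len(card)} -> {classify(sample)}")
        for name, vote in card.items():
            print(f"    {vote}  {name}")
```

Running the script prints the per-test votes beside each verdict: the plain-text sample collects no votes, the raw ciphertext collects all five, and the header-preserving ciphertext loses only the signature test's vote and is still classified malicious at 4/5. Equal-weight counting is the simplest form of the idea; a deployment that has measured each test's accuracy on a data set such as NapierOne would weight the votes accordingly rather than treating every test as equally trustworthy.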

