An Accurate Ransomware Detection Framework Based on Monitoring The Interaction of Ransomware Attacks with Infected Systems
Abstract
One of the most dangerous cyberattacks targeting users’ files on electronic devices is
the Ransomware attack. Ransomware attacks can be divided into crypto ransomware
and locker ransomware. Crypto ransomware is the most prevalent one, and works by
encrypting users’ files and data, resulting in files becoming useless. Locker ransomware
does not encrypt data itself but denies users access to their devices by locking the device
or preventing logging on, and files therefore become unreachable. After encrypting files
or locking devices, victims are asked to pay a ransom in order to restore their data.
However, the problem with ransomware attacks is that there is no guarantee for the
victims that the data will be restored; they can end up paying the ransom and still lose
the data. The losses resulting from this attack can be very large, especially if it targets
large organisations and companies.
This work targeted crypto-ransomware attacks and aimed to find the differences between
ransomware attacks and benign programs that share the same behaviour, in terms of file
system activities and I/O traces; to find indicators that detect ransomware attacks in
their early stages at minimal cost; and to propose a framework that achieves a high true
positive rate and a low false positive rate.
An accurate framework for detecting ransomware attacks in their early stages, at minimal
cost and with no data loss, is presented in this work. The framework is based on analysing
ransomware attacks using the Cuckoo sandbox to create a safe and isolated environment,
and the Process Monitor tool to observe ransomware samples in terms of file system
activities and I/O traces. The analysis showed that, although ransomware attacks from
different families and their variants have technical differences, they all share the same
I/O access pattern when encrypting victims' files. The proposed framework achieved a
true positive rate of 96.5% and a false positive rate of 0%, with 98.25% accuracy and an
error rate of 1.75%, using Shannon entropy as the indicator of ransomware activity.
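The entropy indicator described above, as an added illustration that is not the thesis's own code: it computes Shannon entropy (bits per byte) of the data in each write recorded in a Process Monitor style I/O trace and flags a process once it has overwritten several distinct files with ciphertext-like content. The trace records, the 7.0 bits/byte threshold and the three-file minimum are constructed assumptions for the example, not values taken from the thesis.

```python
import math
from collections import Counter, defaultdict
from random import Random

# Assumed thresholds (not from the thesis): writes above 7.0 bits/byte are
# treated as ciphertext-like, and a process is flagged only after such writes
# hit at least three distinct files, so a single compressed file is not enough.
HIGH_ENTROPY_THRESHOLD = 7.0
MIN_SUSPICIOUS_FILES = 3

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 to 8.0; 0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def flag_processes(trace):
    """trace: iterable of (pid, operation, path, data) records, as one would
    export from a Process Monitor capture. Returns {pid: sorted paths} for
    processes whose WriteFile payloads look encrypted on enough distinct files."""
    hits = defaultdict(set)
    for pid, op, path, data in trace:
        if op == "WriteFile" and shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
            hits[pid].add(path)
    return {pid: sorted(p) for pid, p in hits.items() if len(p) >= MIN_SUSPICIOUS_FILES}

# Constructed sample trace: pid 4242 rewrites three documents with random
# (ciphertext-like) bytes, while pid 1001 (an editor) writes ordinary text.
_rng = Random(7)
def _pseudo_ciphertext(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))

TEXT = b"Quarterly report: revenue grew 4% while costs stayed flat.\n" * 40
SAMPLE_TRACE = [
    (1001, "ReadFile",  r"C:\Users\a\Documents\notes.txt", b""),
    (1001, "WriteFile", r"C:\Users\a\Documents\notes.txt", TEXT),
    (4242, "ReadFile",  r"C:\Users\a\Documents\q1.docx", b""),
    (4242, "WriteFile", r"C:\Users\a\Documents\q1.docx", _pseudo_ciphertext(4096)),
    (4242, "WriteFile", r"C:\Users\a\Documents\q2.docx", _pseudo_ciphertext(4096)),
    (4242, "WriteFile", r"C:\Users\a\Documents\q3.docx", _pseudo_ciphertext(4096)),
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_TRACE))
```

Compressed archives, images and already-encrypted files are also high-entropy, which is why entropy is combined here with the per-process, multi-file I/O pattern rather than used on a single write.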