Trends and Future Directions in Automated Ransomware Detection
DOI: https://doi.org/10.33736/jcsi.4932.2022
Keywords: machine learning, deep learning, neural network, ransomware attack, ransomware detection, security
Abstract
Ransomware attacks constitute major security threats to personal and corporate data and information. A successful ransomware attack results in significant security and privacy violations, with attendant financial losses and reputational damage to the owners of computer-based resources. This makes accurate, timely and reliable detection of ransomware imperative. Several techniques have been proposed for ransomware detection, and each technique has its strengths and limitations. The aim of this paper is to discuss the current trends and future directions in automated ransomware detection. The paper provides a background discussion on ransomware, as well as the historical background and chronology of ransomware attacks. It also provides a detailed and critical review of recent approaches to ransomware detection, prevention, mitigation and recovery. A major strength of the paper is its presentation of the chronology of ransomware attacks from their inception in 1989 to the latest attacks occurring in 2021. Another strength of the study is that a large proportion of the studies reviewed were published between 2015 and 2022. This provides readers with up-to-date knowledge of the state of the art in ransomware detection. It also provides insights into advances in strategies for preventing, mitigating and recovering from ransomware attacks. Overall, this paper presents researchers with open issues and possible research problems in ransomware detection, prevention, mitigation and recovery.