Trends and Future Directions in Automated Ransomware Detection

  • Abayomi Jegede, University of Jos, Nigeria
  • Ayotinde Fadele, Federal College of Education Zaria, Nigeria
  • Monday Onoja, Federal University of Health Sciences, Nigeria
  • Gilbert Aimufua, Nasarawa State University, Keffi, Nigeria
  • Ismaila Jesse Mazadu, Federal University, Wukari, Nigeria
Keywords: machine learning, deep learning, neural network, ransomware attack, ransomware detection, security

Abstract

Ransomware attacks constitute major security threats to personal and corporate data and information. A successful ransomware attack results in significant security and privacy violations, with attendant financial losses and reputational damage to owners of computer-based resources. This makes accurate, timely and reliable detection of ransomware imperative. Several techniques have been proposed for ransomware detection, and each technique has its strengths and limitations. The aim of this paper is to discuss the current trends and future directions in automated ransomware detection. The paper provides a background discussion on ransomware as well as the historical background and chronology of ransomware attacks. It also provides a detailed and critical review of recent approaches to ransomware detection, prevention, mitigation and recovery. A major strength of the paper is the presentation of the chronology of ransomware attacks from their inception in 1989 to the latest attacks occurring in 2021. Another strength of the study is that a large proportion of the studies reviewed were published between 2015 and 2022. This provides readers with up-to-date knowledge of the state of the art in ransomware detection. It also provides insights into advances in strategies for preventing, mitigating and recovering from ransomware attacks. Overall, this paper presents researchers with open issues and possible research problems in ransomware detection, prevention, mitigation and recovery.


Published
2022-10-28
How to Cite
Jegede, A., Fadele, A., Onoja, M., Aimufua, G., & Mazadu, I. J. (2022). Trends and Future Directions in Automated Ransomware Detection. Journal of Computing and Social Informatics, 1(2), 17-41. https://doi.org/10.33736/jcsi.4932.2022