Early Detection of Windows Cryptographic Ransomware Based on Pre-Attack API Calls Features and Machine Learning

Authors

  • Wira Zanoramy A. Zakaria MyCERT, Cybersecurity Malaysia, Menara Cyber Axis, Jalan Impact, 63000 Cyberjaya, Selangor, Malaysia
  • Nur Mohammad Kamil Mohammad Alta MyCERT, Cybersecurity Malaysia, Menara Cyber Axis, Jalan Impact, 63000 Cyberjaya, Selangor, Malaysia
  • Mohd Faizal Abdollah Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia
  • Othman Abdollah Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia
  • S.M. Warusia Mohamed S.M.M Yassin Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia

DOI:

https://doi.org/10.37934/araset.39.2.110131

Keywords:

Ransomware, Crypto-Ransomware, Early Detection, Ransomware Lifecycle

Abstract

Ransomware attacks are currently one of cybersecurity's greatest and most alluring threats. Antivirus software is frequently ineffective against zero-day malware and ransomware attacks; consequently, significant network infections could result in substantial data loss. Such attacks are also becoming more dynamic and capable of altering their signatures, resulting in a race to the bottom regarding weaponry. Cryptographic ransomware exploits crypto-viral extortion techniques. The malware encrypts the victim's data and demands payment in exchange. The attacker would release the data decryption key after accepting payment. After data encryption, the user has two options: pay the ransom or lose the data. Cryptographic ransomware causes damage that is nearly impossible to undo. Detection at an early stage of a ransomware attack's lifecycle is vital for preventing unintended consequences for the victim. Most ransomware detection technologies concentrate on detection during the encryption and post-attack stages. Due to the absence of early behavioural signs, it is challenging to detect ransomware before it begins the unwanted process of mass file encryption. This study examines the relationship between API call patterns and their nature to determine whether they constitute early ransomware behaviour. The purpose of this paper is to determine whether this technique can be used to detect the presence of ransomware activity on a Windows endpoint at an early stage. 582 ransomware samples from ten ransomware families and 942 benign software samples were analysed. This study proposes RENTAKA, a novel framework for the early detection of cryptographic ransomware. It makes use of characteristics acquired from ransomware behaviour and machine learning. This study presents an algorithm to generate a ransomware pre-encryption dataset. This study, which includes six machine-learning models, gives satisfactory results in detecting cryptographic ransomware.
The features used in this research were drawn from the 232 features identified in Windows API calls. Five standard machine learning classifiers were employed in this experiment: Naive Bayes, k-nearest neighbours (kNN), Support Vector Machines (SVM), Random Forest, and J48. In our tests, SVM fared the best, with an accuracy rate of 93.8% and an area under the curve (AUC) of 0.979. The results indicate that we can distinguish ransomware from benign applications with low false-positive and false-negative rates.
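To make the pre-encryption dataset idea concrete, here is an added example (not the paper's RENTAKA code): it parses a constructed API-call trace, truncates it at the first encryption-related call, and turns the remaining calls into a count vector over a small stand-in vocabulary. The trace format, the cut-off API set and the vocabulary are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample traces, one "seq pid api_name" record per line
# (the format is an assumption, not the paper's sandbox output).
RANSOM_TRACE = """\
1 4321 GetSystemInfo
2 4321 FindFirstFileW
3 4321 FindNextFileW
4 4321 CryptAcquireContextW
5 4321 CryptGenKey
6 4321 CreateFileW
7 4321 CryptEncrypt
8 4321 WriteFile
9 4321 DeleteFileW
"""
BENIGN_TRACE = """\
1 5120 GetSystemInfo
2 5120 CreateFileW
3 5120 ReadFile
4 5120 CloseHandle
"""

# Assumed cut-off set: the first of these marks the start of the encryption stage,
# so everything before it is the "pre-attack" window the classifier may see.
ENCRYPTION_APIS = {"CryptEncrypt", "BCryptEncrypt", "CryptEncryptMessage"}

# Assumed feature vocabulary (the paper uses 232 API-call features; stand-in only).
VOCAB = ["GetSystemInfo", "FindFirstFileW", "FindNextFileW", "CryptAcquireContextW",
         "CryptGenKey", "CreateFileW", "ReadFile", "WriteFile", "DeleteFileW", "CloseHandle"]

def parse_trace(text: str) -> list[str]:
    """Return the API names of a trace in call order."""
    return [line.split()[2] for line in text.splitlines() if line.strip()]

def pre_encryption_calls(apis: list[str]) -> tuple[list[str], bool]:
    """Keep calls up to (not including) the first encryption API; flag if one was seen."""
    kept = []
    for api in apis:
        if api in ENCRYPTION_APIS:
            return kept, True
        kept.append(api)
    return kept, False

def feature_vector(apis: list[str], vocab: list[str] = VOCAB) -> list[int]:
    """Count of each vocabulary API in the window; zero for APIs never called."""
    counts = Counter(apis)
    return [counts[name] for name in vocab]

def build_row(text: str, label: int) -> tuple[list[int], int]:
    """One dataset row: features from the pre-encryption window plus the class label."""
    window, _ = pre_encryption_calls(parse_trace(text))
    return feature_vector(window), label
```

A benign trace never hits the cut-off, so its whole run is the window; the ransomware row keeps only the reconnaissance and key-setup calls that precede encryption.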

Author Biographies

Wira Zanoramy A. Zakaria, MyCERT, Cybersecurity Malaysia, Menara Cyber Axis, Jalan Impact, 63000 Cyberjaya, Selangor, Malaysia

wira@cybersecurity.my

Nur Mohammad Kamil Mohammad Alta, MyCERT, Cybersecurity Malaysia, Menara Cyber Axis, Jalan Impact, 63000 Cyberjaya, Selangor, Malaysia

kamil@cybersecurity.my

Mohd Faizal Abdollah, Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia

faizalabdollah@utem.edu.my

Othman Abdollah, Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia

mothman@utem.edu.my

S.M. Warusia Mohamed S.M.M Yassin, Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Hang Tuah Jaya, 76100 Durian Tunggal, Melaka, Malaysia

s.m.warusia@utem.edu.my

Published

2024-02-13

Section

Articles