Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection
Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu

TL;DR
This paper introduces EldeRan, a machine learning-based dynamic analysis tool for detecting ransomware by monitoring runtime behaviors, demonstrating high accuracy and early detection capabilities across diverse ransomware families.
Contribution
The paper presents EldeRan, a novel dynamic analysis approach that effectively detects ransomware without prior family data, highlighting its potential for early and accurate ransomware detection.
Findings
EldeRan achieves an AUC of 0.995 in ransomware detection.
It works without needing complete ransomware family datasets.
Dynamic analysis reveals common runtime features across ransomware.
Abstract
Recent statistics show that in 2015 more than 140 million new malware samples were found. Among these, a large portion is ransomware, the class of malware whose specific goal is to render the victim's system unusable, in particular by encrypting important files, and then to ask the user to pay a ransom to revert the damage. Many ransomware samples use sophisticated packing techniques and are hence difficult to analyse statically. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in the first phases of their installation, checking for characteristic signs of ransomware. Our tests over a dataset of 582 ransomware samples belonging to 11 families, and 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without…
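To make the approach concrete, here is an added example that is not EldeRan's code and does not come from the paper: a leave-one-family-out classifier over constructed behavioural traces. The event names, the traces, the family labels and the plain logistic-regression learner are all assumptions made for the illustration; the page states neither EldeRan's feature set nor its learning algorithm. The example trains on two ransomware families plus some goodware, scores a third family it has never seen together with held-out goodware (including a backup tool that, like ransomware, enumerates and rewrites many files), and returns the ROC AUC on that held-out set together with the run-time events that received the largest weights.

```python
"""Leave-one-family-out ransomware detection over behavioural traces.

Added illustration, not EldeRan's code: the paper's page only says that EldeRan
monitors early run-time actions and reports an ROC AUC of 0.995. The event
names, traces, family names and the logistic-regression learner below are
assumptions; a real pipeline would take the events from a sandbox run (API
calls, registry and file-system operations, dropped files, embedded strings).
"""
import math

# Constructed sandbox-style traces: (label, family, set of events observed in
# the first seconds of execution). Event names are illustrative only.
TRACES = [
    ("ransomware", "famA", {"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
                            "fs:write_many_exts", "fs:drop_ransom_note", "api:WriteFile",
                            "reg:Run_key"}),
    ("ransomware", "famA", {"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
                            "fs:write_many_exts", "fs:drop_ransom_note", "api:WriteFile",
                            "str:bitcoin"}),
    ("ransomware", "famB", {"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
                            "fs:write_many_exts", "fs:drop_ransom_note", "api:WriteFile",
                            "net:http_get"}),
    ("ransomware", "famB", {"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
                            "fs:write_many_exts", "api:WriteFile", "reg:Run_key",
                            "str:bitcoin"}),
    ("ransomware", "famC", {"api:CryptEncrypt", "api:FindFirstFileW", "api:DeleteFileW",
                            "fs:write_many_exts", "fs:drop_ransom_note", "api:WriteFile"}),
    ("ransomware", "famC", {"api:CryptEncrypt", "api:FindFirstFileW", "fs:write_many_exts",
                            "fs:drop_ransom_note", "api:WriteFile", "net:http_get",
                            "reg:Run_key"}),
    ("goodware", "installer", {"api:WriteFile", "reg:Run_key", "fs:write_config",
                               "api:CreateWindowExW", "api:RegQueryValueExW"}),
    ("goodware", "editor", {"api:WriteFile", "api:CreateWindowExW", "api:RegQueryValueExW",
                            "api:FindFirstFileW"}),
    ("goodware", "updater", {"net:http_get", "api:WriteFile", "fs:write_config",
                             "api:RegQueryValueExW"}),
    # Hard negative: a backup tool also enumerates and rewrites many files.
    ("goodware", "backup", {"api:FindFirstFileW", "api:WriteFile", "fs:write_many_exts",
                            "net:http_get", "api:CreateWindowExW"}),
    ("goodware", "game", {"api:CreateWindowExW", "api:RegQueryValueExW", "fs:write_config",
                          "net:http_get"}),
]


def sigmoid(z):
    """Numerically safe logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def build_vocab(traces):
    """Sorted list of every event seen in any trace: the feature space."""
    return sorted({ev for _, _, events in traces for ev in events})


def vectorize(events, vocab):
    """Binary presence vector of a trace over the vocabulary."""
    return [1.0 if ev in events else 0.0 for ev in vocab]


def train_logreg(X, y, lr=0.5, epochs=400, l2=0.01):
    """Full-batch gradient descent for L2-regularised logistic regression."""
    m, n = len(X), len(X[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(b + sum(wj * xj for wj, xj in zip(w, xi))) - yi
            gb += err
            for j, xj in enumerate(xi):
                if xj:
                    gw[j] += err
        w = [wj - lr * (gj / m + l2 * wj) for wj, gj in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def roc_auc(pos_scores, neg_scores):
    """Area under the ROC curve as the probability that a random positive
    outscores a random negative (ties count one half)."""
    wins = 0.0
    for p in pos_scores:
        for q in neg_scores:
            wins += 1.0 if p > q else 0.5 if p == q else 0.0
    return wins / (len(pos_scores) * len(neg_scores))


def evaluate_holdout(traces, holdout_families):
    """Train on every family not in holdout_families, score the held-out
    traces, and return (AUC on the held-out set, features ranked by weight)."""
    vocab = build_vocab(traces)
    train = [t for t in traces if t[1] not in holdout_families]
    test = [t for t in traces if t[1] in holdout_families]
    X = [vectorize(ev, vocab) for _, _, ev in train]
    y = [1.0 if lab == "ransomware" else 0.0 for lab, _, _ in train]
    w, b = train_logreg(X, y)

    def score(events):
        return sigmoid(b + sum(wj * xj for wj, xj in zip(w, vectorize(events, vocab))))

    pos = [score(ev) for lab, _, ev in test if lab == "ransomware"]
    neg = [score(ev) for lab, _, ev in test if lab == "goodware"]
    ranked = sorted(zip(vocab, w), key=lambda kv: kv[1], reverse=True)
    return roc_auc(pos, neg), ranked


if __name__ == "__main__":
    auc, ranked = evaluate_holdout(TRACES, {"famC", "backup", "game"})
    print(f"AUC on the held-out family and goodware: {auc:.3f}")
    for name, weight in ranked[:5]:
        print(f"  {weight:+.2f}  {name}")
```

The held-out set contains a family the model never trained on, which is the situation the paper's claim about incomplete family data addresses; the ranked weights show which early run-time actions the classifier leaned on, the analogue of the "common runtime features" the page mentions. Scores are separated only by what the training traces share, so the backup tool is the sample to watch when judging a real feature set.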
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
