RansomAI: AI-powered Ransomware for Stealthy Encryption
Jan von der Assen, Alberto Huertas Celdrán, Janik Luechinger, Pedro Miguel Sánchez Sánchez, Gérôme Bovet, Gregorio Martínez Pérez, Burkhard Stiller

TL;DR
RansomAI is a reinforcement learning framework enabling ransomware to adapt encryption strategies dynamically, significantly improving its stealth capabilities against detection systems in real-world scenarios.
Contribution
This work introduces RansomAI, the first AI-powered ransomware framework that learns to optimize encryption behavior to evade detection, demonstrating its effectiveness on a Raspberry Pi 4.
Findings
RansomAI evades detection with over 90% accuracy within minutes.
The framework successfully adapts encryption strategies using reinforcement learning.
Experimental validation on Raspberry Pi 4 confirms its practical effectiveness.
Abstract
Cybersecurity solutions have shown promising performance when detecting ransomware samples that use fixed algorithms and encryption rates. However, due to the current explosion of Artificial Intelligence (AI), sooner than later, ransomware (and malware in general) will incorporate AI techniques to intelligently and dynamically adapt its encryption behavior to be undetected. It might result in ineffective and obsolete cybersecurity solutions, but the literature lacks AI-powered ransomware to verify it. Thus, this work proposes RansomAI, a Reinforcement Learning-based framework that can be integrated into existing ransomware samples to adapt their encryption behavior and stay stealthy while encrypting files. RansomAI presents an agent that learns the best encryption algorithm, rate, and duration that minimizes its detection (using a reward mechanism and a fingerprinting intelligent…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Cybercrime and Law Enforcement Studies
Methods: Q-Learning
