dc.description.abstract |
The research introduces an innovative approach for the early detection of crypto-ransomware,
a form of malware that encrypts a victim's data and demands ransom for decryption. Various
detection techniques, including behavior-based analysis, API calls, system calls, network
communication patterns, static and dynamic analysis, are commonly employed to detect
ransomware. However, these techniques face various challenges such as adversarial
attacks, classification errors, difficulties in detecting zero-day attacks, performance and
scalability limitations, and limited efficiency of machine learning models for detection. The
major challenge is the large number of (read/write) API calls that are employed for
detection of ransomware, which indirectly increases the complexity of the detection system.
In this study, we developed an efficient ransomware detection method that utilizes a lower
number of attributes. The proposed scheme adopts a two-level detection approach, combining
a signature-based technique and sandbox analysis using machine learning (ML) algorithms and
an application program interface (API) generated by Cuckoo Sandbox. The signature-based
technique compares ransomware signatures with a database of known ransomware, utilizing
hashing techniques such as SHA. The sandbox analysis, complemented by ML algorithms and
the API, aims to identify ransomware prior to the encryption process. The scheme is evaluated
using various ML classifiers, including Random Forest (RF), Support Vector Machine (SVM),
and K-Nearest Neighbour (KNN), with an 80:20 training and testing ratio. In addition, the
proposed scheme was assessed through 10-fold cross-verification. Experimental results
demonstrate that the proposed approach accurately identifies 26 contributing read/write ransomware
attributes with 98% accuracy. It also surpasses the existing detection techniques while
employing a minimal number of attributes. Early detection of ransomware is vital in preventing
data encryption, potentially saving victims from paying ransoms. |
en_US |