Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection

Automated Dynamic Analysis of Ransomware:
Benefits, Limitations and use for Detection

Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu
Department of Computing, Imperial College London
180 Queen’s Gate, SW7 2AZ, London, UK
{d.sgandurra, l.munoz, r.mohsen11, e.c.lupu}

Recent statistics show that in 2015 more than 140 millions new malware samples have been found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim’s system unusable, in particular by encrypting important files, and then ask the user to pay a ransom to revert the damage. Several ransomware include sophisticated packing techniques, and are hence difficult to statically analyse. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation checking for characteristics signs of ransomware. Our tests over a dataset of ransomware belonging to families, and with goodware applications, show that EldeRan achieves an area under the ROC curve of . Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.

Automated Dynamic Analysis of Ransomware:

Benefits, Limitations and use for Detection

Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu
Department of Computing, Imperial College London
180 Queen’s Gate, SW7 2AZ, London, UK

{d.sgandurra, l.munoz, r.mohsen11, e.c.lupu}




D.4.6 [OPERATING SYSTEMS]: Security and Protection—Invasive software


In recent months, numerous Internet users have been victims of cyber-attack campaigns based on extortion mechanisms [?], [?]. Ransomware has emerged as one of the most difficult scareware111A class of malware that use tricks to scare users, e.g. by displaying a warning purportedly from a law enforcement agency claiming users have downloaded illegal content. to defend from, as it might be computationally infeasible to revert ransomware’s damage [?]. There are two basic types of ransomware available in the wild: the first one, locker-ransomware, is designed to lock the victims’ computer, to prevent them from using it; the second one, and most common nowadays, is crypto-ransomware, which encrypts personal files to make them inaccessible to its victims. In both cases, users are forced to pay a ransom to regain access either to their data (assuming no backup mechanism is in place) or system. Ransomware has featured prominently in the media, in particular when in 2014 a Police Department’s computer system was infected by Cryptowall [?].

Many victims feel their data are so important that they have to pay the ransom. For example, when in 2012 Symantec was able to dismantle a Command and Control (C&C) network used by the CryptoDefense ransomware family, the follow-on study showed that 2.9% of victims, out of 68,000 unique infections, appeared to have paid the ransom. Extortion mechanisms, therefore, generate significant revenue for the attackers. For CryptoWall version 3, statistics account for an estimated total $325 million in damages in the US alone [?]. Note that the average ransom request amounts to $300 [?], and the preferred payment method is through Bitcoins, due to their untraceable properties. Anti-virus (AV) vendors strive to keep the pace with sophisticated malware variants. In fact, signature-based mechanisms are prone to being easily deceived, especially when new variants are spread. For example, according to [?], out of the 3,000 unique analysed exploit kits, which are one of the main vectors of ransomware (e.g., around 62% of infections of Angler exploit kit deliver ransomware), only 6% of their signatures were found in VirusTotal. Furthermore, the average detection of these signatures was very low, with usually less than ten engines (out of around 60) able to detect them. Furthermore, current ransomware implement very sophisticated packing techniques to evade detection, e.g. obfuscated API calls [?], rendering the static analysis (e.g., of import tables) useless. As signature-based AVs are easily evaded, e.g by the appearance of new variants, it is fundamental to exploit alternative approaches based on dynamically analysing behaviours. In particular, machine learning has been widely applied in research to classify malware, as an alternative to signature-based approaches [?], [?], [?].

In this paper, we propose EldeRan, a machine learning approach to classify ransomware based on their early actions. The underling assumptions of this work are based on the observation that ransomware contain unique dynamic features and, to stop their spread, it is crucial to detect new variants during their first appearance. To this end, EldeRan firstly selects the relevant features that characterize the ransomware behaviour, and then classify each newly-installed application on a user PC through a machine learning algorithm as to perform detection without relying on classical heuristic or signature-based techniques. The goal of this work is to understand whether ransomware can be identified, with a high degree of accuracy, using a limited number of characteristic features and before infecting victims. Furthermore, EldeRan provides an automatic way for creating signatures for new variants of ransomware families. EldeRan complements well AVs signature-based mechanisms, as it can be used to identify cases where AVs may have missed new, or unknown, ransomware families. The main contributions of this paper are:

  • We propose EldeRan, a framework to identify the most significant ransomware dynamic features, and use them to detect ransomware. Through the Mutual Information criterion, we have identified the most relevant dynamic features amongst a large set of considered ones. EldeRan exploits a relatively small set of features without reducing the performance of the machine learning classifier. By following this approach, EldeRan is also well suited to detect new ransomware families.

  • We have evaluated the accuracy of the Regularized Logistic Regression by comparing it against other machine learning classifiers, namely the Support Vector Machine (SVM) and Naive Bayes. We found that the Logistic Regression outperforms Naive Bayes and it is competitive with respect to the SVM. Moreover, the Logistic Regression is easy to train and adapt compared to the SVM. The regularization technique applied to the Logistic Regression helps the classifier to generalize better to unseen samples by preventing overfitting.

  • We compare the classification results with those of VirusTotal: EldeRan’s average error rate is 2.4% while that of VirusTotal is 5.6%, and EldeRan achieves a remarkable 96.3% detection rate. We also tested the ability of EldeRan to detect new families of ransomware, obtaining an average detection rate of 93.3%.

The rest of the paper is organized as follows. In Section Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we give an overview of ransomware. Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection details our approach (EldeRan) based on analysing a set of features in a sandboxed environment to detect variants of ransomware. In Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we analyse the most relevant features exhibited by the samples of our dataset based on the EldeRan’s feature selection algorithm. The results of the experimental evaluation is described in Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. In Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we discuss the relevant findings of our paper, the limitations of dynamic analysis, and suggestions of improvements. Finally, Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection discusses related work, while in Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we conclude the paper.

Ransomware is any class of malware whose specific goal is to force users to pay a ransom to be able to regain full access to their system. As previously recalled, there are two main classes of ransomware, i.e. the locker ones and the crypto ones. In the first case, the goal of the ransomware is to lock the user’s computer, using simple or sophisticated mechanisms, as to make it unable for the user to regain access to the computer. Then, they typically display a message across the screen to demand payment. Access is granted again only if the user pays the ransom. An early example of this class is WinLock, which requested the ransom payment to be made through an SMS, whose cost was set to 10$, to get the unblock code. On the other hand, crypto-ransomware aims to quietly search for and encrypt users’ files, and then asks users to pay a ransom to get the decryption keys to access them again. Very often crypto-ransomware does not encrypt the whole hard-disk, but searches for specific extensions only, e.g. .doc, .jpg, .pdf, often of files containing text documents, presentations, images, which usually contain valuable and personal user data – the ones that affect most the users if lost. Usually, symmetric encryption is chosen, for efficiency reasons, but asymmetric encryption as well as hybrid mechanisms, e.g. using a symmetric key to encrypt the files and using a public key to encrypt the symmetric keys [?], have also been used. In both cases, ransomware makes extensive use of social-engineering tactics to pressure the victims into paying, for instance by masquerading themselves as law enforcement authorities, and claiming to issue fines for users for allegedly found criminal activities on the computer (e.g. illegal music files). Similarly, the ransomware threatens to publish the users’ pictures and other personal data on the Internet unless a ransom is paid [?]. According to a study by Symantec [?], from 2005 to 2014 there were only 16 discovered families of Ransomware in the wild, a small number in comparison to the 27 discovered in 2015 alone and the 15 discovered only in Q1 of this year. Currently, the top ransomware families are Cerber, Locky, and CryptoWall [?], while just few months ago they also included TorrentLocker, CTB-Locker and TeslaCrypt (recently dismissed). This trend shows the continuously evolving nature of ransomware. A timeline of some notable ransomware is shown in Fig Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection.

Name Year Notable Features
PC Cyborg 1989 Spreads using floppy disks
GPCoder 2005-2008 Spreads via emails; encrypts a large set of files
Archiveus 2006 First Ransomware to use RSA encryption
WinLock 2010
Blocks PCs by displaying a ransom message
Reveton 2012
Warning purportedly from a law enforcement agency
DirtyDecrypt Summ. 2013 Encrypts eight different file formats
CryptLocker Sept. 2013
Fetches a public key from the C&C
CryptoWall Nov. 2013 Requires TOR browser to make payments
Android Defender 2013 First Android locker-ransomware
TorDroid 2014 First Android crypto-ransomware
Critroni July 2014 Similar to CryptoWall
TorrentLocker Aug. 2014
Stealthiness: indistinguishable from SSH connections
CTB-Locker Dec. 2014 Uses Elliptic Curve Cryptography, TOR and Bitcoins
CryptoWall 3.0 Jan. 2015 Uses exclusively TOR for payment
TeslaCrypt Feb. 2015 Adds the option to pay with PayPal My Cash Cards
Hidden Tear Aug. 2015 Open source ransomware released for educational purposes
Chimera Nov. 2015 Threatens to publish users’ personal files
CryptoWall 4.0 Nov. 2015 Encrypts also filenames
Linux.Encoder.1 Nov. 2015 Encrypts Linux’s home and website directories
DMA-Locker Jan. 2016 Comes with a decrypting feature built-in
PadCrypt Febr. 2016 Live Chat Support
Locky Ransomware Febr. 2016 Installed using malicious macro in a Word document
CTB-Locker for WebSites Febr. 2016 Targets Wordpress
KeRanger Mar. 2016 First ransomware for Apple’s Mac computers
Cerber Mar. 2016 Offered as RaaS (& quote in Latin)
Samas Mar. 2016 Pentesting on JBOSS servers
Petya Apr. 2016 Overwrites MBT with its own loader and encrypts MFT
Rokku Apr. 2016 Use of QR code to facilitate payment
Jigsaw Apr. 2016 Press victims into paying ransom
CryptXXX May 2016 Monitors mouse activities and evades sandboxed environment
Mischa May 2016 Installed when PETYA fails to gain administrative privileges
RAA June 2016 Entirely written in Javascript
Satana June 2016 Combines the features of PETYA and MISCHA
Stampado July 2016 Promoted through aggressive advertising campaigns on the Dark web
Fantom Aug. 2016 Uses a rogue Windows update screen
Cerber3 Aug. 2016 Third iteration of the Cerber ransomware
Table \thetable: Timeline of Representative Ransomware

Technological advances have made ransomware more powerful. For example, virtual currency is now the de facto method to pay ransoms for its untraceable properties [?]. Usually, in these cases, a new, and unique, Bitcoin address is created for each user, so it can be used as a victim ID as well as to receive payments. Furthermore, anonymous networks, such as Tor, are widely used to hide the location of the attacker’s servers and to store the victim’s private keys. In this context, CTB-Locker is probably the most advanced ransomware to-date [?]. Finally, note that to build a ransomware a cyber-criminal does not need to have sophisticated knowledge, as online services, such as ransomware-as-a-service (RaaS), enable everyone to build their own version easily [?].

To install ransomware on user’s computer, several techniques are frequently used by cyber-criminals, such as:

  • Phishing or SPAM e-mails: e-mails including a link [?] (e.g., to Dropbox [?]), or an attachment (using common words for the filename, such as ’invoice’, ’internal’ [?]) to a malware. Sometimes .src (Microsoft Windows Screensaver) files are disguised as .pdf with a fake icon, to lure victims into opening it; in any case, a malware sample is downloaded, and this malware downloads or drops the ransomware sample. Similar techniques apply to IRC, p2p networks, etc.

  • Exploit kits: rogue advertisements (ADs) are injected into an advertising network (malvertising), usually by placing such ADs on reputable websites to enlarge the potential audience; the rogue AD redirects users to attacker’s website, which usually exploits a vulnerability in the browser, using an exploit kit (e.g., Magnitude, Angler, Neutrino, and Nuclear [?]), to enable the drive-by-download of ransomware (or of malware downloading a ransomware in a second step). Note that almost 75% of exploits in Angler are related to Adobe Flash, whereas 20% are related to Internet Explorer [?].

  • Downloader and Trojan Botnets: downloaders coming from software-hosting websites, whose official goal is to allow users to download legitimate files, and as a hidden functionality download malware without the user noticing it.

  • Social engineering tactics: e.g., by deceiving users into installing a fake AV, by showing results of AV scans allegedly showing malware on the user’s computer.

  • Traffic Distribution Systems (TDS) [?]: similar to malvertising, cyber-criminals buy redirected web traffic to the site hosting the exploit kit as to enable the drive-by-download of the malware.

For example, in CryptoWall Version 3, the two primary distribution channels have been phishing e-mails and exploit kits, where about two-thirds were phishing e-mails [?]. However, since April 2015, attackers began relying more heavily on exploit kits for distribution and propagation of CryptoWall, due to their flexibility and power [?]. The Angler Exploit Kit, the number one crime-kit to distribute CryptoWall, can actually inject its payload directly into the memory of infected machines and handily exploits a variety of vulnerabilities, especially in Flash.

The recovery of a system compromised by locker-ransomware can be usually done, for example, by rebooting the system in safe-mode, and running an on-demand virus scanner, or through similar system-restore techniques. On the other hand, recovering the data from crypto-ransomware is usually a more challenging task. In fact, unless the user pays the ransom, and provided cyber-criminals are willing to give in exchange the key (which is usually the case, as they want to preserve their “reputation”), in general it is very hard to recover the encrypted data (i.e., computationally infeasible). Usually, the private key is either stored on the server, or it is stored encrypted on the user storage (sometimes on the header of the encrypted files themselves) with public key mechanism. Obliviously, in case the encryption mechanism is not implemented correctly, e.g. cyber-criminals design and develop their own encryption algorithm, or the key length is too short, or there are flaws in the protocol [?], it is possible to recover the data. However, note that usually this is not the case as ransomware, such as TeslaCrypt 2.0 exploits very sophisticated key generation mechanisms [?]. In some cases, the private keys is stored in clear (i.e., not encrypted with a public key) on the victim’s disk, and they can be recovered. For example, in some GPcoder variants, the keys are stored in a registry key, and, hence, it is possible to recover the key. In other cases, files can be recovered by simply rebooting the machine before the ransomware terminates, as sometimes files are zeroed only after completing the encryption. We have also to consider those cases where the encryption keys is (by mistake) deleted after use, and not stored in the attacker’s server [?]. In these case, the only way users can recover their files is if they restore them from a backup. Ransomware may also sometime delete shadows copies containing old copies of files [?]. Note that some forensics techniques might be able to recover some files (or retrieve the key) or, similarly, sometimes cyber-criminals might disclose the private keys, e.g. after regretting their actions [?]. Alternatively, the law enforcement might be able to access the database of encrypting keys or, in some other case, some AV vendors have made available an online repository of recovered decryption keys, e.g. for CoinVault and Bitcryptor222, or an online repostory of several decrypters for free333

In this section we discuss our approach, and motivate the selection and use of features to detect ransomware.

EldeRan is based on the observation that ransomware samples typically perform some actions that are unique, or significant, with respect to those performed by goodware ones. Therefore, EldeRan is focused on deriving the most important features of ransomware in its early phases. Figures Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection and  Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection show, respectively, the design of our proposed system in the analysis and detection phases. In detail, EldeRan firstly dynamically analyses in a sandboxed environment (see Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection) the traces of samples coming from two datasets of ransomware and goodware. From these datasets, EldeRan retrieves, and analyses, the following classes of features: (i) Windows API calls (i.e., the traces of invocations of native functions and Windows API calls), (ii) Registry Key Operations (in particular, the read, open, write, and delete operations), (iii) File System Operations (in particular, the read, open, write, and delete operations), (iv) the set of file operations performed per File Extension, (v) Directory Operations (the set of operations performed on directories, in particular the enumeration and creation), (vi) Dropped Files (i.e., the set of files that are dropped by an application during installation), and (vii) Strings (the strings embedded in the binary). All the features, but the last ones (Strings) are collected while dynamically analysing the ransomware. After this monitoring phase, a feature selection algorithm is applied to select the most relevant ones. Finally, the matrices containing these features are used in a Regularized Logistic Regression classifier, which returns “ransomware” or “goodware” for, respectively, a ransomware or a good application. The classifier is also run online on user PCs to classify new samples, coming from genuine (compromised) website or from various infection vectors (see Fig Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection). Note that while the training set is analysed offline, and its classification is done una tantum on a sandboxed environment and requires few minutes only, new applications are classified at run-time through an online classifier, which is very fast and can be run on user PCs.

Figure \thefigure: Elderan Sandboxed Training and Analysis
Figure \thefigure: Elderan Live Detection

The machine learning component of EldeRan consists of two phases: feature selection and classification. For the first one, we have used the Mutual Information criterion [?], which allows us to select the most discriminating features for ransomware and goodware from the features gathered in the sandbox. Then, for the classification (decision) problem, EldeRan uses a Regularized Logistic Regression classifier.

Feature selection is a procedure that enables reducing the number of features to build simpler machine learning algorithms, by shortening the training (and prediction) time, and, in many cases, to prevent overfitting. Even if these techniques are not always used in machine learning approaches to detect malware [?, ?], in our opinion they are a key element to make the algorithm more efficient and achieve a better performance, as we will show in Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. In EldeRan, for each feature, we consider only the presence or absence of that particular feature. Hence, for these binary features, the Mutual Information criterion is a good method to select the most relevant ones, since it allows us to quantify how much discrimination each feature adds to the classifier. Considering that and are two discrete random variables with a joint probability mass function and marginal probability mass functions and , the Mutual Information is defined as the relative entropy between the joint distribution and the product of the marginal distributions [?]:


Once we have applied the feature selection, the final step is to build a classifier to detect ransomware. Since in this case we have a high number of features, linear classifiers are usually a good choice, as shown in [?, ?] where different linear classifiers were proposed to detect malware. In our case, we have resorted to the Logistic Regression classifier. This method aims to model the log-posterior probability of the different classes given the data via linear functions depending on the features [?]. Then, the posterior probability of a sample being classified as ransomware () given its feature vector can be written as:


where is the vector of weights, is the bias term, and the sigmoid function, is given by:


To fit the values of and , we minimize a cost function between the estimated posteriors and the true labels on a set of training points. Although there are different cost functions that can be applied, one of the most common is the cross-entropy, which also uses concepts from Information Theory. We selected this cost function since it is more sound when aiming to model the log-posterior probability of the classes although, in practice, we can expect a similar performance with other cost functions like the squared error. Therefore, given a set of training samples with features , where , and the corresponding labels , where , the cross-entropy cost function can be written as:


The cost function is convex on the weights and the bias, which means that it has a unique global minimum. Hence, to search the values of and that minimize (Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection) we can use gradient descent methods. In our case, given the size of the dataset, we have opted for a standard gradient descent approach in batch mode, i.e. computing the gradient for the whole dataset at each iteration. For bigger datasets, or to perform online training, stochastic gradient descent or mini-batch gradient descent may be more appropriate.

One of the main limitations of the Logistic Regression is that the maximum likelihood estimation of the posterior is prone to overfitting. However, several techniques exist in the literature to prevent this problem. Although, we can resort to Bayesian models, placing a prior on and [?], a simpler and common alternative that achieves similar performance to Bayesian models is regularization [?]. Hence, we can prevent overfitting in the Logistic Regression model by adding a penalty term to the cost function (Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection). In our case, we have used an regularization term, so that the cost function for the Regularized Logistic Regression becomes:


where is the regularization parameter, which is typically set by cross-validation. Note that in EldeRan we have two mechanisms to prevent overfitting: the feature selection with the Mutual Information criterion and the regularization of the Logistic Regression.

Although more powerful classifiers, like the SVM, could have been used, in many practical situations the Regularized Logistic Regression is competitive with SVM and is easier to train and to adapt when new training samples are added to the training set. Hence, the parameters can be adapted online as new samples arrive without the need of training the classifier from scratch. On the other hand, although in some practical situations the simplistic approach of the Naive Bayes classifier achieves a good performance, it relies on the assumption of independence between features, which we do not consider to be valid for the detection of ransomware, where we expect to have strong dependencies between some of the features, e.g. between API and File Operations. In Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we will show the experimental comparison of the performance the Regularized Logistic Regression classifier compared to the SVM and Naive Bayes.

The ransomware samples of our datasets were downloaded from VirusShare444, a website that maintains a continuously-updated database of malware for several OSes. Table Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection reports the full list of ransomware families used for our experiments. To analyse the samples we used the Cuckoo Sandbox555, a well-know tool to automate malware analysis. The construction of the dataset, and the use of the sandbox, have been done following the best practices suggested in [?], and is described in the following. Later, we describe the features we extracted and processed.

The dataset of ransomware and goodware was retrieved and analysed at the end of February 2016, and it consists of 582 working samples of ransomware belonging to 11 different classes and 942 of good applications666The initial dataset was larger: we considered a ransomware or a goodware sample to be effective only if the set of dynamic features was not empty.. We strived to collect both old ransomware and new ransomware samples, as well as recent and well-known good applications (see in the following). The collected ransomware samples are representative of the most popular versions and variants currently encountered in the wild (most of them belong to crypto-ransomware type). We manually clustered each ransomware into a well-established family name, since there are several discrepancies among AV vendors’ naming strategy and it is therefore not easy to extract a common name for each ransomware family. For each family, we downloaded all the samples found on VirusShare but, for the largest classes (having more that 100 samples), we limited the number of samples by randomly sampling from VirusShare database. We also downloaded and analysed a dataset of 942 benign applications (the goodware set): these were selected from the top list of the most popular software coming from a software aggregator website777 To ensure that the downloaded goodware samples did not contain suspicious components inside their payload, we only downloaded applications hosted from the most trustworthy sources only, as indicated by the internal AV checker and rating system. Finally, we also double-checked with the results of VirusTotal. This dataset of goodware applications includes generic utilities for Windows (e.g., zipper, password managers, etc.), drivers, browsers (the most popular ones), file utilities (DropBox, file search, etc.) multimedia tools (music, video, etc.), developers tools (Eclipse, notepad++, etc.), games, network utilities, paint tools, databases, emulator and virtual machines monitors, office tools, etc. We tried to built a realistic dataset that encompasses a large variety of common applications installed on user PCs. We manually checked that both classes did not contain samples of the other class, i.e. ransomware labelled as goodware and viceversa.

The system used during execution was a version of Windows XP 32 bit SP2 without additional software installed, except for Python (which was requested by Cuckoo for its agent). We used this version of Windows as its weaker security protections enables EldeRAN to observe more ransomware behaviour [?]. When analysing the malware execution, no other user application was running in the analysed machine, and the system was not actively used by people. The virtual machine (VM) running in the sandboxed environment with Windows XP had network connectivity. We also inserted several files, under different directories, to mimic personal user files, such as images (e.g., jpg, png), Office documents (e.g., doc, ppt), documents (e.g., pdf, txt), and others (e.g., zip). Each VM was reverted to the original clean/safe state before each new test. We analysed the samples of ransomware and goodware in the Sandbox for 30 seconds. Although we allowed network connectivity to the VM, and collected PCAP traces, we focus here on the analysis of host-based features only.

To analyse all the dinamically-generated traces efficiently, we built a feature parser (see “preprocessing & parser” component in Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection) that retrieves all these reports (in JSON format), and creates a set of matrices that can be analysed by the EldeRAN feature selection and classifier. Before creating the matrices, the EldeRAN feature parser implements some preprocessing and basic feature selection. In detail, in case of API invocations, the feature parser creates a matrix with the API Stats feature, which takes into account the absence or the presence of a specific call for this feature. Concerning the registry keys (Reg Keys), for each of the four analysed operations, and for each sample, the feature parser creates a matrix by considering whether the operation was performed on each specific key accessed by the operation. Concerning the File Operations, the feature parser creates similar matrices to the ones related to the registry keys by considering as features the full paths of the filename along with the absence or presence of the specific operation. Analogously to File Operations, the features parser creates similar matrices by considering the file operations performed per File Extension, and by considering the Directory Operations (enumerate and creation). For the Dropped Files feature, the feature parser considers as feature the type of the dropped file, i.e. a new feature is added for each new type of dropped file (such as PE32, DOS batch, JPEG, etc.), coupled with the absence of presence of each feature for all the samples of ransomware and goodware. Finally, for the Strings features, since the set of embedded strings is fairly large, we limited ourselves to consider as features each imported library and function, as well as strings related to crypto-functions, and string related to file extensions, by creating a single matrix considering the absence or presence of each of these features. After analysing all the samples of ransomware and goodware, the total number of features was . We then further performed experiments to assess which class of features is better suited to classify ransomware when isolated. By considering only the top 400/100 features, according to the MI criterion, the percentage of features belonging to each set is shown in Tab. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection.

Features Top 400 Top 100
Registry Keys Operations 48.25% 49%
API Stats 24.00% 27%
Strings 8.25% 5%
File Extensions 8.00% 9%
Files Operations 5.25% 6%
Directory Operations 4.00% 2%
Dropped Files Extensions 2.25% 2%
Table \thetable: Percentage of the Most Relevant Features for Each Class

We observe that the Registry Keys and API Stats are the two most relevant sets, but also the other sets are useful. Among all these features, several are characteristic of ransomware behaviour, and their presence, together with other features more generally characteristic of malware behaviour, leads to a very good detection rate (see Sect. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection). In particular, high activities on files in personal folders and tmp directories. Ransomware also often implement registry keys updates to enable persistence across reboot, or access to keys to retrieve the list of mounted devices (to search for more files), or to acquire the list of recently opened files, possibly because believed to contain important information. Further, ransomware often include links to DLL related to the usage of Visual Basic, shell extensions, and access to certificates (related to key creation and management), or strings showing patterns of extension to be searched for. Characteristic APIs are those allowing a ransomware to terminate, or write to, other processes (for example, to inject into explorer.exe and svchost.exe processes). Dropped files include html and rtf, used to show the ransom note. The usage of evasion techniques seems to be recurrent, e.g. trying to search for the Python agent. Finally, important file extensions include manifest files, pad, and bat.

We present here the experimental evaluation to assess the accuracy of EldeRan to detect ransomware, by measuring the performance and the detection rate of the classifier compared to other machine learning techniques and AV vendors. We used a Naive Bayes (NB) classifier [?] and the linear SVM [?, ?] as comparison benchmarks to assess the performance of the Regularized Logistic Regression classifier used by EldeRan. We used the Matlab (version 2015b) implementation for the Naive Bayes and the SVM, whereas for EldeRAN we developed our own Matlab implementation. We applied the MI criterion to select the most relevant features for the three methods. In the experimental evaluation we also included the information provided by VirusTotal with the labels from a pool of AV vendors indicating if a sample is malware or not. To this end, we have aggregated the labels from the pool of AV providers using a majority voting strategy. Then, we decided that a sample is ransomware if more than a half of the AV vendors providing a label for that sample says that it is malware. For the experimental comparison, we also considered individually the 5 AV vendors with the highest detection rate measured on the whole dataset. In the cases where an AV vendor did not provide a label for a given sample, we did not consider that sample when calculating the FPs and detection rates for that AV vendor. Note that this induces an experimental advantage for the AV vendors. Finally, we have also analysed the ability of EldeRan to detect new families of ransomware, i.e. families that are not included in the features selection, and the training process of the classifier.

For the first experiment we evaluated the performance of the 3 machine learning classifiers (EldeRan, SVM, and NB) with the number of features selected with the MI criterion. We explored using between and features to see which combination performs better. For each value explored, we created random splits of the whole dataset with of the samples for training and as test samples. To select the regularization parameter for EldeRan and the cost parameter for the SVM, we performed a 5-fold cross validation using the whole dataset, exploring values for and in the range with values of the form , with . For EldeRan we also explored the value , which corresponds to the standard Logistic Regression, i.e. without regularization. To train the Regularized Logistic Regression we used a standard gradient descent implementation in batch mode, with a learning rate of , and with as the max number of training iterations.

Figure \thefigure: Evolution of the average AUC with the number of features over 100 train/test splits for EldeRan, the SVM, and NB

In Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we show the performance of EldeRan, the SVM, and NB in terms of the AUC with the number of features. We observe that both EldeRan and the SVM outperforms the NB classifier. This result suggests the importance of considering the relation across the different features. Note that NB considers independence between features, whereas the SVM and the Logistic Regression take into account possible dependencies across features. We observe that EldeRan slightly outperforms the SVM in all cases. Although the difference is not significant, the Regularized Logistic Regression classifier used by EldeRan is simpler than the SVM and can be easily adapted to be retrained online, i.e. as we increase our training dataset with new samples, without training the classifier from scratch. This property is desirable from a practical perspective since we can expect hundreds of new ransomware and goodware samples per day. By looking at Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection, it is also interesting to observe that the maximum of the performance for the three algorithms is achieved for features. Thus, adding more features to the classifiers does not improve the accuracy. This result shows the importance of feature selection to reduce the complexity of the machine learning algorithms without affecting the performance (note that the whole number of features in our dataset is ). Moreover, this also suggests that MI is an effective means of identifying the most useful features. Therefore, for the remaining experiments we used the features with the highest MI for EldeRan, the SVM, and NB.

Figure \thefigure: Average ROC for the test samples over 100 random splits for EldeRan, the SVM, NB, and VirusTotal

For the second experiment we compared the performance of EldeRan, the SVM, and NB with VirusTotal. For EldeRan, the SVM, and NB we selected the top features. We have computed the test performance for all the methods averaging the results over independent train/test splits with of samples for training. In Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we show the average ROC for the test set. We can observe that VirusTotal outperforms the rest of the machine learning algorithms, though EldeRan comes close to its performance. On the other hand, EldeRan outperforms both the SVM and NB, supporting the results of Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. In Tab. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we show a more detailed comparison of the four methods in terms of the AUC and test error, false positive, and detection rates. We observe that in terms of the AUC, VirusTotal slightly outperforms SVM and EldeRan, which supports the results in Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. However, in terms of the test error rate VirusTotal (with majority voting) is worse than EldeRan and the SVM. In this sense, whereas EldeRan’s average error rate is , that of VirusTotal is . We also observe a better performance of EldeRan with respect to the SVM (with a error rate) and NB ( of error). From the results in Tab. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection it is interesting to note that in the case of VirusTotal all the errors are false negatives, since the false positive rate is zero. This implies that the detection rate of VirusTotal is sensibly lower compared to the 3 machine learning techniques. EldeRan outperforms the rest of the methods and achieves a remarkable detection rate. Although the false positive rate is slightly higher than VirusTotal, we consider that a of false positives are tolerable for this kind of analysis, considering the fact that EldeRan is not based on signatures, and is also able to detect new ransomware families. The good average ROC for VirusTotal in Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection contrasts the poor results in terms of the detection rate.

Method AUC Test Error FP Rate Det. Rate
Table \thetable: Average test results plus/minus one standard deviation for EldeRan (ELD), the SVM, NB, and VirusTotal (VT) over independent train/test splits, including the AUC, test error, false positive (FP), and detection rates
Test Error FP Rate Det. Rate
Table \thetable: Average test results plus/minus one standard deviation (over train/test splits) for EldeRan (ELD) compared with the Top-5 AV vendors, including the test error, false positive (FP), and detection rates

Finally, given the limitations on the detection rate for the majority voting scheme with VirusTotal, we compared EldeRan with the 5 AVs with highest detection rate over the whole dataset. Then, we averaged the results of these 5 AVs over the same train/test random splits used in the previous experiment. The results are shown in Tab. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. We can observe that EldeRan outperforms 4 out the top-5 AVs in terms of the detection rate. Despite EldeRan’s false positive rate is higher than 4 of the AVs, the test error rate is competitive to all of them. In Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection we show in more detail the average detection rate of the top-5 AVs compared to EldeRan, and we can see that EldeRan places in the second position with a slightly lower detection rate compared to the best AV. As mentioned before, it is important to note that the experimental comparison is not fair, since machine learning methods and AV software work in a different way. In particular, the measured test performance corresponds to the performance on samples that the machine learning classifier has not seen yet, whereas possibly, in most cases, the AV vendors have the corresponding signature analysis for those test samples, i.e. they have already seen them. Moreover, when an AV does not provide an answer to a specific piece of software, we are not considering that as an error888Both when a vendor does not provide an answer for a sample on VirusTotal, and when the analysis is absent on VirusTotal. Note that we used the “cached” mode: hence, most of the goodware samples were not present on VirusTotal..

Figure \thefigure: Average detection rate (over train/test splits) of EldeRan compared with the Top-5 AV vendors

In the final experiment we want to test the ability of EldeRan to detect new families of ransomware. The importance of this analysis lies in the fact that often new families of ransomware appear, which share many characteristics, and goals, of previous classes [?]. Therefore, particular in the first phases, the average detection of these signatures by AV vendors is very low, exemplified by the CryptoWall 3 variants [?]. We manually clustered our dataset into classes using their generally known family name – as the naming conventions of the AV vendors are not always consistent or compatible amongst them. We analysed the detection rate of EldeRan when one specific family of ransomware is not considered in the training set, so that family is effectively a new family for the classifier. Then, for each of the ransomware families appearing in the dataset, we selected the features and trained the classifier considering all the goodware and ransomware samples in the dataset, except those corresponding to the ransomware family under analysis. We considered two cases by selecting the top and features according to the MI criterion. For the classifier, we set regularization parameter . When testing the detection rate for each family, since the samples in the training set are the same, we do not need to average the results over several repetitions. Note that, for a given training set, the Logistic Regression classifier converges always to a unique minimum of the cost function999In practice there can be very small variations due to the gradient descent algorithm, but they are negligible..

Family # samples
Det. Rate
( ft.)
Det. Rate
( ft.)
Citroni 50
CryptLocker 107
CryptoWall 46
Kollah 25
Kovter 64
Locker 97
Matsnu 59
Pgpcoder 4
Reveton 90
TeslaCrypt 6
Trojan-Ransom 34
Weighted Avg. 582
Table \thetable: Detection rate across different ransomware families when EldeRan is trained using only the data from the rest of the ransomware families using the most relevant and features according to the Mutual Information criterion

The results of the experiment are shown in Tab. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. We can observe that, by using only features, the detection rate is above for of the ransomware families, and above for out of the families. The results are however worse when considering features with a detection rate higher than for families, and a detection rate above for families. It is interesting to observe that the average detection rate (calculated as the weighted average over the detection rate for each family) is higher () when using only the top features than in the case of using features (). This contrasts the results shown in Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection, where for features we get a lower AUC and then, a lower detection rate is expected (at least if we consider the same false positive rate in the corresponding ROCs). The reason of this comes from the difference between the samples in the training and the test sets: whereas in the experiment shown in Fig. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection the samples for both the training and the test sets come from the same distribution (since the samples from the different families are mixed in both sets), in the experiment shown in Tab. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection the distribution of the ransomware samples in the test set can be different to the ones in the training set. This induces certain “overfitting" to the families that are known to the classifier and limits the detection for new families of ransomware. However, in this particular case, it seems that all the ransomware families share a common set of features that are captured by the top most relevant features according to the MI criterion. This reduces the effect of the “overfitting" due to the different distribution of the training and test sets. It is important to note that this “overfitting" is not due to the Regularized Logistic Regression classifier and the feature selection algorithm per se, but to the differences between the distributions of the training and test sets.

In this section we discuss the results of EldeRan, the benefits and limitations of dynamic analysis and suggestions for improvements.

The experimental results show that it is possible to detect a ransomware from its early phases of installation, and also when a new family appears. In fact, EldeRan achieved a detection rate of 96.3%. Note that we can expect to see more new ransomware families, especially with the RaaS availability. In our experiments we have shown that, even if the initial set of features was rather large (around ), in the end only 400 have been shown to be sufficient. One important result that we were able to provide is that Mutual Information is very effective in deriving the most important features. In particular, the registry key and API calls are the two classes with most relevant features. Finally, EldeRan is competitive with the top AV vendors in the detection rate. In this respect, note that security researchers have discovered ransomware variants sharing the same packing and delivery technique (essentially, they come from the same family) but included random variables in their code, for each target, that help them evading AV static signature-based detection [?], especially in the first phases of a new ransomware campaign, when as few as 2 AV vendors out of 66 may be able to detect a new variant [?]. This example further favours our assumption that a machine learning approach is particularly suitable for detecting ransomware. Despite these very good results, EldeRan would not be suitable as a replacement for AV software, and is not intended as such. However, these results indicate that EldeRan would be an effective and entirely automated tool to analyse new software and enhance the detection capabilities of AV software. In particular, it shows that EldeRan can identify ransomware with a high degree of accuracy, especially when new families of ransomware are spread on the wild, and can thus identify candidates for subsequent signature extraction.

Note that AV companies are relying on automated dynamic analysis tools to detect new variants of ransomware (and other malware): they apply heuristics combined with behaviour analysis to deduce whether the executable is benign or malware. EldeRan follows a similar approach and, in addition, it implements machine learning techniques to improve the process of classification. There are two main reasons for employing automated dynamic analysis techniques for ransomware: first, in initial stage of triage, the main goal is the containment, i.e. the detection of the ransomware before infection; to this end, we run the infected file for a very limited time to select the relevant features; secondly, ransomware use very sophisticated packing (such as Themida and VMProtect) and obfuscated techniques that render most of static analysis tools useless. Therefore, dynamic analysis is indispensable to dissect ransomware and understand their main features and functionalities. Note that some families of ransomware do not drop their payload before checking certain preliminaries (environment, C&C ), where in the absence of these the malware won’t perform the encryption. Hence, early detection before releasing the payload in crucial for containment.

We are aware that currently some limitations of EldeRan. A first limitation concerns the analysis, and detection, of those samples of ransomware that are silent for some time, or that wait for the user to do something. In this case, EldeRan does not properly extract their features. To mitigate this ransomware’s behaviour, a solution is to inject some real, or script-generated, user actions into the sandboxed environment. Analogously, for ransomware that exploits evasion, or anti-sandbox, techniques, e.g. any malware that looks for signs of emulation or virtualization, and that does not perform any action in case. Another limitation of our approach is that, in the current settings, no other applications were running in the analysed VM, except the ones coming packed with a fresh installation of Windows. This might not be a limitation per se but, as in the previous cases, the ransomware might do some checks as to evade being analysed. Finally, note that the dataset consists of 582 working samples of ransomware belonging to 11 different classes and 942 samples of good applications: however, the initial dataset was larger (1,450 ransomware samples and 1,131 goodware samples). We analysed a ransomware (or goodware) only if the set of API calls was not empty, which means the ransomware could be run properly.

In additions to the previously suggested improvements, we also point out that any dynamic solution should to take into account these issues: (i) reduce the time of feature analysis to be as short as possible; (ii) implement more sophisticated detection techniques, e.g. based on (known) patterns of system calls used to encrypt files; (iii) be able to distinguish between actions performed by a legitimated encryption software and a crypto-ransomware. We believe that, in any case, the dynamic analysis is needed to improve the detection of ransomware: in fact, current packers render the static analysis of ransomware very hard. Note that the goal of this work is twofold: firstly, to discover whether it is possible with dynamic analysis to derive some key-characteristics features of ransomware across different families. Secondly, whether it is possible, by using these features, to classify ransomware using machine learning techniques by achieving results comparable to those of top AV vendors. Note that the classifier, once trained, can be run on user PCs: as we already pointed out, the Regularized Logistic Regression classifier used by EldeRan can be easily adapted to be retrained online when new samples are available, without the need to re-train it from scratch.

Currently, little related work specifically targets ransomware. Hence, here we describe both related works on ransomware and more general malware-oriented papers. The first description of the development of a crypto-virus prototype was in 1996 [?], which described the use of asymmetric encryption. [?] report the first analysis of three ransomware families, and showed they did not fulfil the basic crypto requirements (e.g., sufficiently long encryption keys) for mass extortion. [?] present the experimental results of applying cryptography to carry out extortion-based attacks, by implementing the payload through Microsoft Cryptographic API. More recently, a Symantec report [?] shows how ransomware has evolved considerably in the last years, both in terms of features and spreading capabilities. The authors also pinpoint future directions of ransomware evolution, such as targeting the wearable market (the so called “ransomwear”). [?] describe, among others, the underground market of scareware and ransomware, by showing that (prudent) statistics for CryptoLocker account for $3 million revenue in 2013-2014. In [?] the authors propose a new method to learn and discriminate malware behaviour. Similarly, in [?] the authors propose a framework to automatically analyse malware behaviour through ML. In particular, the framework allows researchers to identify novel classes of malware having similar behaviour, and to assign labels to the new discovered classes. In contrast, in EldeRan we have shown the importance of feature selection to reduce the complexity of the ML algorithms without affecting the performance. This contrasts with some solutions proposed in where no feature selection algorithm is proposed [?], [?]. In [?] the authors analyse 15 different ransomware families, by showing that the large majority of samples implement locking or encrypting techniques through naïve techniques. The authors describe simple techniques to detect and stop ransomware, such as monitoring abnormal file activities. This analysis is confirmed by EldeRan results: by using a limited set features we were able to detect more than 96% of ransomware. HelDroid [?] is a system for recognizing Android ransomware using their typical characteristic, such as functions to lock screen. The detection results for HelDroid are better than those of EldeRan, due to the fact that the sophistication, and variance, of ransomware for Android is quite limited with respect to that for Windows. Finally, [?] is a early-warning detection system for ransomware that checks for file activities and alerts the user in case of suspicious activities, using an union of three features (file type changes, similarity measurement and entropy).

Given the monetary gains achievable, ransomware has become the focus of many cyber-criminals leading to its rapid evolution, and to sophisticated samples able to evade signature-based AVs. Coping with both new variants of known families, and new families, is therefore of essence. We have shown that ML is a viable and effective approach to detect new variants and families of ransomware for subsequent analysis and signature extraction, and as a complement for AV. Mutual Information has shown to be an effective way of automatically selecting the features, while Regularized Logistic Regression has shown to be an accurate algorithm, easy to train and update, and fast. In terms of results, it compares well with more sophisticated algorithms and leads to much better results than more naïve approaches.

Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description