International Journal of Technology Management and Information System (IJTMIS) eISSN: 2710-6268 [Vol. 4 No. 4 December 2022]
Journal website: http://myjms.mohe.gov.my/index.php/ijtmis
CRYPTO-RANSOMWARE EARLY DETECTION FRAMEWORK USING MACHINE LEARNING APPROACH
W. Z. A. Zakaria1*, Nur Mohammad Kamil Mohammad Alta2, Mohd Faizal Abdollah3, Othman Abdollah4 and S. M. Warusia Mohamed S. M. M5
1,2 MyCERT, Cybersecurity Malaysia, Cyberjaya, MALAYSIA
3,4,5 Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka, Durian Tunggal, MALAYSIA
*Corresponding author: [email protected]
Article Information:
Article history:
Received date: 12 November 2022
Revised date: 14 November 2022
Accepted date: 3 December 2022
Published date: 15 December 2022
To cite this document:
Zakaria, W. Z. A., Mohammad Alta, N. M. K., Abdollah, M. F., Abdollah, O., & Warusia Mohamed S. M. M, S. M. (2022). CRYPTO-RANSOMWARE EARLY DETECTION FRAMEWORK USING MACHINE LEARNING APPROACH. International Journal of Technology Management and Information System, 4(4), 15-27.
Abstract: Ransomware threats are rising. Some attacks start by using social engineering techniques to install payloads on the targets' computers; the payloads then connect to command and control services to exchange data. Researchers should raise awareness of the risks posed by these growing intrusions in order to scale back these attacks and prevent irreversible data loss. In this paper, we propose a machine learning-based framework for early detection of ransomware infection on the Windows operating system. Based on behavioural logs gathered from a malware sandbox, this research analyses distinct ransomware families. We examine the behavioural logs to create a ransomware pre-encryption dataset, with the aim of producing a list of API calls involved in the early stages of ransomware execution. Machine learning classifiers are given this dataset to determine which samples are ransomware and which are benign. The features employed in this study were drawn from the 232 features derived from Windows API calls. Five popular machine learning classifiers were utilised in this experiment: Naive Bayes, k-nearest neighbours (kNN), Support Vector Machines, Random Forest, and J48. Support vector machines (SVM) performed the best in our testing, with an accuracy rate of 93.8% and an area under the curve (AUC) of 0.979.
Keywords: ransomware, crypto-ransomware, cryptographic ransomware, ransomware detection, ransomware lifecycle, ransomware early stage.
1. Introduction
Ransomware is malicious software that attacks computers and quickly spreads to lock or encrypt data (Badawi & Jourdan, 2020; Liao et al., 2016; Shakir & Jaber, 2018). The malware renders the victims' data inaccessible, and the attackers demand payment from them to decrypt the files and make them available again. Payment is frequently demanded in hard-to-trace currencies like Bitcoin (Bhardwaj et al., n.d.; Kharraz et al., 2015; U. Salvi & V. Kerkar, 2015). Around the world, ransomware is currently attacking businesses and individuals.
The fundamental goal of ransomware is to use malware to generate revenue. Ransomware has demonstrated its disruptive and destructive character from the time of its first appearance until now.
Its capabilities have expanded well beyond merely displaying adverts, blocking services, disabling keyboards, or spying on user activity (Surati & Prajapati, 2017). In other cases, it also threatens to expose the user's private information to the public if payment is not made, on top of locking the system or encrypting the data (Cabaj et al., 2018). Although they employ various types of payloads, all varieties of ransomware act in a remarkably similar way (Gonzalez & Hayajneh, 2017; Jones & Shashidhar, 2012).
The sophistication of ransomware attacks has increased, posing a danger to businesses, government agencies, and institutions of higher learning. Cyber criminals have developed hundreds of ransomware variants because of the attractive incentives, and ransomware has thus recently dominated the landscape of online threats. Ransomware attacks target individuals, companies, corporations, government institutions, universities, and hospitals. For instance, the Shadow Brokers APT EternalBlue hack allowed the WannaCry ransomware to infect over 300,000 people in 150 countries in 2017. The Petya ransomware attack was the first to be specifically targeted, with most infections taking place in Ukraine; Petya, however, has since spread to more than 60 nations. As a result, ransomware attacks continue to dominate the world of cyber security, and targeted attacks are predicted to expand dramatically. Focusing on this danger is vital given the exponential growth of ransomware attacks. The main drivers of the global crypto-ransomware spread are exploit kits, cryptocurrencies, and ransomware-as-a-service (RaaS) (Craciun et al., 2019; Kao et al., 2019; Urooj, Aizaini Bin Maarof, et al., 2021). With RaaS, any organisation can be the target of a crypto-ransomware attack, regardless of the attacker's experience level. Crypto-ransomware is malware that encrypts user data using the cryptographic capabilities of the system. Compared to other malware categories, crypto-ransomware is harder to recover from because of its irreversible effect: user files encrypted by a crypto-ransomware attack cannot be accessed without the necessary decryption key (Anghel & Racautanu, 2019; Gagneja, 2017; Gonzalez & Hayajneh, 2017; Kok et al., 2020).
The availability of ransomware development toolkits like RaaS and the numerous ransomware variants generated with them contribute to the growing ransomware problem and to the current rise in ransomware attacks. Additionally, the accessibility of RaaS on the dark web has made it easier to create ransomware. Locker and cryptographic ransomware are the two types currently in use (Homayoun et al., 2017, 2019; Pathak & Nanded, 2016). Crypto-ransomware encrypts the files on a victim's computer and will not release the decryption key for the files unless the victim pays a ransom (Chen et al., 2018). Locker ransomware, by comparison, leaves the victim's files intact but prevents access to the computer until a ransom is paid (Cusack et al., 2018). After infection, locker ransomware locks the system (Maigida et al., 2019): without changing the files stored on it, it locks the device and prevents the user from accessing the device and system operations. Sometimes it poses as a law enforcement agency and demands money as a supposed penalty for unlawful behaviour by the user, such as downloading files or visiting websites with child pornography. On the infected computing platform, cryptographic ransomware encrypts all or specific files and folders (Honda et al., 2018; Pathak & Nanded, 2016; Symantec, 2016; Yaqoob et al., 2017).
In other words, it restricts access to the victim's files. The public-private key relationship is the most common method employed by crypto-ransomware: data is encrypted using the public key and can only be decrypted using the private key. Successful ransomware attacks are a serious threat to online safety, and given the proliferation of Internet-connected devices, this is especially important.
However, ransomware cannot be reliably detected using the traditional methods employed by malware detection software, because ransomware must be found before it encrypts anything. Only when these threats are discovered before encryption begins can they be adequately mitigated. It is difficult to identify ransomware attacks in their early stages since there is little data available before encryption (Honda et al., 2018; Yaqoob et al., 2017).
2. Literature Review
Ransomware has been around for a while. The first Windows ransomware appeared in 1989 and the threat has persisted to this day, although it has undergone major changes since then. The PC Cyborg attack, which happened in December 1989, was the first ransomware incident. It was also the first cryptographic ransomware, since it encrypted the files stored on computer drives using a symmetric key and an initialization vector (Giri & Jyoti, n.d.).
Malware is a computer program designed to interfere with an operating system's fundamental functions by sneaking in through, or exploiting, weak installed software, and to damage the machine by stealing its resources, network, and data. Viruses, worms, spyware, trojan horses, adware, and ransomware are some well-known malware families.
Due to its use of cryptovirology, ransomware is currently regarded as the most common malware attack. Young et al. described the nature of using encryption to hold user data and files hostage (Young, 1996). The AIDS Trojan, or PC Cyborg, was the first ransomware to be identified, and it appeared in 1989. Biologist Joseph Popp delivered it via floppy disc, and the ransomware was time-bombed on the number of reboots: when the counter reached 90, it encrypted files and issued a demand for payment by check. Due to its reliance on transmission via physical floppy discs and its use of symmetric key encryption, it was less effective and had a modest impact (Giri & Jyoti, n.d.).
Locker and crypto-ransomware are the two types of ransomware. Locker ransomware merely affects the user interface, leaving the system and files intact. The locker ransomware encrypts files and disables operating system features, including desktop apps and input/output utilities.
Meanwhile, cryptographic ransomware, often known as crypto-ransomware, tries to extract money from victims by encrypting their files (Anghel & Racautanu, 2019; Bhardwaj et al., n.d.; Fernando et al., 2020).
Crypto-ransomware encrypts user-related files using the cryptography features of the host operating system. The consequences of such ransomware are reversible only with the cryptographic keys held by a remote adversary, which sets it apart from other types of malware. Encrypted files are renamed and given new extensions. Some of the most common ransomware encrypted file extensions are ".ccc", ".cerber", ".cerber2", ".cerber3", ".crypt", ".cryptolocker", ".cryptowall", ".ecc", ".ezz", ".locky", ".micro", ".zepto", and ".encrypted". It replaces the original desktop background with a fresh wallpaper carrying a ransom note. Cryptolocker, CryptoDefense, KeRanger, ZCryptor, Crysis, zCrypt, Locky, and WannaCry are just a few examples of crypto-ransomware (Lee et al., 2019).
2.1 Ransomware Lifecycle
Before we can build solutions for early detection, it is crucial to understand the phases of the ransomware lifecycle (Patyal et al., 2017; Urooj, Aizaini Bin Maarof, et al., 2021; Zakaria et al., 2022). Most of the literature describes the ransomware phases as depicted in Figure 1. Understanding ransomware behaviour at each phase permits the creation of a mitigation strategy at the desired stage.
Figure 1: Ransomware Attack Lifecycle (Zakaria et al., 2022): Deployment → Installation → C2 → Destruction → Extortion.
2.1.1 Deployment
Email is the most popular method of delivering ransomware: cybercriminals get their malicious software executed by persuading the recipient that the message is legitimate. Microsoft Office files with macros, phishing, and executable files disguised with document icons are some of the most popular social engineering approaches. Some ransomware is also known to be downloaded from malicious websites and exploit kits like the Angler EK.
2.1.2 Installation
The ransomware installs itself automatically once it has reached the host. On Windows-based systems, changes are made to the system during the installation process, such as setting specific registry values that guarantee the malware starts each time the host is rebooted. At this point, several legitimate-looking subprocesses are created, and a few dynamic-link libraries are loaded. The attacker starts to control the machine once the ransomware is installed. The malicious components may occasionally be divided into a few scripts, processes, batch files, and other tools; this is done to avoid discovery by antivirus scanners that rely on signatures.
2.1.3 Command and Control (C2)
The ransomware contacts its server to obtain the encryption keys and the instructions to follow from this point on, such as platform mapping and identification of network shared drives.
There are many different ways in which ransomware communicates with its controlling server. In some cases communication takes place over a plain HTTP channel without encryption; in others the controller is reached over a more complicated channel like the TOR network.
2.1.4 Destruction
In this phase the ransomware encrypts the targeted files. Encryption is the crucial element that sets ransomware apart from other malware and makes its effects so hard to undo. The encryption phase begins after the ransomware has successfully established itself on the victim's machine. The encryption key may occasionally be generated on the victim's computer itself.
2.1.5 Extortion
The next step is to inform the user that the data have been fully encrypted. A ransom note containing the instructions for paying the ransom and decrypting the data is presented in a window to let the victim know. All ransomware relies on extortion, although the way it is carried out varies.
2.2 Related Works on Ransomware Detection
Ransomware evolved from deceptive apps and fake antivirus, through locker ransomware, and finally to crypto-ransomware. The availability of programming toolkits, the portability of cryptographic technology, and the financial gain from victims' payments are the key drivers of ransomware attacks today. Ransomware detection methods and procedures have been divided into anomaly-based and misuse-based approaches (Ahmed et al., 2020; Al-rimy et al., 2020; Al-rimy & Maarof, 2018). The algorithm suggested in [24] relies mostly on activity logs to establish detection patterns using machine learning techniques and identify ransomware files within the first ten seconds of operation. It identifies ransomware samples from three different families with 99% precision.
A dynamic analysis system called UNVEIL was created by Amin et al. as an upper layer on the Cuckoo sandbox (Kharaz et al., 2016). Their technique can detect ransomware regardless of whether a sample is a file locker or a screen locker. The file-locking type is detected by watching file system I/O requests in automatically generated user environments, which keeps the ransomware from recognising that it is running in an analysis environment; screen lockers are identified by the dissimilarity scores of screenshots taken from the desktop. Ahmadian et al. (Ahmadian & Shahriari, 2016) suggested a detection technique dubbed 2entFOX, which uses a Bayesian belief network over 20 variables extracted in an experimental study to identify high-survivability ransomware (HSR). Static and dynamic analysis are equally essential to 2entFOX's features. Feng et al. suggested a deception strategy for ransomware detection with no loss occurring before detection (Ahmadian & Shahriari, 2016). Using decoy files, the method has been tested on the Locky family to identify ransomware behaviour in real time. Chris Moore created a honeypot folder to track modifications and find malware (Moore, 2016). The honeypot folder is audited either through file screening services or through an analysis of Windows security logs, and a graded response is delivered based on the threshold that was triggered.
2.3 Problem Statement
A crypto-ransomware attack's irreversible effects necessitate that it be discovered as soon as possible before it begins encrypting files and demands payment. The presence of ransomware in its early phases cannot be found with the present detection method. Most available remedies can only detect its presence if the files have been encrypted, ransom notes suddenly emerge, or the wallpaper has changed.
The irreversible effect of crypto-ransomware, even after detection and eradication, defines it. Early detection is therefore essential to prevent the ransomware from encrypting user data and files. To make use of the information acquired during the early stages of assaults, before the encryption process begins, several strategies have been put forth. But a lack of data in the early stages of an attack makes detection less accurate (Ahmed et al., 2020; Al-rimy & Maarof, 2018; Alqahtani et al., 2020; Sgandurra et al., 2016; Urooj, Maarof, et al., 2021; Zakaria et al., 2022).
In contrast to other forms of malware, crypto-ransomware requires early detection due to the irreversible nature of its attack (Al-rimy & Maarof, 2018; Mathane & Lakshmi, 2021; Zakaria et al., 2022). To detect crypto-ransomware efficiently and as early as feasible, a description of the phase before encryption is crucial. Although several researchers have recently focused on the early prediction of crypto-ransomware, these methods fall short in effectiveness and efficiency because they only track specific ad hoc events rather than the overall behaviour. Because of the variety of crypto-ransomware attack methods, whether these ad hoc events occur at all depends on the family of the infecting code. As a result, such methods have a poor detection rate and a high rate of false alarms. The pre-encryption stage needs to be better defined in current ransomware detection research, which makes it difficult to identify a crypto-ransomware attack early on (Al-rimy et al., 2021; Alqahtani et al., 2020; Kok et al., 2020; Zakaria et al., 2022). Furthermore, current methods are misuse-based and rely on predetermined structural or behavioural signs, which are unable to identify novel, zero-day attacks. To address these difficulties, this research proposes a framework for developing early detection models for crypto-ransomware that can identify this kind of attack before the encryption process begins. The three research questions for this study are listed below:
a) Can we predict crypto-ransomware infection on a Windows host from runtime behavioural data, such as process activity, before the ransomware starts encrypting the targeted files?
b) Which features should be used to represent crypto-ransomware activity during the early stages of ransomware initialization?
c) How can crypto-ransomware-related early-stage activities be identified?
2.4 Research Objectives
The value of crypto-ransomware detection is to detect it during the pre-encryption stages. Hence, the objectives of this research are listed below:
a) To identify features for pre-encryption detection of crypto-ransomware.
b) To propose, design and develop an algorithm for predicting the presence of crypto-ransomware during the pre-encryption stage.
c) To test and validate the proposed algorithm.
3. Proposed Framework
Having tools to identify unknown crypto-ransomware attacks before unapproved mass file encryption occurs seems vital given the scope and diversity of cyber threats we face today.
Additionally, it is crucial to safeguard user data against all types of crypto-ransomware attacks with no data loss. Building an early detection system that can block crypto-ransomware attacks, even ones that use complicated encryption, is feasible by monitoring the Application Programming Interface (API) calls that crypto-ransomware makes.
To prevent user data from being encrypted, we propose an early detection methodology for crypto-ransomware called RENTAKA. Thorough studies of most incidents show a strong correlation between Windows API calls and ransomware-specific events and processes. User-level malware such as ransomware must issue system calls to interface with the operating system (OS) and carry out its malicious actions. The operations that software invokes during execution are called API calls; in other words, API calls are a collection of routines offered by the OS for the development of programmes, where each API call carries out a certain function. Using dynamic analysis, the API calls are retrieved after running the ransomware sample in a sandbox. We show that, when used against the ransomware families tested, our method can achieve zero data loss and can identify crypto-ransomware in the early stage. The framework is depicted in Figure 2.
Figure 2: RENTAKA Framework
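As an added example (not code from the paper or the RENTAKA project), the following Python builds the kind of pre-encryption API-call feature vectors described above from constructed sandbox traces, trains one of the five classifiers of Section 4 (Naive Bayes) from scratch, and scores it with the accuracy, TPR and FPR metrics reported in Table 3. The encryption-API boundary, the trace contents and all function names are assumptions made for this example.

```python
import math
from collections import Counter

# Assumed pre-encryption boundary (the paper does not define one): the first
# call to one of these APIs marks the start of the destruction phase, and
# everything from that call onward is discarded before feature extraction.
ENCRYPTION_APIS = {"CryptEncrypt", "BCryptEncrypt"}

# Constructed sandbox traces as (label, ordered API calls); 1 = crypto-ransomware,
# 0 = benign. The API names are real Win32/NT exports, the sequences are invented.
TRAIN = [
    (1, ("NtCreateFile RegSetValueExW CreateProcessInternalW GetLogicalDrives FindFirstFileExW "
         "CryptAcquireContextW CryptGenKey CryptEncrypt NtWriteFile DeleteFileW").split()),
    (1, ("NtAllocateVirtualMemory RegSetValueExW InternetOpenA InternetConnectA GetLogicalDrives "
         "FindFirstFileExW CryptAcquireContextW CryptGenKey CryptEncrypt MoveFileWithProgressW").split()),
    (1, ("NtCreateFile RegCreateKeyExW RegSetValueExW GetLogicalDrives FindFirstFileExW "
         "FindNextFileW CryptAcquireContextW CryptImportKey CryptEncrypt NtWriteFile").split()),
    (1, ("CreateProcessInternalW ShellExecuteExW RegSetValueExW InternetOpenA GetLogicalDrives "
         "FindFirstFileExW CryptAcquireContextW CryptGenKey BCryptEncrypt").split()),
    (0, "NtCreateFile NtReadFile LdrLoadDll GetSystemMetrics CreateWindowExW NtWriteFile NtClose".split()),
    (0, "LdrLoadDll RegOpenKeyExW RegQueryValueExW CreateWindowExW GetSystemMetrics NtClose".split()),
    (0, "NtCreateFile NtReadFile RegOpenKeyExW RegQueryValueExW LdrLoadDll NtClose".split()),
    (0, "LdrLoadDll InternetOpenA InternetConnectA HttpOpenRequestA NtWriteFile NtClose".split()),
]
# Held-out traces. The last one is a legitimate encrypting backup tool; it shows the
# false-alarm risk the paper attributes to behaviour-only early detection.
TEST = [
    (1, ("NtCreateFile RegSetValueExW GetLogicalDrives FindFirstFileExW FindNextFileW "
         "CryptAcquireContextW CryptGenKey CryptEncrypt DeleteFileW").split()),
    (1, ("NtOpenFile RegSetValueExW CreateProcessInternalW GetLogicalDrives FindFirstFileExW "
         "CryptAcquireContextW CryptImportKey CryptEncrypt NtWriteFile").split()),
    (0, "NtCreateFile FindFirstFileExW FindNextFileW NtReadFile LdrLoadDll NtClose".split()),
    (0, "RegOpenKeyExW RegQueryValueExW CreateProcessInternalW LdrLoadDll GetSystemMetrics NtClose".split()),
    (0, ("LdrLoadDll GetLogicalDrives FindFirstFileExW FindNextFileW CryptAcquireContextW "
         "CryptGenKey CryptEncrypt NtWriteFile NtClose").split()),
]

def pre_encryption_window(calls):
    """Return the prefix of a trace that precedes the first encryption API call."""
    for i, api in enumerate(calls):
        if api in ENCRYPTION_APIS:
            return list(calls[:i])
    return list(calls)

def build_vocabulary(traces):
    """Sorted API names seen in the training windows: the feature list (the 232-feature
    API category of the RISS dataset plays this role in the paper)."""
    return sorted({api for _, calls in traces for api in pre_encryption_window(calls)})

def vectorize(calls, vocab):
    """Binary presence vector over the vocabulary, computed from the window only."""
    seen = set(pre_encryption_window(calls))
    return [1 if api in seen else 0 for api in vocab]

class BernoulliNB:
    """Bernoulli Naive Bayes with add-one smoothing, one of the paper's five classifiers."""

    def fit(self, X, y):
        self.classes = sorted(set(y))
        self.log_prior, self.log_p, self.log_q = {}, {}, {}
        for c in self.classes:
            rows = [x for x, label in zip(X, y) if label == c]
            self.log_prior[c] = math.log(len(rows) / len(X))
            # P(feature present | class), smoothed so unseen features never give log(0).
            probs = [(sum(col) + 1) / (len(rows) + 2) for col in zip(*rows)]
            self.log_p[c] = [math.log(p) for p in probs]
            self.log_q[c] = [math.log(1 - p) for p in probs]
        return self

    def predict(self, x):
        def score(c):  # log P(c) plus the log-likelihood of every feature bit under c
            return self.log_prior[c] + sum(
                lp if bit else lq for bit, lp, lq in zip(x, self.log_p[c], self.log_q[c]))
        return max(self.classes, key=score)

def evaluate(predicted, truth):
    """Accuracy, TPR and FPR as in Table 3 (label 1 is the positive class)."""
    n = Counter(zip(predicted, truth))  # (predicted, actual) -> count
    tp, fn, fp, tn = n[1, 1], n[0, 1], n[1, 0], n[0, 0]
    return {"accuracy": (tp + tn) / len(truth), "tpr": tp / (tp + fn),
            "fpr": fp / (fp + tn), "predictions": list(predicted)}

def run_experiment():
    """Train on TRAIN, classify the held-out TEST traces and return the metrics."""
    vocab = build_vocabulary(TRAIN)
    model = BernoulliNB().fit([vectorize(c, vocab) for _, c in TRAIN], [lab for lab, _ in TRAIN])
    predicted = [model.predict(vectorize(c, vocab)) for _, c in TEST]
    return evaluate(predicted, [lab for lab, _ in TEST])

if __name__ == "__main__":
    print(run_experiment())  # accuracy 0.8, tpr 1.0, fpr 0.333..., predictions [1, 1, 0, 0, 1]
```

The backup-tool trace is classified as ransomware because its pre-encryption API profile (drive enumeration, file search, key generation) is indistinguishable from the ransomware samples, which is exactly the false-alarm trade-off the paper raises for behaviour-only early detection.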
3.1 Dataset
The dataset used in this study is from the Resilient Information System Security (RISS) research group from Imperial College London in 2016. This dataset was selected because it has API data for ten ransomware families and a good selection of goodware (benign). The dataset was created using a dynamic analysis approach for 582 samples of ransomware and 942 samples of benign programs. The data are captured in five main categories with 30,067 features. API calls have 232 features.
(Figure 2 elements: Ransomware sample; Dynamic analysis (Deploy, Install, Network, API); RENTAKA-algorithm (Extract pre-encryption features, Generate pre-encryption features); Classifier; output CR / Not CR.)
Table 1: Ransomware Families and Sample Counts in the Dataset

No.  Sample name     Count
1    Critroni           50
2    Cryptlocker       107
3    Cryptowall         46
4    Kollah             25
5    Kovter             64
6    Locker             97
7    Matsnu             59
8    Pgpcoder            4
9    Reveton            90
10   Teslacrypt          6
11   Trojan-ransom      34
Table 2: Category of Information in the Dataset

Category                        Count
API                               232
Registry key                      346
Dropped file                     6622
Files and directory operation    7500
Embedded string                 16267
Total                           30967
Two groups of researchers used this dataset for work on crypto-ransomware early detection frameworks [1], [51]. As far as this research is concerned, publicly available datasets on crypto-ransomware behaviour are still lacking. However, the RISS dataset is by far the best dataset available for ransomware behaviour, as shown by the EldeRan and PEDA work [1], [51]. Tables 1 and 2 summarise the RISS dataset used in this study. These researchers, from different institutions, successfully used the RISS dataset and produced acceptable results.
Another dataset is The Zoo malware repository, which provides ransomware binaries that can be downloaded and analysed in dynamic analysis sandboxes such as Cuckoo Sandbox.
Figure 3: Steps Involved in Generating the Required Dataset for the Framework (Ransomware behaviour dataset → RENTAKA-Algorithm → Pre-Encryption dataset).
4. Results and Discussion
The proposed model is examined and validated on a corpus of real-world ransomware samples. The findings demonstrate that API call attributes can accurately distinguish between malicious and benign binaries. Additionally, an appropriate feature selection procedure can speed up model construction without compromising the effectiveness of the malware detection system.
Using five different classification algorithms (Random Forest, Naive Bayes, SVM, kNN, and J48), this study tested 80 features. Support vector machines (SVMs) had the best accuracy and TPR in our trials, at 97.05% and 0.995 respectively. The Random Forest classifier, with an accuracy of 96.39%, came second. J48 came last with an accuracy of 94.75%. Table 3 presents the overall findings from our experiments.
(Table 3 follows Section 5.)
5. Conclusion
This study covered the categories of ransomware, the attack lifecycle, analytical methods, detection strategies, and related work on ransomware detection. It also outlined the difficulties of early crypto-ransomware detection. We proposed a machine learning classifier-based method for detecting ransomware. Support vector machine (SVM), one of the supervised machine learning methods, demonstrated the best accuracy in our testing. Crypto-ransomware attacks are highly dynamic and are turning into a specialised form of attack.
Therefore, to reduce crypto-ransomware attacks, early detection systems with classification methods based on machine learning are required. In future work we will test with larger samples and enhance the pre-encryption boundary technique. The pre-encryption boundary identification algorithm is a key component of this research: it determines how many features are used to build the machine learning model.
Table 3: The Performance of Five Classifiers in this Study

Classifier      Accuracy   TPR    FPR
Random Forest   96.3934%   0.984  0.071
Naive Bayes     80.9836%   0.781  0.142
SVM             97.0492%   0.995  0.071
kNN             96.0656%   0.979  0.071
J48             94.7541%   0.979  0.106
References
Ahmadian, M. M., & Shahriari, H. R. (2016). 2entFOX: A framework for high survivable ransomwares detection. 13th International ISC Conference on Information Security and Cryptology, ISCISC 2016, 79–84. https://doi.org/10.1109/ISCISC.2016.7736455
Ahmed, Y. A., Koçer, B., & Al-Rimy, B. A. S. (2020). Automated Analysis Approach for the Detection of High Survivable Ransomware. KSII Transactions on Internet and Information Systems, 14(5), 2236–2257. https://doi.org/10.3837/tiis.2020.05.021
Al-rimy, B. A. S., & Maarof, M. A. (2018). A 0-Day Aware Crypto-Ransomware Early Behavioral Detection Framework. https://doi.org/10.1007/978-3-319-59427-9
Al-rimy, B. A. S., Maarof, M. A., Alazab, M., Alsolami, F., Shaid, Z. M., Ghaleb, F. A., Al-hadhrami, T., & Ali, A. M. (2020). A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction. XX. https://doi.org/10.1109/ACCESS.2020.3012674
Al-rimy, B. A. S., Maarof, M. A., Alazab, M., Shaid, S. Z. M., Ghaleb, F. A., Almalawi, A., Ali, A. M., & Al-Hadhrami, T. (2021). Redundancy Coefficient Gradual Up-weighting-based Mutual Information Feature Selection technique for Crypto-ransomware early detection. Future Generation Computer Systems, 115, 641–658. https://doi.org/10.1016/j.future.2020.10.002
Alqahtani, A., Gazzan, M., & Sheldon, F. T. (2020). A proposed Crypto-Ransomware Early Detection(CRED) Model using an Integrated Deep Learning and Vector Space Model Approach. 2020 10th Annual Computing and Communication Workshop and Conference, CCWC 2020, 275–279. https://doi.org/10.1109/CCWC47524.2020.9031182
Anghel, M., & Racautanu, A. (2019). A note on different types of ransomware attacks. Cryptology EPrint Archive, Report 2019/605. https://eprint.iacr.org/2019/605
Badawi, E., & Jourdan, G. V. (2020). Cryptocurrencies emerging threats and defensive mechanisms: A systematic literature review. IEEE Access, 8, 200021–200037. https://doi.org/10.1109/ACCESS.2020.3034816
Bhardwaj, A., Subrahmanyam, G. V. B., Avasthi, V., & Sastry, H. (n.d.). Ransomware: A Rising Threat of new age Digital Extortion.
Cabaj, K., Caviglione, L., Mazurczyk, W., Wendzel, S., Woodward, A., & Zander, S. (2018). The New Threats of Information Hiding: the Road Ahead. http://arxiv.org/abs/1801.00694
Chen, L., Yang, C.-Y., Paul, A., & Sahita, R. (2018). Towards resilient machine learning for ransomware detection. Ml. http://arxiv.org/abs/1812.09400
Craciun, V. C., Mogage, A., & Simion, E. (2019). Trends in design of ransomware viruses. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 11359 LNCS, 259–272. https://doi.org/10.1007/978-3-030-12942-2_20
Cusack, G., Michel, O., & Keller, E. (2018). Machine Learning-Based Detection of Ransomware Using SDN. https://doi.org/10.1145/3180465.3180467
Fernando, D. W., Komninos, N., & Chen, T. (2020). A Study on the Evolution of Ransomware Detection Using Machine Learning and Deep Learning Techniques. IoT, 1(2), 551–604. https://doi.org/10.3390/iot1020030
Gagneja, K. K. (2017). Knowing the ransomware and building defense against it-Specific to healthcare institutes. Proceedings of the 2017 3rd Conference on Mobile and Secure Services, MOBISECSERV 2017. https://doi.org/10.1109/MOBISECSERV.2017.7886569
Giri, B. N., & Jyoti, N. (n.d.). The Emergence of Ransomware. https://doi.org/10.1177/0306396801432003
Gonzalez, D., & Hayajneh, T. (2017). Detection and prevention of crypto-ransomware. 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), 472–478. https://doi.org/10.1109/UEMCON.2017.8249052
Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., & Khayami, R. (2017). Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence. IEEE Transactions on Emerging Topics in Computing, 6750(c), 1–1. https://doi.org/10.1109/TETC.2017.2756908
Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R., Choo, K.-K. R., & Newton, D. E. (2019). DRTHIS: Deep ransomware threat hunting and intelligence system at the fog layer. Future Generation Computer Systems, 90, 94–104. https://doi.org/10.1016/j.future.2018.07.045
Honda, T., Mukaiyama, K., Shirai, T., Ohki, T., & Nishigaki, M. (2018). Ransomware Detection Considering User's Document Editing. 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA), 907–914. https://doi.org/10.1109/AINA.2018.00133
Jones, J., & Shashidhar, N. (2012). Ransomware Analysis and Defense. Journal of Colloid and Interface Science, 374(1), 45–53. https://doi.org/10.1016/j.jcis.2012.01.028
Kao, D. Y., Hsiao, S. C., & Tso, R. (2019). Analyzing WannaCry Ransomware Considering the Weapons and Exploits. International Conference on Advanced Communication Technology, ICACT, 2019-Febru(2), 1098–1107. https://doi.org/10.23919/ICACT.2019.8702049
Kharaz, A., Arshad, S., Mulliner, C., & Robertson, W. (2016). UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware.
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., & Kirda, E. (2015). Cutting the gordian knot: A look under the hood of ransomware attacks. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 9148, 3–24. https://doi.org/10.1007/978-3-319-20550-2_1
Kok, S. H., Azween, A., & Jhanjhi, N. Z. (2020). Evaluation metric for crypto-ransomware detection using machine learning. Journal of Information Security and Applications, 55(October), 102646. https://doi.org/10.1016/j.jisa.2020.102646
Lee, S., Kim, H. K., & Kim, K. (2019). Ransomware protection using the moving target defense perspective. Computers & Electrical Engineering, 78, 288–299. https://doi.org/10.1016/j.compeleceng.2019.07.014
Liao, K., Zhao, Z., Doupe, A., & Ahn, G. J. (2016). Behind closed doors: Measurement and analysis of CryptoLocker ransoms in Bitcoin. ECrime Researchers Summit, ECrime, 2016- June, 1–13. https://doi.org/10.1109/ECRIME.2016.7487938
Maigida, A. M., Abdulhamid, S. M., Olalere, M., Alhassan, J. K., Chiroma, H., & Dada, E. G. (2019). Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. Journal of Reliable Intelligent Environments, 5(2), 67–89. https://doi.org/10.1007/s40860-019-00080-3
Mathane, V., & Lakshmi, P. V. (2021). Predictive Analysis of Ransomware Attacks using Context- aware AI in IoT Systems. International Journal of Advanced Computer Science and Applications, 12(4), 240–244. https://doi.org/10.14569/IJACSA.2021.0120432
Moore, C. (2016). Detecting ransomware with honeypot techniques. Proceedings - 2016 Cybersecurity and Cyberforensics Conference, CCC 2016, 77–81. https://doi.org/10.1109/CCC.2016.14
Pathak, P. B., & Nanded, Y. M. (2016). A Dangerous Trend of Cybercrime: Ransomware Growing Challenge. International Journal of Advanced Research in Computer Engineering & Technology, 5(2), 371–373. http://ijarcet.org/wp-content/uploads/IJARCET-VOL-5-ISSUE-2-371-373.pdf
Patyal, M., Sampalli, S., Ye, Q., & Rahman, M. (2017). Multi-layered defense architecture against ransomware. International Journal of Business & Cyber Security, 1(2), 52–64. http://ezproxy.umuc.edu/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=121205538&site=eds-live&scope=site
Sgandurra, D., Muñoz-González, L., Mohsen, R., & Lupu, E. C. (2016). Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection. https://doi.org/10.15199/48.2015.11.48
Shakir, H. A., & Jaber, A. N. (2018). A Short Review for Ransomware: Pros and Cons. https://doi.org/10.1007/978-3-319-69835-9_38
Surati, S. B., & Prajapati, G. I. (2017). A Review on Ransomware Detection & Prevention. International Journal of Research and Scientific Innovation Issue IX, IV(Ix), 2321–2705. https://goo.gl/JwDUyV
Symantec. (2016). Internet Security Threat Report. Symantec, 21(2), 1–3. https://doi.org/10.1016/S1353-4858(05)00194-7
U. Salvi, H., & V. Kerkar, R. (2015). Ransomware: A Cyber Extortion. Asian Journal of Convergence in Technology, 2(3), 1–6.
Urooj, U., Aizaini Bin Maarof, M., & Ali Saleh Al-Rimy, B. (2021). A proposed Adaptive Pre-Encryption Crypto-Ransomware Early Detection Model. 2021 3rd International Cyber Resilience Conference, CRC 2021, 7–12. https://doi.org/10.1109/CRC50527.2021.9392548
Urooj, U., Maarof, M. A., & Ali Saleh Al-Rimy, B. (2021). A proposed Adaptive Pre-Encryption Crypto-Ransomware Early Detection Model.
Yaqoob, I., Ahmed, E., Rehman, M. H., Ahmed, A. I. A., Al-garadi, M. A., Imran, M., & Guizani, M. (2017). The rise of ransomware and emerging security challenges in the Internet of Things. Computer Networks, 0, 1–15. https://doi.org/10.1016/j.comnet.2017.09.003
Young, A. (1996). Cryptovirology: Extortion-Based Security Threats and Countermeasures.
Zakaria, W. Z. A., Abdollah, M. F., Mohd, O., S. M. Yassin, S. M. W. M., & Ariffin, A. (2022). RENTAKA: A Novel Machine Learning Framework for Crypto-Ransomware Pre-encryption Detection. International Journal of Advanced Computer Science and Applications, 13(5), 378–385.