Dynamic Opcode Analysis of Ransomware

The explosion of ransomware in recent years has served as a costly reminder that the malware threatscape has moved from that of socially-inept hobbyists to career criminals. This paper investigates the efficacy of dynamic opcode analysis in distinguishing cryptographic ransomware from benignware, and presents several novel contributions. First, we present a new dataset of cryptoransomware dynamic run-traces, the largest of its kind in the literature, which we release to the wider research community to foster further research in the field. Second, we demonstrate that a short run length of 32k opcodes provides highly accurate detection of ransomware (99.56%) against benign software. Third, our model offers a distinct advantage over other models in the literature: it detects a form of benign encryption (i.e. file zipping) with 100% accuracy against not only ransomware but also the non-encrypting benignware in our dataset. The research presented here demonstrates that dynamic opcode tracing can detect ransomware in times comparable to static analysis, without being thwarted by obfuscation tactics.
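As an added illustration, not code from the paper (which does not disclose its feature set or classifier in the text above): the skeleton of a dynamic opcode pipeline of the kind the abstract describes. It parses a sandbox run-trace into its executed mnemonics, truncates the run to a fixed run length (the paper's 32k figure is used as the default constant), converts the run into opcode bigram frequencies, and assigns an unknown run to the closest class profile by cosine similarity. The trace text, the `<address> <mnemonic> <operands>` line format, the two class profiles and the "crypto-like" instruction mix are all constructed assumptions; a real profile would be learned from thousands of traces rather than a single loop.

```python
"""Opcode run-trace feature extraction and nearest-profile classification.

Added example; not the paper's dataset, features or model. Everything below
the imports is constructed for illustration.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Run length taken from the abstract: only the first 32k executed opcodes are kept.
RUN_LENGTH = 32_000

# Constructed trace (assumption): ordinary function prologue/epilogue.
BENIGN_TRACE = """\
0x401000 push ebp
0x401001 mov ebp, esp
0x401003 mov eax, [ebp+8]
0x401006 cmp eax, 0
0x401009 jne 0x401020
0x40100b mov eax, 1
0x401010 pop ebp
0x401011 ret
"""

# Constructed trace (assumption): a tight xor/rotate/shift loop, the kind of
# arithmetic mix a cipher round produces. Not taken from any real sample.
CRYPTO_LIKE_TRACE = """\
0x402000 mov eax, [esi]
0x402002 xor eax, [edi]
0x402004 rol eax, 7
0x402007 xor eax, edx
0x402009 shr edx, 3
0x40200c add eax, ecx
0x40200e mov [esi], eax
0x402010 add esi, 4
0x402013 dec ebx
0x402014 jnz 0x402000
"""

NGram = Tuple[str, ...]


def parse_trace(text: str) -> List[str]:
    """Return the mnemonic of each executed instruction, in execution order.

    Lines are expected as "<address> <mnemonic> [operands]"; blank or short
    lines are skipped. Addresses and operands are dropped on purpose: opcode
    analysis works on the instruction mix, which survives relocation and
    register renaming, not on values that change between runs.
    """
    mnemonics: List[str] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mnemonics.append(parts[1].lower())
    return mnemonics


def truncate_run(opcodes: Sequence[str], run_length: int = RUN_LENGTH) -> List[str]:
    """Keep only the first `run_length` opcodes of the trace."""
    return list(opcodes[:run_length])


def ngram_features(opcodes: Sequence[str], n: int = 2) -> Dict[NGram, float]:
    """Relative frequency of each opcode n-gram in the (truncated) run."""
    grams = [tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)]
    if not grams:
        return {}
    counts = Counter(grams)
    total = len(grams)
    return {gram: count / total for gram, count in counts.items()}


def cosine_similarity(a: Dict[NGram, float], b: Dict[NGram, float]) -> float:
    """Cosine of the angle between two sparse frequency vectors (0.0 if either is empty)."""
    dot = sum(value * b.get(gram, 0.0) for gram, value in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def build_profiles(run_length: int = RUN_LENGTH, n: int = 2) -> Dict[str, Dict[NGram, float]]:
    """One reference feature vector per class, here from a single constructed trace each."""
    return {
        "benign": ngram_features(truncate_run(parse_trace(BENIGN_TRACE), run_length), n),
        "crypto": ngram_features(truncate_run(parse_trace(CRYPTO_LIKE_TRACE), run_length), n),
    }


def classify(trace_text: str, profiles: Dict[str, Dict[NGram, float]],
             run_length: int = RUN_LENGTH, n: int = 2) -> str:
    """Label an unknown run with the class whose profile it is most similar to."""
    features = ngram_features(truncate_run(parse_trace(trace_text), run_length), n)
    best_label, best_score = "unknown", -1.0
    for label, profile in profiles.items():
        score = cosine_similarity(features, profile)
        if score > best_score:
            best_label, best_score = label, score
    return best_label


if __name__ == "__main__":
    # Constructed unknown run: same arithmetic mix as CRYPTO_LIKE_TRACE, reordered.
    unknown = "0x403000 mov eax, [esi]\n0x403002 rol eax, 5\n0x403005 xor eax, [edi]\n" \
              "0x403007 shr edx, 1\n0x40300a xor eax, edx\n0x40300c add eax, ecx\n" \
              "0x40300e mov [esi], eax\n0x403010 add esi, 4\n0x403013 dec ebx\n0x403014 jnz 0x403000\n"
    print(classify(unknown, build_profiles()))
```

Bigrams rather than single opcodes are used so that the order of instructions, not just their histogram, contributes to the decision; a reordered variant of the loop still lands on the "crypto" profile because most of its adjacent pairs survive. The truncation step is what makes the approach comparable in latency to static analysis: classification happens after a bounded prefix of the run rather than after the process terminates.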
