Understanding Ransomware Actions Through Behavioral Feature Analysis

Caio Carvalho Moreira
http://orcid.org/0000-0002-0034-7552
Claudomiro de Souza de Sales, Jr.
http://orcid.org/0000-0002-2735-1383
Davi Carvalho Moreira
http://orcid.org/0000-0002-5974-3285

Abstract

Crypto ransomware attacks have increased substantially in recent years, and because they are highly profitable, this growth is expected to continue. To better understand this malware and help developers of ransomware detection systems build more robust and reliable solutions, this study investigates ransomware actions during the destruction phase through behavioral feature analysis. We used a dataset with 1524 samples and 30,967 features representing the actions performed by 582 types of ransomware and 942 benign applications (goodware). Six representative and widely used classification algorithms were applied as auxiliary tools to investigate the behavior of these attacks: Naive Bayes (NB), K-Nearest Neighbors (KNN), Logistic Regression (LR), Random Forest (RF), Stochastic Gradient Descent (SGD), and Support Vector Machine (SVM). Using RF on 462 features of the resulting dataset, we achieved an accuracy of 98.48%, balanced accuracy of 98.35%, precision of 98.17%, recall of 97.82%, F-measure of 97.98%, and ROC AUC of 99.87%. We propose a new criterion to determine the relevance of a feature group and a method to distinguish the features most related to ransomware from those most related to goodware. Our main conclusions are as follows: Application Programming Interface (API) calls are the most relevant feature group, achieving a balanced accuracy of 96.49% on their own; native Windows encryption APIs are not crucial for ransomware classification; and the most significant ransomware features tend to involve thread/process handling, physical memory operations, and communication, whereas goodware features are more likely to indicate virtual memory, file, directory, and resource operations.

Article Details

How to Cite
Moreira, C. C., Sales, Jr., C. de S. de, & Moreira, D. C. (2022). Understanding Ransomware Actions Through Behavioral Feature Analysis. Journal of Communication and Information Systems, 37(1), 61–76. https://doi.org/10.14209/jcis.2022.7
Section
Regular Papers
Author Biographies

Caio Carvalho Moreira, Federal University of Pará (UFPA)

Caio Carvalho Moreira received the M.Sc. degree in electrical engineering from the Federal University of Pará (UFPA), Belém, Pará, Brazil, in 2013. He served as a Computer System Analyst at the Brazilian Air Force from 2013 to 2017. He is currently a Ph.D. student in the Electrical Engineering Graduate Program at UFPA. His contemporary research addresses machine learning techniques applied to network and system security, specifically, ransomware detection.

Claudomiro de Souza de Sales, Jr., Federal University of Pará (UFPA)

Claudomiro de Souza de Sales, Jr. received the Ph.D. degree in electrical engineering from the Federal University of Pará (UFPA), Belém, Pará, Brazil, in 2009. Since 2010, he has been with UFPA, where he is currently with the Computer Science Department and the Electrical Engineering and Computer Science Graduate Programs. He is involved in developing new dimension reduction and data visualization techniques, applying machine learning algorithms to ransomware detection and bioinformatics, and developing new metaheuristics and variants of PSO and genetic algorithms.

Davi Carvalho Moreira, Federal University of Pará (UFPA)

Davi Carvalho Moreira received the Ph.D. degree in electrical engineering from the Federal University of Pará (UFPA), Belém, Pará, Brazil, in 2021. Since 2005, he has been with the Electrical Center of North Brazil, Tucuruí, Pará, Brazil, where he is currently with the HPP Tucuruí in the Electrical Maintenance Department. He has experience in the operation of hydroelectric plants, maintenance planning, equipment design and specification, and the maintenance of generators, transformers, and gas-insulated substations.