Multi Level Ransomware Detection Framework
Abstract—Ransomware attacks in recent years have proved expensive due to the significant damage and disruption they have caused in sectors such as health, insurance, business, and education. Several malware detection methods have been proposed to uncover different malware families, but the problem remains unsolved because malware evolves continuously. In this work, we propose a multi-level big data mining framework combining reverse engineering, Natural Language Processing (NLP) and Machine Learning (ML) approaches. The framework analyzes ransomware at different levels (i.e., dynamic link library, function call and assembly instruction level) via different supervised ML algorithms. Apache Spark was employed for faster processing of the large generated feature set. A Portable Executable (PE) parser and the Objectdump (objdump) tool of the Linux system were used to get the raw data from the ransomware and normal binaries, which were processed further using our custom-built NLP processing. The n-gram probabilities, term frequency and inverse document frequency (TF-IDF) were used to generate the final feature sets. Experiments were performed with different N values of the n-gram language model, which show that the ransomware detection accuracy is inversely proportional to the value of N. Among the five chosen supervised classifiers, logistic regression outperformed the others with a detection rate of 98.59% for the generated TF-IDF trigrams at the combined multi-level, which is an improved accuracy compared to the individual levels.

Index Terms—Ransomware, Ransomware detection, Reverse Engineering, NLP, N-gram language model, N-gram probability, TF-IDF, Big data, Apache Spark, Machine learning, DLL, Function call, Assembly instructions.

I. INTRODUCTION

Ransomware attacks have been an increasing trend these days. Various government and non-government organizations have been affected, especially in the fields of education, health, business, research, and insurance. Techniques such as social engineering attacks, password breaking, network attacks and so on have been applied to take control of the user's machine and resources so as to cause further damage and disruption. The high cost of damage caused by ransomware attacks is due to downtime of the live system, disruption of normal business, the cost of forensic investigation, restoration cost, loss due to reputational harm, and cyber security training cost. Ransomware uses cryptographic algorithms to encrypt and lock the system, and communicates with the command and control server. It forces the users to pay the money with cryptocurrencies to give back the original files, but the recovery of their original files is not guaranteed. Ransomware takes advantage of a system's vulnerabilities, such as the Windows SMB (Server Message Block) Remote Code Execution Vulnerability, CVE-2017-0144 [3], to encrypt and lock the user's system.

Ransomware is mainly classified into two categories: crypto ransomware and locker ransomware. Crypto ransomware encrypts the files in an infected computer system and holds the files unless the payment is done via bitcoin. Payment through bitcoin hides the identity of the malware writer. Paying the ransom generally makes the decryption of encrypted files possible so that the users can get the original readable data. On the other hand, locker ransomware only locks the files. Users can recover the locked files by physically moving the hard drive to a safe location or system.

According to the CSO cyber security business report [2], the estimated cost of damages caused by ransomware attacks will be $11.5 billion by the end of 2019. In 2019, ransomware is projected to attack a business every 14 seconds. In June 2019, two Florida cities, Riviera and Lake, became victims of ransomware attacks. The Riviera and Lake city councils agreed to pay $600,000 and $500,000, respectively, to get their data back [6].

Various work in ransomware analysis is done using dynamic analysis, which includes running an executable file in VirtualBox or a sandbox environment. The malware is executed in a safe environment which does not pose harm to the host system, but this approach has notable limitations. Some ransomware samples do not run in the virtual environment and do not show their real behavior. Moreover, the command line arguments cannot be known. These limitations can make the ransomware analysis and detection ineffective. Multiple works have been done by researchers [22, 27, 12, 10] using NLP techniques such as n-gram and TF-IDF to construct the feature vector of function calls or opcodes and then perform machine learning training and classification. Since feature vector construction at multi-level is missing, this motivates us to perform this unique analysis at multi-level. We argue that in order to have a detailed
analysis of ransomware, static analysis using NLP and ML techniques proves more efficient. This paper leverages these approaches and proposes a multi-level ransomware detection framework to analyze and detect ransomware, as shown in Figure 1.

The remaining portion of this paper is organized into various sections. Related work is presented in Section II. The proposed multi-level framework is discussed in Section III. The workflow of the detector engine, which is the major detection component of the proposed framework, is presented in Section IV. Discussion about the dataset and experiments is done in Section V. The paper ends with conclusion and future works in Section VI.

II. RELATED WORK

Different approaches have been proposed to analyze and detect ransomware. Trung et al. [22] have used methods such as n-gram, doc2vec and TF-IDF to convert the API (Application Programming Interface) sequences to numeric vectors. These vectors are supplied to the machine learning classifiers. In another paper, Trung et al. [23] have used a memory augmented neural network in combination with the malware's API call sequence. They have used word2vec to convert API sequences to numeric vectors before feeding them to the one-shot learning network. Hanqi Zhang et al. [27] have used opcode sequences from ransomware samples and transformed them to n-gram sequences. They achieved the best accuracy with 91.43%. Munir et al. [12] have used the Cuckoo sandbox environment to perform dynamic analysis and capture the API calls. A class-wise approach is applied to the multi-class malware family identification. For four ransomware families, 96.05% accuracy was achieved. Similarly, Gerardo et al. [10] investigated the n-grams of Android malware based on opcodes. They claimed an accuracy of 97%. Nial et al. [15] have done static analysis of raw opcode sequences of Android malware using a deep convolutional neural network. Frequency analysis of DLLs and assembly instructions is done using machine learning techniques by Poudyal et al. [18]. Wang et al. [24] have extracted text-level features from the HTTP flow generated by mobile apps to develop a malware detection model. Xin et al. [25] have used RNN-based auto-encoders, which process the given API calls of malware to get a low-dimensional representation. Canzanese et al. [11] have analyzed system call traces utilizing the n-gram language model and TF-IDF to detect malicious processes. They have claimed that their proposed system would alarm the user if some unintended behaviours are observed, which include activities like host modifications. Alsulami et al. [9] have proposed a lightweight behavioral malware detection technique that leverages Microsoft Windows prefetch files. They have used n-gram, TF-IDF and feature dimensionality reduction with SVM and logistic regression classifiers. Raff et al. [19] have explored raw byte sequences of malware leveraging a neural network to improve the malware detection rates. They have claimed that their technique will overcome issues like the brittle features of the n-gram model. Wu et al. [26] have proposed DroidDolphin using APImonitor, SVM, and Hadoop clusters. The API monitor tool basically captures API sequences from Android-based executables. The n-gram model then generates the necessary features to feed the SVM model.

Unlike other works, our paper tries to explore multiple levels, namely DLL, function call, and assembly instruction, while disassembling the binaries to create n-gram sequences, and calculates their probability scores and TF-IDF scores to generate feature vectors for machine learning classifiers. We also analyze the trigram sequences at different levels to explore insights about the distinguishing characteristics of ransomware and benign samples.

III. PROPOSED METHODOLOGY

The proposed methodology is basically a multi-level ransomware detection framework, which comprises six major components: DLL tracker, Function call tracker, Assembly instruction tracker, Detector engine, Action engine, and Passive analyzer. This multi-level framework is run in an active mode so as to analyze the given binaries at three levels, as shown in Figure 1. It is initiated with the detection counter (dc) set to zero. This framework tracks the detection rate at each level going from DLL to the assembly instruction level, and so is named a multi-level framework. At level 1, the DLL tracker interacts with the detector engine; the framework then moves to the second level with the function call tracker, and finally to the assembly instruction tracker. The details of each major component are described in the sections below.

A. DLL tracker

The DLL tracker analyzes the DLLs of a given binary using the detection engine, as shown in Figure 1, and calculates its classification accuracy. The details of the detector engine framework are explained in Section IV. The detection counter is incremented by one if the accuracy is greater than or equal to the defined threshold value. The threshold value is set by the expert user or the security team. For our experiment, we considered a threshold of 80%.

B. Function call tracker

The function call tracker analyzes the function calls of a given binary. It also uses the detector engine and calculates the classification accuracy. The detection counter is incremented if the accuracy obtained is greater than or equal to the defined threshold value.

C. Assembly instruction tracker

The assembly instruction tracker works similarly to the DLL and function call trackers. The difference is that the detection counter's value is evaluated here. If that value is greater than or equal to one, then the action engine is triggered; otherwise the passive analyzer comes into play.
E. Action engine

The action engine is responsible for incident handling and response. When the detection counter's value is greater than or equal to one, the action engine analyzes its further action and alerts the user or system about the detection. Immediate actions or preventative actions are implemented via either manual or automatic inspectors. The details of the action engine are beyond the scope of this paper. However, more related details can be found in these references [14, 20, 5, 8].

F. Passive analyzer

When an executable or binary file is excluded by the action engine, the system continues to monitor it using the passive analyzer. The passive analyzer generates the signature of the binary and updates its detection database. The security admin may further escalate the analysis of a particular binary using behaviour analyzer techniques such as system monitoring, file access analyzers, and so on. Digging into the details of the passive analyzer is, again, out of the scope of this paper. More related details can be read in these references [13, 21, 17].

B. Multi-level Extractor

The multi-level extractor tool collects the DLLs, function calls and assembly instructions used in sequence for a given sample from the processed data of the pre-processor. Below is a brief explanation of each extractor type.

1) DLL Extractor: A dynamic link library, referred to as a DLL, is a library that contains code and data that can be used by more than one program at the same time. The main benefits of DLLs are code re-usability and efficient memory usage. A DLL can be user defined or entity/Microsoft defined, as shown in Figure 5.

Fig. 3. Life cycle of a binary file
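The following is an added, self-contained illustration of the Section III control flow together with the multi-level extraction described in this section; it is example code written for this page, not the paper's own tool. It builds trigrams at the DLL, function-call and assembly levels from constructed sample sequences, weights them with TF-IDF, and applies the detection-counter rule with the paper's 80% threshold; the per-trigram probability is assumed to be a maximum-likelihood estimate, since the page does not define how its trigram scores are computed.

```python
import math
from collections import Counter

# Constructed toy samples (not real binaries): each is described at the three
# levels the multi-level extractor works on, in the order the tokens appeared.
SAMPLES = {
    "sample_a": {
        "dll": ["ntdll", "kernel32", "comctl32", "advapi32"],
        "function_call": ["LoadLibraryW", "GetConsoleCP", "CreateServiceA", "RegSetValueW"],
        "assembly": ["push", "mov", "mov", "xor", "or", "push", "mov", "mov"],
    },
    "sample_b": {
        "dll": ["kernel32", "user32", "gdi32", "comctl32"],
        "function_call": ["DispatchMessageW", "MsgWaitForMultipleObjects", "GetDC", "ReleaseDC"],
        "assembly": ["push", "mov", "mov", "add", "sub", "ret"],
    },
    "sample_c": {
        "dll": ["ws2_32", "kernel32", "user32", "winmm"],
        "function_call": ["DeviceIoControl", "GetSystemTimeAsFileTime", "GetDC", "ReleaseDC"],
        "assembly": ["push", "mov", "mov", "test", "je", "pop", "ret"],
    },
}

LEVELS = ("dll", "function_call", "assembly")

def ngrams(tokens, n=3):
    """Sliding n-grams over an ordered token sequence (DLLs, calls or opcodes)."""
    return [tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]

def ngram_probability(tokens, gram):
    """Maximum-likelihood P(w_n | w_1..w_{n-1}) = count(gram) / count(prefix).
    Assumption: the page does not define its per-trigram score, so MLE is used here."""
    n = len(gram)
    full = Counter(ngrams(tokens, n))
    prefix = Counter(ngrams(tokens, n - 1))
    denom = prefix[gram[:-1]]
    return full[gram] / denom if denom else 0.0

def tfidf(docs):
    """docs: {name: list of n-grams} -> {name: {gram: tf-idf}}.
    tf = count / len(doc); idf = ln(N / df), unsmoothed, so an n-gram present in
    every document contributes nothing to separating the classes."""
    n_docs = len(docs)
    df = Counter()
    for grams in docs.values():
        df.update(set(grams))
    out = {}
    for name, grams in docs.items():
        total = len(grams) or 1
        out[name] = {g: (c / total) * math.log(n_docs / df[g])
                     for g, c in Counter(grams).items()}
    return out

def level_features(samples, level, n=3):
    """TF-IDF feature vectors for one level, as the extractor feeds the detector engine."""
    return tfidf({name: ngrams(s[level], n) for name, s in samples.items()})

def multilevel_route(level_accuracy, threshold=0.80):
    """Section III control flow: dc starts at 0 and is incremented once for every
    level whose detector-engine accuracy reaches the threshold (80% in the paper);
    after the assembly level, dc >= 1 triggers the action engine, else the passive analyzer."""
    dc = sum(1 for lvl in LEVELS if level_accuracy[lvl] >= threshold)
    return dc, ("action_engine" if dc >= 1 else "passive_analyzer")
```

The level accuracies passed to `multilevel_route` would in practice come from the detector engine's classifier at each level; here they are supplied directly.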
Ransomware binaries

| DLL trigram | Score | Function call trigram | Score | Assembly instruction trigram | Score |
|---|---|---|---|---|---|
| ntdll, kernel32, comctl32 | 1.0 | 0CReaderWriterLock, 0CSingleList, 0CSmallSpinLock | 1.0 | sha256msg2, xor, or | 0.33 |
| msdart, mlang, midimap | 0.5 | InSendMessageEx, DialogBoxParamA, SetMenuItemBitmaps | 1.0 | addss, mov, mov | 0.33 |
| msdart, mlang, advapi32 | 0.5 | TabbedTextOutW, ReleaseDC, GetDC | 1.0 | vpmacssww, push, daa | 0.33 |
| dsauth, gdi32, mstask | 0.5 | AddAccessDeniedAce, AreAnyAccessesGranted, GetCommandLineA | 1.0 | wrpkru, cld, mov | 0.33 |
| kernel32, user32, advapi32 | 0.40 | __vbaVarSub, _CIcos, _adj_fptan | 1.0 | kmovd, pushf, lds | 0.33 |
| wtsapi32, psapi, msvcrt | 0.33 | DbgPrint, LdrGetProcedureAddress, RtlInitAnsiString | 1.0 | vpxorq, xchg, ror | 0.33 |
| winhttp, comctl32, shlwapi | 0.33 | BuildSecurityDescriptorW, RegSetValueW, RegConnectRegistryA | 0.5 | vfrczpd, in, and | 0.33 |
| msimg32, iphlpapi, oledlg | 0.33 | DuplicateToken, CreateServiceA, SetSecurityDescriptorOwner | 0.5 | mulss, xchg, aas | 0.33 |
| midimap, icmp, mfcsubs | 0.33 | LdrGetProcedureAddress, RtlInitAnsiString, LoadLibraryW | 0.5 | mwait, je, push | 0.33 |
| msacm32, kernel32, glu32 | 0.33 | _lopen, LoadLibraryW, GetConsoleCP | 0.375 | vtestps, imul, add | 0.33 |

Normal binaries

| DLL trigram | Score | Function call trigram | Score | Assembly instruction trigram | Score |
|---|---|---|---|---|---|
| api-ms-win-core-crt-l1-1-0, api-ms-win-core-crt-l2-1-0, api-ms-win-core-libraryloader-l1-2-0 | 1.0 | SetupDiGetDeviceInstanceIdW, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo | 1.0 | sgdtd, jne, push | 0.33 |
| dnssd, ws2_32, kernel32 | 1.0 | SkciInitialize, SkciQueryInformation, SkciTransferVersionResource | 1.0 | vcmpltps, add, sub | 0.33 |
| iumcrypt, api-ms-win-core-heap-obsolete-l1-1-0, api-ms-win-eventing-cp-l1-1-0 | 0.5 | UnregisterPowerSettingNotification, DispatchMessageW, MsgWaitForMultipleObjects | 1.0 | vpmacsdqh, enter, in | 0.33 |
| ntdsapi, logoncli, rpcrt4 | 0.5 | SkciQueryInformation, SkciTransferVersionResource, SkciValidateDynamicCodePages | 0.5 | cmpxchg8b, retf, lock | 0.33 |
| esent, ntdll, api-ms-win-core-file-l1-1-0 | 0.5 | ChooseFontW, GetSaveFileNameW, InitCommonCtrlEx | 0.5 | vpminuw, cwde, pop | 0.33 |
| tapi32, gdi32, user32 | 0.33 | AddSIDToBoundaryDescriptor, CreateBoundaryDescript, CreatePrivateNamespaceW | 0.33 | vcvtsd2usi, dec, jge | 0.33 |
| mshtml, urlmon, msiso | 0.33 | DeleteBoundaryDescriptor, OpenPrivateNamespaceW, GetSecurityDescriptorDacl | 0.33 | vpshaw, ret, movabs | 0.33 |
| mswsock, ws2_32, winmm | 0.33 | EnterCriticalPolicySection, DeviceIoControl, GetSystemTimeAsFileTime | 0.33 | pinsrb, test, je | 0.33 |
| dpx, ntdll, ole32 | 0.33 | LogonUserExW, WaitServiceState, EncodePointer | 0.33 | vpminsd, xor, rex | 0.33 |
| kerbclientshared, ntlmshared, msasn1 | 0.33 | RtlAddAccessDeniedAce, NtOpenKey, NtQueryKey | 0.33 | vfnmsubpd, jrcxz, jge | 0.33 |
Figure 6 shows the accuracy graph for all three levels for n-gram TF-IDFs. We also calculated the average accuracy among these three levels. Among the three levels, function call achieved the highest accuracy. The accuracy rate at N=3 is about 2% more than at N=2, but there is a smooth decrease at other higher values of N. There is a steep decrease in accuracy for the DLL level. The detection rate of 93.36% at N=2 for the DLL level decreases to 81.52% at N=3 and finally to 57.06% at N=6. The decrease is more rapid than at the other two levels. Accuracy at the assembly level has a different pattern: it has an improved accuracy at N=3, but the accuracy decreases slightly and becomes constant at N=5 and N=6. Generalizing this pattern, the average graph line shows that the accuracy is found to be inversely proportional to the value of N.

Fig. 6. Logistic regression accuracy for N-gram TF-IDF at multi-level

VI. CONCLUSION AND FUTURE WORKS

In this work, we proposed a multi-level ransomware detection framework on a big data platform leveraging techniques from the NLP domain, machine learning and reverse engineering. We experimented with ransomware at different levels of code, flowing from DLL to function call and then to the assembly instruction level for a better understanding of various components and payloads. For faster processing we used an Apache Spark computing environment, but a general-purpose computer can also be used. We found that the empirical results of multi-level analysis are convincing for further research to detect emerging ransomware effectively. Our contributions can be summarized as follows:

• We designed a framework of multi-level analysis by utilizing DLLs, function calls and assembly instructions while exploiting NLP schemes and machine learning classifiers.
• We explored the distinguishing n-gram sequences at multi-level for ransomware binary samples. These differences in n-gram sequences constructed a good feature database to improve the detection rate at different levels.
• The multi-level analysis produces improved detection results compared to the individual levels. The highest detection accuracy for n-gram TF-IDF at N=3 is 98.59%, followed by 97.13% at N=2.

In the future, we plan to conduct experiments using combined features of our multi-level analysis leveraging deep learning techniques. We also plan to include a performance comparison between our framework and other relevant ones. In addition, different program obfuscation techniques such as junk code insertion, randomization to slow down the encryption process, use of polymorphic code and multi-threaded attacks will also be explored.

REFERENCES

[1] Apache Spark MLlib. https://spark.apache.org/mllib/.
[2] CSO cybersecurity business report. https://www.csoonline.com/article/3237674/ransomware-damage-costs-predicted-to-hit-115b-by-2019.html.
[3] National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2017-0144. 2017.
[4] pe-parse tool. https://github.com/trailofbits/pe-parse.
[5] Ransomware: How to prevent being attacked and recover after an attack. https://www.backblaze.com/blog/complete-guide-ransomware/. April, 2019.
[6] Second Florida city pays giant ransom to ransomware gang in a week. https://www.zdnet.com/article/second-florida-city-pays-giant-ransom-to-ransomware-gang-in-a-week/. June, 2019.
[7] theZoo, make the possibility of malware analysis open and available to the public. https://github.com/ytisf/theZoo.
[8] What to do if you're infected by ransomware. https://www.tomsguide.com/us/ransomware-what-to-do-next,news-25107.html. June, 2017.
[9] B. Alsulami, A. Srinivasan, H. Dong, and S. Mancoridis. Lightweight behavioral malware detection for Windows platforms. In 2017 12th International Conference on Malicious and Unwanted Software (MALWARE), pages 75–81. IEEE, 2017.
[10] G. Canfora, A. De Lorenzo, E. Medvet, F. Mercaldo, and C. A. Visaggio. Effectiveness of opcode ngrams for detection of multi family Android malware. In 2015 10th International Conference on Availability, Reliability and Security, pages 333–340. IEEE, 2015.
[11] R. Canzanese, S. Mancoridis, and M. Kam. System call-based detection of malicious processes. In 2015 IEEE International Conference on Software Quality, Reliability and Security, pages 119–124. IEEE, 2015.
[12] M. Geden and J. Happa. Classification of malware families based on runtime behaviour. In International Symposium on Cyberspace Safety and Security, pages 33–48. Springer, 2018.
[13] I. Ghafir and V. Prenosil. DNS traffic analysis for malicious domains detection. In 2015 2nd International Conference on Signal Processing and Integrated Networks (SPIN), pages 613–918. IEEE, 2015.
[14] E. Kolodenker, W. Koch, G. Stringhini, and M. Egele. PayBreak: defense against cryptographic ransomware. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pages 599–611. ACM, 2017.
[15] N. McLaughlin, J. Martinez del Rincon, B. Kang, S. Yerima, P. Miller, S. Sezer, Y. Safaei, E. Trickel, Z. Zhao, A. Doupé, et al. Deep Android malware detection. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, pages 301–308. ACM, 2017.
[16] A. H. Michael Sikorski. Practical malware analysis. No Starch Press, (12), 2012.
[17] D. Morato, E. Berrueta, E. Magaña, and M. Izal. Ransomware early detection by the analysis of file sharing traffic. Journal of Network and Computer Applications, 124:14–32, 2018.
[18] S. Poudyal, K. P. Subedi, and D. Dasgupta. A framework for analyzing ransomware using machine learning. In 2018 IEEE Symposium Series on Computational Intelligence (SSCI), pages 1692–1699. IEEE, 2018.
[19] E. Raff, J. Barker, J. Sylvester, R. Brandon, B. Catanzaro, and C. K. Nicholas. Malware detection by eating a whole EXE. In Workshops at the Thirty-Second AAAI Conference on Artificial Intelligence, 2018.
[20] N. Scaife, H. Carter, P. Traynor, and K. R. Butler. CryptoLock (and drop it): stopping ransomware attacks on user data. In 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pages 303–312. IEEE, 2016.
[21] S. Song, B. Kim, and S. Lee. The effective ransomware prevention technique using process monitoring on Android platform. Mobile Information Systems, 2016, 2016.
[22] T. K. Tran and H. Sato. NLP-based approaches for malware classification from API sequences. In 2017 21st Asia Pacific Symposium on Intelligent and Evolutionary Systems (IES), pages 101–105. IEEE, 2017.
[23] T. K. Tran, H. Sato, and M. Kubo. One-shot learning approach for unknown malware classification. In 2018 5th Asian Conference on Defense Technology (ACDT), pages 8–13. IEEE, 2018.
[24] S. Wang, Q. Yan, Z. Chen, B. Yang, C. Zhao, and M. Conti. Detecting Android malware leveraging text semantics of network flows. IEEE Transactions on Information Forensics and Security, 13(5):1096–1109, 2017.
[25] X. Wang and S. M. Yiu. A multi-task learning model for malware classification with useful file access pattern from API call sequence. arXiv preprint arXiv:1610.05945, 2016.
[26] W.-C. Wu and S.-H. Hung. DroidDolphin: a dynamic Android malware detection framework using big data and machine learning. In Proceedings of the 2014 Conference on Research in Adaptive and Convergent Systems, pages 247–252. ACM, 2014.
[27] H. Zhang, X. Xiao, F. Mercaldo, S. Ni, F. Martinelli, and A. K. Sangaiah. Classification of ransomware families with machine learning based on n-gram of opcodes. Future Generation Computer Systems, 90:211–221, 2019.