Majority Voting Approach to Ransomware Detection: Executable Analysis by @encapsulation


Too Long; Didn't Read

In this paper, researchers propose a new majority voting approach to ransomware detection.

Authors:

(1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK ([email protected]);

(2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK;

(3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK.

3.3. Executable Analysis

The collection of tests described in this section relates to tests performed on the executable code files used to launch the process as well as tests performed on a process’s memory captured during its execution. Benign programs were selected that would normally generate files of a specific type. Specific details of the benign programs analysed are provided in Table 6. For example, files of type DOCX would usually be created using the Microsoft Word application, so the executable for this application was analysed as well as its memory during its execution.


Strings in Executable Test. Ransomware executables often contain anti-analysis techniques intended to prevent researchers from inspecting the content of the code. These techniques can include obfuscation, polymorphism and encryption of the content of the executable. A consequence of this is that the number of human-readable strings found within such a file can be significantly lower than would normally be expected. This static analysis technique was applied to both benign and ransomware executable files and took the form of extracting strings from the executable and then counting the number and frequency of Windows Application Programming Interface (API) strings that could be identified. This technique has also been leveraged in other ransomware detection systems such as R-PackDroid [62].


No specific metrics, such as the expected number of API strings per KB, are currently available in the literature, so these tests are more exploratory: they aim to discover whether the type and frequency of API calls differ significantly between ransomware and benign executables, and whether this measurement would be a useful contributor to a malice score calculation in a ransomware detection system.


Creation and Modification Dates Test. Executable files normally have a significant time interval between when they were placed on the file system and the current execution time. A small interval between the creation date and time and the current date and time could also be used as an indicator of a recently placed malicious program.


This static analysis test was applied to all the executable files shown in the appendix in Tables 5 and 6. For an executable file under test, if the file's creation or modification date is more than one day old then the test passed and the executable file was considered benign; otherwise, the test failed and the file was considered malicious.
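The age check above is simple to state but has one portability trap a practitioner will hit immediately: Windows exposes a true creation time, Linux does not (its st_ctime is inode-change time), and macOS/BSD report it as st_birthtime. The following Python is an added example, not code from the paper; it applies the one-day rule to both timestamps (this example assumes both must be older than a day), reads them in a platform-aware way, and exercises the rule on constructed timestamps plus a throwaway file.

```python
import os
import sys
import tempfile
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=1)   # the paper's threshold: younger than a day fails


def classify(created, modified, now, max_age=MAX_AGE):
    """Paper's rule as assumed here: both timestamps older than max_age -> 'benign'."""
    if now - created > max_age and now - modified > max_age:
        return "benign"
    return "malicious"


def file_timestamps(path):
    """(creation, modification) datetimes, best effort per platform.

    Creation time is not portable: st_ctime is creation time on Windows but
    inode-change time on Linux, while macOS/BSD expose st_birthtime.
    """
    st = os.stat(path)
    modified = datetime.fromtimestamp(st.st_mtime)
    birth = getattr(st, "st_birthtime", None)
    if birth is not None:
        created = datetime.fromtimestamp(birth)
    elif sys.platform.startswith("win"):
        created = datetime.fromtimestamp(st.st_ctime)
    else:
        created = modified   # no creation time available; mtime is the only signal
    return created, modified


def age_test(path, now=None, max_age=MAX_AGE):
    """Run the creation/modification date test on a real file."""
    created, modified = file_timestamps(path)
    return classify(created, modified, now or datetime.now(), max_age)


def constructed_cases():
    """Fixed timestamps (constructed) covering the outcomes of the rule."""
    now = datetime(2024, 1, 10, 12, 0, 0)
    old = now - timedelta(days=3)
    fresh = now - timedelta(hours=2)
    return {
        "old_file": classify(old, old, now),
        "freshly_dropped": classify(fresh, fresh, now),
        "old_but_modified": classify(old, now - timedelta(minutes=5), now),
    }


def demo():
    """Writes a throwaway stub and tests it; a just-created file always fails."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.exe")
        with open(path, "wb") as f:
            f.write(b"MZ")          # constructed two-byte stub, not a real executable
        return age_test(path)


if __name__ == "__main__":
    print(constructed_cases())
    print("fresh stub:", demo())
```

On Linux the fallback in `file_timestamps` means the test degrades to a modification-time check only, which is worth knowing before comparing results across the platforms the paper's tables cover.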


3.3.1. Process Analysis


The following tests could be performed on running processes to determine whether any indicators could be identified that would suggest the process was malicious. The memory contents of the process under investigation are analysed for indicators of malicious behaviour.


File-less Execution Test. Running processes that do not have an underlying executable on the file system could be considered suspicious as some forms of ransomware execute by being directly injected into memory. These injected programs would then have no underlying executable file present on the file system. This is unusual behaviour for a process and can be used to flag irregular behaviour [34].


This test was applied to the running process. If the process is associated with a file on the file system then the test passed and the process file was considered benign, otherwise, the test failed and the process was considered malicious.


Cryptographic Key Identification Test. The memory and underlying executable file used to launch the process under investigation will be examined for traces of cryptographic keys, as these could indicate that the process is, or will shortly begin, encrypting files. The memory will be searched for keys for the following three cryptographic algorithms: AES [7, 28, 51, 30, 42], Salsa20 [? ] and RSA [33, 41]. The AES key testing included checking for the presence of keys of length 128, 192 and 256 bits.


Initially, the executable file that will be used to launch the process will be examined. Subsequently, the memory of the running process will be checked on two occasions: first, directly after the process has launched, and then again 30 seconds after launch. If no keys are found in any of these checks, then the test passed and the process was considered benign; otherwise, if keys are discovered, the test failed and the process was considered malicious.
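One established way to find AES keys in a memory image is to search not for the key itself (16 random-looking bytes match nothing) but for its expanded key schedule: the schedule is derived deterministically from the key, so any 16-, 24- or 32-byte window whose expansion equals the bytes that follow it is almost certainly a live round-key array. The Python below is an added example, not code from the paper or from the tools it cites; it implements the FIPS-197 key expansion for all three key sizes the paper tests, scans a constructed memory image with two planted schedules, and applies the paragraph's pass/fail rule. Salsa20 and RSA detection are not covered here.

```python
import random


def _build_sbox():
    """Generate the AES S-box from GF(2^8) inverses and the affine map (no 256-entry table)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 in GF(2^8)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                               # q /= 3, keeping p*q == 1
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # affine transform (rotates)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """Full round-key schedule for a 16-, 24- or 32-byte key (176, 208 or 240 bytes)."""
    nk = len(key) // 4
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord step for AES-256
        words.append([a ^ b for a, b in zip(words[i - nk], t)])
    return bytes(b for w in words for b in w)


def _first_derived_word(cand, nk):
    """Cheap prefilter: only the first expanded word, so most offsets are rejected in O(1)."""
    t = [SBOX[b] for b in list(cand[4 * nk - 3:4 * nk]) + [cand[4 * nk - 4]]]
    t[0] ^= RCON[0]
    return bytes(a ^ b for a, b in zip(cand[:4], t))


def find_aes_keys(mem):
    """Scan a memory image for expanded AES key schedules; returns [(offset, bits, key)]."""
    hits = []
    for key_len in (16, 24, 32):
        nk = key_len // 4
        sched_len = 16 * (nk + 7)
        for off in range(len(mem) - sched_len + 1):
            cand = mem[off:off + key_len]
            if len(set(cand)) < 4:          # zero pages and byte runs cannot be real keys
                continue
            if mem[off + key_len:off + key_len + 4] != _first_derived_word(cand, nk):
                continue
            if expand_key(cand) == mem[off:off + sched_len]:
                hits.append((off, key_len * 8, cand))
    return hits


def memory_key_test(mem):
    """The paper's rule: any key found -> 'malicious', otherwise 'benign'."""
    hits = find_aes_keys(mem)
    return ("malicious" if hits else "benign"), hits


# Constructed memory image: random filler with two schedules planted at known offsets.
KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
KEY_256 = bytes(range(0x20, 0x40))                            # constructed, not a real key
OFF_128, OFF_256 = 1000, 3000


def build_dump(seed=1, size=4096, with_keys=True):
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    if with_keys:
        for off, key in ((OFF_128, KEY_128), (OFF_256, KEY_256)):
            sched = expand_key(key)
            buf[off:off + len(sched)] = sched
    return bytes(buf)


if __name__ == "__main__":
    verdict, hits = memory_key_test(build_dump())
    print(verdict, [(off, bits, key.hex()) for off, bits, key in hits])
```

The same scan run directly after launch and again 30 seconds later, as the paper describes, catches the common case where the key is generated lazily just before encryption starts; running it against the executable file on disk is the same call with the file's bytes as `mem`.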


Ransom Note Identification Test. The memory of the process under investigation will be examined for traces of strings that typically appear within ransom notes. These are files normally generated by ransomware programs and are used to inform the user that they have been the victim of a ransomware attack; they usually contain information on how the user may recover their data. The presence of many such keywords close together within the process's memory would be an indicator that the process could be malicious. This test is similar to the previous Ransom Note Creation Test and uses the same keywords; however, in this case it is performed on the process's memory and not on its output.


This test was applied to the running process. If the process’s memory does not contain several examples of the keywords, then the test passed and the process was considered benign, otherwise, the test failed and the process was considered malicious.
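"Several keywords close together" is the part of this test that needs an actual algorithm: a single keyword such as "payment" appears in plenty of benign memory, so what matters is how many distinct keywords fall inside one small window. The Python below is an added example, not code from the paper; the keyword list is assumed (the paper reuses the keywords of its Ransom Note Creation Test, which this section does not enumerate), the window size and threshold are assumed, and both memory images are constructed. Because Windows processes hold most text as UTF-16LE, the search covers both encodings.

```python
import random

# Assumed keyword list, illustrative only; the paper's actual list is not given here.
KEYWORDS = [b"your files", b"encrypted", b"decrypt", b"bitcoin", b"ransom",
            b"private key", b"tor browser", b".onion", b"payment", b"deadline"]
WINDOW = 512        # bytes: what "close together" means in this example (assumed)
MIN_DISTINCT = 4    # distinct keywords inside one window needed to fail (assumed)


def keyword_hits(mem):
    """All (offset, keyword) pairs, case-insensitive, in ASCII and UTF-16LE encodings."""
    lowered = mem.lower()   # bytes.lower() only folds ASCII, which is what we want
    hits = []
    for kw in KEYWORDS:
        for needle in (kw, kw.decode("ascii").encode("utf-16-le")):
            pos = lowered.find(needle)
            while pos != -1:
                hits.append((pos, kw))
                pos = lowered.find(needle, pos + 1)
    return sorted(hits)


def densest_window(hits, window=WINDOW):
    """Slide a window starting at each hit; return (start, distinct keywords) for the best one."""
    best = (0, 0)
    for i, (start, _) in enumerate(hits):
        distinct = set()
        for off, kw in hits[i:]:
            if off - start > window:
                break
            distinct.add(kw)
        if len(distinct) > best[1]:
            best = (start, len(distinct))
    return best


def ransom_note_memory_test(mem, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Paper's rule: several keywords close together -> 'malicious', else 'benign'."""
    start, distinct = densest_window(keyword_hits(mem), window)
    return ("malicious" if distinct >= min_distinct else "benign"), start, distinct


# Constructed memory images: random filler with strings planted at known offsets.
NOTE = (b"ALL YOUR FILES HAVE BEEN ENCRYPTED. To decrypt them, pay the ransom in "
        b"Bitcoin before the deadline. Open the link in Tor Browser.")
NOTE_OFFSET = 2048


def build_image(seed, plant, size=8192):
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    for off, data in plant:
        buf[off:off + len(data)] = data
    return bytes(buf)


# The note is planted as UTF-16LE, as a Windows process would typically hold it.
SUSPECT_IMAGE = build_image(1, [(NOTE_OFFSET, NOTE.decode("ascii").encode("utf-16-le"))])
# A benign process may hold single keywords far apart (an invoice, a TLS status string).
BENIGN_IMAGE = build_image(2, [(100, b"Invoice payment received"),
                               (4000, b"Connection is encrypted"),
                               (7000, b"Submission deadline")])

if __name__ == "__main__":
    print("suspect:", ransom_note_memory_test(SUSPECT_IMAGE))
    print("benign: ", ransom_note_memory_test(BENIGN_IMAGE))
```

Returning the window start alongside the verdict is deliberate: an analyst triaging a hit wants to dump the bytes around that offset, not just a boolean.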


Windows API Analysis Test. The memory of the process under investigation will be examined and a review of the number and frequency of all the Windows application programming interface (API) calls found will be performed. Executables use these API calls to interact with the operating system, and the number and type of calls used, together with their frequency, will be investigated to determine whether this could be used as an indicator that the process under investigation is malicious. This test is similar to the previous Strings in Executable Test; however, in this case it is performed on the process's memory and not on the executable file used to launch the process.


No specific metrics, such as the expected number of API strings per KB, are currently available in the literature, so these tests are more exploratory: they aim to discover whether the type and frequency of API calls differ significantly between ransomware and benign executables, and whether this measurement would be a useful contributor to a malice score calculation in a ransomware detection system.
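The Strings in Executable Test and this Windows API Analysis Test share one core routine: pull printable strings out of a byte blob, match them against known Windows API export names, and normalise the count per KB. The Python below is an added example serving both tests; it is not code from the paper. The API name set is an assumed, illustrative subset (a real scanner would load the export tables of the system DLLs), and both samples are constructed byte blobs, not real PE files: one carries the kind of import-name table an ordinary program exposes, the other only the loader pair a packed or obfuscated sample typically keeps, which is exactly the collapse in readable API surface the paper describes.

```python
import random
import re

# Assumed subset of Windows API export names, illustrative only.
WINDOWS_API_NAMES = {
    b"CreateFileW", b"ReadFile", b"WriteFile", b"DeleteFileW", b"MoveFileExW",
    b"FindFirstFileW", b"FindNextFileW", b"CryptAcquireContextW", b"CryptGenKey",
    b"CryptEncrypt", b"GetProcAddress", b"LoadLibraryA", b"VirtualAlloc",
    b"VirtualProtect", b"ShellExecuteW", b"RegSetValueExW", b"WSAStartup",
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # like the strings(1) default
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # UTF-16LE runs, common in Windows binaries
TOKEN = re.compile(rb"[A-Za-z0-9_]+")


def extract_strings(blob):
    """Printable ASCII and UTF-16LE runs of four or more characters, as bytes."""
    ascii_runs = [m.group() for m in ASCII_RUN.finditer(blob)]
    wide_runs = [m.group().decode("utf-16-le").encode("ascii") for m in WIDE_RUN.finditer(blob)]
    return ascii_runs + wide_runs


def api_profile(blob):
    """Count Windows API names among the strings and normalise per KB of input."""
    counts = {}
    for s in extract_strings(blob):
        for tok in TOKEN.findall(s):          # exact token match: 'ReadFile' != 'ReadFileEx'
            if tok in WINDOWS_API_NAMES:
                counts[tok] = counts.get(tok, 0) + 1
    total = sum(counts.values())
    return {
        "distinct": len(counts),
        "total": total,
        "per_kb": round(total / (len(blob) / 1024), 2),
        "top": sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:5],
    }


def build_sample(seed, names, wide=(), size=8192):
    """Constructed sample (not a real PE): random filler around a NUL-separated name table."""
    rng = random.Random(seed)
    table = b"\x00".join(names) + b"\x00\x00"
    table += b"".join(w.encode("utf-16-le") + b"\x00\x00" for w in wide)
    head = bytes(rng.getrandbits(8) for _ in range(256))
    filler = bytes(rng.getrandbits(8) for _ in range(size - len(head) - len(table)))
    return head + table + filler


# Names as an ordinary program's import table might list them (constructed).
UNPACKED = build_sample(1, [b"kernel32.dll", b"CreateFileW", b"ReadFile", b"WriteFile",
                            b"WriteFile", b"FindFirstFileW", b"FindNextFileW",
                            b"GetProcAddress", b"LoadLibraryA", b"ShellExecuteW"],
                        wide=["Document saved", "File not found"])
# A packed sample resolves its real imports at run time, so only the loader pair is visible.
PACKED = build_sample(2, [b"LoadLibraryA", b"GetProcAddress"])


def compare():
    """Profile both constructed samples; the same call works on a process memory dump."""
    return {"unpacked": api_profile(UNPACKED), "packed": api_profile(PACKED)}


if __name__ == "__main__":
    for name, profile in compare().items():
        print(name, profile)
```

Since the paper notes there is no accepted baseline for API strings per KB, the useful output here is the relative picture (distinct names, density, and which names dominate) rather than any fixed cut-off; that is the input a malice score would weight.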


This paper is available on arxiv under CC BY 4.0 DEED license.