Majority Voting Approach to Ransomware Detection: References and Appendix

Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Table of Links Abstract and 1 Introduction 2. Related Work 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4.1. Majority Voting 5. Conclusion 5.1. Limitations 5.2. Future Work References and Appendix References [1] Abbasi, M.S., Al-Sahaf, H., Welch, I., 2021. Automated Behaviorbased Malice Scoring of Ransomware Using Genetic Programming. 2021 IEEE Symposium Series on Computational Intelligence, SSCI 2021 - Proceedings doi:10.1109/SSCI50451.2021.9660009. [2] Ahmed, M.E., Kim, H., Camtepe, S., Nepal, S., 2021. Peeler: Profiling Kernel-Level Events to Detect Ransomware. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 12972 LNCS, 240– 260. doi:10.1007/978-3-030-88418-5\_12, arXiv:2101.12434. [3] Ahmed, Y.A., Koçer, B., Al-Rimy, B.A.S., 2020. Automated Analysis Approach for the Detection of High Survivable Ransomware. KSII Transactions on Internet and Information Systems 14, 2236–2257. doi:10.3837/tiis.2020.05.021. [4] Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M., 2019. Cryptoransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection. Future Generation Computer Systems 101, 476–491. URL: https://doi.org/10.1016/j. future.2019.06.005, doi:10.1016/j.future.2019.06.005. [5] Alam, M., Sinha, S., Bhattacharya, S., Dutta, S., Mukhopadhyay, D., Chattopadhyay, A., 2020. RAPPER: Ransomware Prevention via Performance Counters. Arxiv , 1–18URL: http://arxiv.org/abs/2004. 01712, arXiv:2004.01712. [6] Andronio, N., Zanero, S., Maggi, F., 2015. HelDroid: Dissecting and Detecting Mobile Ransomware, in: Bos, H., Monrose, F., Blanc, G. (Eds.), Research in Attacks, Intrusions, and Defenses, Springer International Publishing, Cham. pp. 382–404. [7] Balogh, Š., Pondelik, M., 2011. Capturing encryption keys for digital analysis. Proceedings of the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS’2011 2, 759–763. doi:10.1109/IDAACS.2011.6072872. [8] Berrueta, E., Morato, D., Magana, E., Izal, M., 2019. A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access 7, 144925–144944. doi:10.1109/ACCESS.2019.2945839. [9] Bottazzi, G., Italiano, G., Spera, D., Bottazzi, G., Italiano, G., Spera, D., Ransomware, P., Through, A., Bottazzi, G., Italiano, G.F., Spera, D., 2018. Preventing Ransomware Attacks Through File System Filter Drivers, in: Proceedings of the Second Italian Conference on Cyber Security (ITASEC18), p. 4. URL: https://www.researchgate.net/publication/323125541_ Preventing_Ransomware_Attacks_Through_File_System_Filter_Drivers. [10] Buchanan, . Digital Forensics Magic Numbers. URL: https:// asecuritysite.com/forensics/magic, (Last Accessed: 2022-10-20). [11] Chadha, S., Kumar, U., 2017. Ransomware: Let’s fight back!, in: 2017 International Conference on Computing, Communication and Automation (ICCCA), pp. 925–930. doi:10.1109/CCAA.2017.8229926. [12] Choudhury, P., Kumar, K.R., Nandi, S., Athithan, G., 2019. An empirical approach towards characterization of encrypted and unencrypted VoIP traffic. Multimedia Tools and Applications 79, 603– 631. doi:10.1007/s11042-019-08088-w. [13] Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S., Maggi, F., 2016. ShieldFS: A self-healing, ransomware-aware file system, in: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347. URL: https://dl.acm.org/doi/10.1145/2991079.2991110, doi:10.1145/ 2991079.2991110. [14] Dargahi, T., Dehghantanha, A., Bahrami, P.N., Conti, M., Bianchi, G., Benedetto, L., 2019. A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques 15, 277–305. URL: https://doi.org/10.1007/ s11416-019-00338-7, doi:10.1007/s11416-019-00338-7. [15] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2021a. Differential area analysis for ransomware attack detection within mixed file datasets. Computers and Security 108, 102377. URL: https://doi.org/10.1016/j.cose.2021.102377, doi:10.1016/j. cose.2021.102377, arXiv:2106.14418. [16] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2021b. NapierOne. URL: www.napierone.com. [17] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2022a. Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification. Entropy 24. doi:10.3390/e24101503. [18] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2022b. NapierOne: A modern mixed file data set alternative to Govdocs1. Forensic Science International: Digital Investigation 40, 301330. URL: https://doi. org/10.1016/j.fsidi.2021.301330, doi:10.1016/j.fsidi.2021.301330. [19] De Gaspari, F., Hitaj, D., Pagnotta, G., De Carli, L., Mancini, L.V., 2020. The Naked Sun: Malicious Cooperation Between Benign-Looking Processes. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 12147 LNCS, 254–274. doi:10.1007/ 978-3-030-57878-7\_13, arXiv:1911.02423. [20] De Gaspari, F., Hitaj, D., Pagnotta, G., De Carli, L., Mancini, L.V., 2022. Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques. Neural Computing and Applications 34, 12077–12096. URL: https://doi.org/10.1007/ s00521-022-07096-6, doi:10.1007/s00521-022-07096-6. [21] Dutta, N., Jadav, N., Tanwar, S., Sarma, H.K.D., Pricop, E., 2022. Introduction to Malware Analysis. Springer Singapore, Singapore. chapter Introducti. pp. 129–141. URL: https://doi.org/10.1007/ 978-981-16-6597-4_7, doi:10.1007/978-981-16-6597-4\_7. [22] F.R.S., K.P., 2009. X. On the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling. https://doi.org/10.1080/14786440009463897 50, 157–175. URL: https://www.tandfonline.com/doi/abs/10.1080/ 14786440009463897, doi:10.1080/14786440009463897. [23] Ganfure, G.O., Wu, C.F., Chang, Y.H., Shih, W.K., 2020. DeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection. Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020 doi:10.1109/ISI49825. 2020.9280508. [24] Genç, Z.A., Lenzini, G., Ryan, P.Y., 2018. No random, no ransom: A key to stop cryptographic ransomware. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10885 LNCS, 234–255. doi:10. 1007/978-3-319-93411-2\_11. [25] Genç, Z.A., Lenzini, G., Ryan, P.Y.A., 2019. NoCry : No More Secure Encryption Keys for Cryptographic Ransomware, in: International Workshop on Emerging Technologies for Authorization and Authentication, pp. 69–85. doi:10.1007/978-3-030-39749-4\_5. [26] Gharib, A., Ghorbani, A., 2017. DNA-Droid: A real-time android ransomware detection framework. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10394 LNCS, 184–198. doi:10. 1007/978-3-319-64701-2\_14. [27] Google, 2015. File types indexable by Google. URL: https:// support.google.com/webmasters/answer/35287?hl=en, (Last Accessed: 2021-03-24). [28] Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W., 2009. Lest we remember: Cold-boot attacks on encryption keys. Communications of the ACM 52, 91–98. doi:10.1145/1506409.1506429. [29] Hall, G.A., 2006. Sliding Window Measurement for File Type Identification. Proceedings of the 1997 ACM symposium on Applied computing , 529–532. [30] Heninger, N., Feldman, A., 2008. AESKeyFind. URL: https://github.com/eugenekolo/sec-tools/tree/master/crypto/ aeskeyfind/aeskeyfind. [31] Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R., 2020. Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence. IEEE Transactions on Emerging Topics in Computing 8, 341–351. doi:10. 1109/TETC.2017.2756908. [32] John, T.C., Abbasi, M.S., Al-Sahaf, H., Welch, I., 2022. Automatically Evolving Malice Scoring Models through Utilisation of Genetic Programming: A Cooperative Coevolution Approach. volume 1. john ed., Association for Computing Machinery. doi:10.1145/3520304. 3529063. [33] Joseph, P., Norman, J., 2020. Systematic Memory Forensic Analysis of Ransomware using Digital Forensic Tools. International Journal of Natural Computing Research 9, 61–81. doi:10.4018/ijncr. 2020040105. [34] Kara, I., 2023. Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges. Expert Systems with Applications 214, 119133. URL: https: //www.sciencedirect.com/science/article/pii/S0957417422021510, doi:https://doi.org/10.1016/j.eswa.2022.119133. [35] Kessler, G., . GCK’S File Signature Table. URL: https://www.garykessler.net/library/file_sigs.html, (Last Accessed: 2023-02-10). [36] Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Mulliner, C., Robertson, W., 2016. UNVEIL : A Large-Scale , Automated Approach to Detecting Ransomware This paper is included in the Proceedings of the. In Proceedings of the 2014 VIRUS BULLETIN CONFERENCE , 757– 772URL: https://www.usenix.org/conference/usenixsecurity16/ technical-sessions/presentation/kharaz. [37] Kharraz, A., Kirda, E., 2017a. Redemption: Real-Time Protection Against Ransomware at End-Hosts. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10453 LNCS, 98–119. doi:10.1007/978-3-319-66332-6\_5. [38] Kharraz, A., Kirda, E., 2017b. Redemption: Real-Time Protection Against Ransomware at End-Hosts. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10453 LNCS, 98–119. doi:10.1007/978-3-319-66332-6\_5. [39] Ki, Y., Kim, E., Kim, H.K., 2015. A novel approach to detect malware based on API call sequence analysis. International Journal of Distributed Sensor Networks 2015. URL: https://journals.sagepub. com/doi/pdf/10.1155/2015/659101, doi:10.1155/2015/659101. [40] Kim, G.Y., Paik, J.Y., Kim, Y., Cho, E.S., 2022. Byte Frequency Based Indicators for Crypto-Ransomware Detection from Empirical Analysis. Journal of Computer Science and Technology 37, 423–442. doi:10.1007/s11390-021-0263-x. [41] Klein, T., 2006. All your private keys are belong to us process memory. Tech. Rep , 1–7URL: https://citeseerx.ist.psu. edu/document?repid=rep1&type=pdf&doi\protect\@normalcr\relax= cf85042cca0da125b860db7c2fefb38012396cbc. [42] Kornblum, J., 2017. findaes. URL: http://jessekornblum.com/tools/ findaes/, (Last Accessed: 2019-08-10). [43] Lebbie, M., Prabhu, S.R., Agrawal, A.K., 2022. Comparative Analysis of Dynamic Malware Analysis Tools, in: Dua, M., Jain, A.K., Yadav, A., Kumar, N., Siarry, P. (Eds.), Proceedings of the International Conference on Paradigms of Communication, Computing and Data Sciences, Springer Singapore, Singapore. pp. 359–368. [44] Lee, J., Lee, K., 2022. A Method for Neutralizing Entropy Measurement-Based Ransomware Detection Technologies Using Encoding Algorithms. Entropy 24. doi:10.3390/e24020239. [45] Lee, K., Lee, S.Y., Yim, K., 2019a. Effective Ransomware Detection Using Entropy Estimation of Files for Cloud Services, in: I-SPAN 2019: Pervasive Systems, Algorithms and Networks, Springer International Publishing. pp. 133–139. URL: http://dx.doi.org/10.1007/ 978-3-030-30143-9_11, doi:10.1007/978-3-030-30143-9\_11. [46] Lee, K., Lee, S.Y., Yim, K., 2019b. Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems. IEEE Access 7, 110205–110215. URL: https://dx.doi.org/10.1109/ ACCESS.2019.2931136, doi:10.1109/access.2019.2931136. [47] Lemmou, Y., Lanet, J.L., Souidi, E.M., 2021. In-depth analysis of ransom note files. Computers 10, 1–25. doi:10.3390/computers10110145. [48] Leommoore, . File Magic Numbers · GitHub. URL: https: //gist.github.com/leommoore/f9e57ba2aa4bf197ebc5, (Last Accessed: 2023-02-28). [49] Li, W.J., Wang, K., Stolfo, S.J., Herzog, B., 2005. Fileprints: Identifying file types by n-gram analysis. Proceedings from the 6th Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC 2005 2005, 64–71. URL: https://dx.doi.org/10.1109/ IAW.2005.1495935, doi:10.1109/IAW.2005.1495935. [50] Lokuketagoda, B., Weerakoon, M.P., Kuruppu, U.M., Senarathne, A.N., Yapa Abeywardena, K., 2018. R - Killer: An email based ransomware protection tool. 13th International Conference on Computer Science and Education, ICCSE 2018 , 735–741doi:10.1109/ICCSE. 2018.8468807. [51] Maartmann-Moe, C., Thorkildsen, S.E., Årnes, A., 2009. The persistence of memory: Forensic identification and extraction of cryptographic keys. DFRWS 2009 Annual Conference 6, 132–140. doi:10. 1016/j.diin.2009.06.002. [52] Maigida, A.M., Abdulhamid, S.M., Olalere, M., Alhassan, J.K., Chiroma, H., Dada, E.G., 2019. Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. Journal of Reliable Intelligent Environments 5, 67–89. URL: https://doi. org/10.1007/s40860-019-00080-3, doi:10.1007/s40860-019-00080-3. [53] MalwareBytes, 2023. ION starts bringing customers back online after LockBit ransomware attack. URL: https://www.malwarebytes.com/blog/news/2023/02/ ion-starts-bringing-customers-back-online-after-lockbit-ransomware-attack, (Last Accessed: 2023-02-20). [54] Manavi, F., Hamzeh, A., 2022. A novel approach for ransomware detection based on PE header using graph embedding. Journal of Computer Virology and Hacking Techniques URL: https://doi.org/ 10.1007/s11416-021-00414-x, doi:10.1007/s11416-021-00414-x. [55] McDonald, G., Papadopoulos, P., Pitropakis, N., Ahmad, J., Buchanan, W.J., 2022. Ransomware: Analysing the Impact on Windows Active Directory Domain Services. Sensors 22. doi:10.3390/ s22030953, arXiv:2202.03276. [56] McIntosh, T., Jang-Jaccard, J., Watters, P., Susnjak, T., 2019. The Inadequacy of Entropy-Based Ransomware Detection, in: International Conference on Neural Information Processing, Springer International Publishing. pp. 181–189. URL: https://dx.doi.org/10.1007/ 978-3-030-36802-9_20, doi:10.1007/978-3-030-36802-9\_20. [57] Mehnaz, S., Mudgerikar, A., Bertino, E., 2018. RWGuard: A Real-Time Detection System Against Cryptographic Ransomware, in: International Symposium on Research in Attacks, Intrusions, and Defenses. Springer International Publishing. volume 1, pp. 114– 136. URL: https://doi.org/10.1007/978-3-030-00470-5_6, doi:10. 1007/978-3-030-00470-5\_6. [58] Moser, A., Kruegel, C., Kirda, E., 2007. Limits of Static Analysis for Malware Detection, in: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 421–430. doi:10.1109/ ACSAC.2007.21. [59] Nieuwenhuizen, D., 2017. A behavioural-based approach to ransomware detection. Computer Science URL: https://www.semanticscholar.org/paper/ A-behavioural-based-approach-to-ransomware-Nieuwenhuizen93b6e2fdf2a79608e44ab64 [60] O’Kane, P., Sezer, S., McLaughlin, K., 2011. Obfuscation: The Hidden Malware. IEEE Security & Privacy 9, 41–47. doi:10.1109/MSP. 2011.98. [61] Oz, H., Aris, A., Levi, A., Uluagac, A.S., 2021. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions. ACM Computing Surveys 1. URL: http://arxiv.org/abs/2102.06249, arXiv:2102.06249. [62] Pattern Recognition and Applications Lab, 2023. R-PackDroid Ransomware Detector (App) and Dataset | PRA Lab. URL: http:// pralab.diee.unica.it/en/RPackDroid, (Last Accessed: 2023-02-23). [63] Prachi, Kumar, S., 2022. An effective ransomware detection approach in a cloud environment using volatile memory features. Journal of Computer Virology and Hacking Techniques URL: https://doi.org/ 10.1007/s11416-022-00425-2, doi:10.1007/s11416-022-00425-2. [64] Sai, R.L.P., Kumar, T.P., 2019. Reverse Engineering the Behaviour of NotPetya Ransomware. International Journal of Recent Technology and Engineering , 574–578URL: https://www.ijrte.org/wp-content/ uploads/papers/v7i6s/F03120376S19.pdf. [65] Salehi, S., Shahriari, H., Ahmadian, M.M., Tazik, L., 2018a. A Novel Approach for Detecting DGA-based Ransomwares. 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology, ISCISC 2018 doi:10.1109/ISCISC.2018. 8546941. [66] Salehi, S., Shahriari, H., Ahmadian, M.M., Tazik, L., 2018b. A Novel Approach for Detecting DGA-based Ransomwares, in: 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), pp. 1–7. doi:10.1109/ ISCISC.2018.8546941. [67] Scaife, N., Carter, H., Traynor, P., Butler, K.R., 2016a. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS) , 303–312URL: https://doi.org/10.1109/ICDCS.2016. 46, doi:10.1109/ICDCS.2016.46. [68] Scaife, N., Carter, H., Traynor, P., Butler, K.R., 2016b. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. Proceedings - International Conference on Distributed Computing Systems 2016-Augus, 303–312. doi:10.1109/ICDCS.2016.46. [69] Shannon, C., 1948. A Mathematical Theory of Communication. Bell System Technology 27, 379–423. URL: https://dx.doi.org/10.1002/ j.1538-7305.1948.tb01338.x, doi:10.1002/j.1538-7305.1948.tb01338. x. [70] Sheen, S., Asmitha, K.A., Venkatesan, S., 2022. R-Sentry: Deception based ransomware detection using file access patterns. Computers and Electrical Engineering 103, 108346. URL: https://doi.org/10.1016/ j.compeleceng.2022.108346, doi:10.1016/j.compeleceng.2022.108346. [71] Song, S., Kim, B., Lee, S., 2016. The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform. Mobile Information Systems 2016, 2946735. URL: https://doi.org/ 10.1155/2016/2946735, doi:10.1155/2016/2946735. [72] The Telegraph Media Group, 2023. Royal Mail turned down £66m ransom demand from Lockbit hackers. URL: https://www.telegraph.co.uk/business/2023/02/14/ royal-mail-turned-66m-ransom-demand-lockbit-hackers/. [73] VandenBrink, R., 2016. Using File Entropy to Identify "Ransomwared" Files. URL: https://isc.sans.edu/forums/diary/Using+ FileEntropy+to+Identify+Ransomwared+Files/21351/, (Last Accessed: 2020-09-05). [74] Walker, J., 2008. Pseudorandom Number Sequence Test Program. URL: https://www.fourmilab.ch/random/, (Last Accessed: 2022-05-29). [75] Wikipedia, a. List of file formats. URL: https://en.wikipedia.org/ wiki/List_of_file_formats, (Last Accessed: 2022-01-11). [76] Wikipedia, b. List of file signatures. URL: https://en.wikipedia.org/ wiki/List_of_file_signatures, (Last Accessed: 2022-01-20). [77] Yamany, B., Elsayed, M.S., Jurcut, A.D., Abdelbaki, N., Azer, M.A., 2022. A New Scheme for Ransomware Classification and Clustering Using Static Features. Electronics (Switzerland) 11. doi:10.3390/ electronics11203307. Appendix A Ransomware Strains Appendix B Program Information This paper is available on arxiv under CC BY 4.0 DEED license. Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Authors: Authors: (1) Simon R. Davies, School of Computing, Edinburgh Napier University, Edinburgh, UK (s.davies@napier.ac.uk); (2) Richard Macfarlane, School of Computing, Edinburgh Napier University, Edinburgh, UK; (3) William J. Buchanan, School of Computing, Edinburgh Napier University, Edinburgh, UK. Table of Links Abstract and 1 Introduction 2. Related Work 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4.1. Majority Voting 5. Conclusion 5.1. Limitations 5.2. Future Work References and Appendix Abstract and 1 Introduction Abstract and 1 Introduction 2. Related Work 2. Related Work 3. Methodology and 3.1. File Content Analysis 3. Methodology and 3.1. File Content Analysis 3.2. File Name Analysis 3.2. File Name Analysis 3.3. Executable Analysis 3.3. Executable Analysis 3.4. Behaviour Analysis 3.4. Behaviour Analysis 4. Evaluation and Discussion 4. Evaluation and Discussion 4.1. Majority Voting 4.1. Majority Voting 5. Conclusion 5. Conclusion 5.1. Limitations 5.1. Limitations 5.2. Future Work 5.2. Future Work References and Appendix References and Appendix References [1] Abbasi, M.S., Al-Sahaf, H., Welch, I., 2021. Automated Behaviorbased Malice Scoring of Ransomware Using Genetic Programming. 2021 IEEE Symposium Series on Computational Intelligence, SSCI 2021 - Proceedings doi:10.1109/SSCI50451.2021.9660009. [2] Ahmed, M.E., Kim, H., Camtepe, S., Nepal, S., 2021. Peeler: Profiling Kernel-Level Events to Detect Ransomware. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 12972 LNCS, 240– 260. doi:10.1007/978-3-030-88418-5\_12, arXiv:2101.12434. [3] Ahmed, Y.A., Koçer, B., Al-Rimy, B.A.S., 2020. Automated Analysis Approach for the Detection of High Survivable Ransomware. KSII Transactions on Internet and Information Systems 14, 2236–2257. doi:10.3837/tiis.2020.05.021. [4] Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M., 2019. Cryptoransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection. Future Generation Computer Systems 101, 476–491. URL: https://doi.org/10.1016/j. future.2019.06.005, doi:10.1016/j.future.2019.06.005. [5] Alam, M., Sinha, S., Bhattacharya, S., Dutta, S., Mukhopadhyay, D., Chattopadhyay, A., 2020. RAPPER: Ransomware Prevention via Performance Counters. Arxiv , 1–18URL: http://arxiv.org/abs/2004. 01712, arXiv:2004.01712. [6] Andronio, N., Zanero, S., Maggi, F., 2015. HelDroid: Dissecting and Detecting Mobile Ransomware, in: Bos, H., Monrose, F., Blanc, G. (Eds.), Research in Attacks, Intrusions, and Defenses, Springer International Publishing, Cham. pp. 382–404. [7] Balogh, Š., Pondelik, M., 2011. Capturing encryption keys for digital analysis. Proceedings of the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS’2011 2, 759–763. doi:10.1109/IDAACS.2011.6072872. [8] Berrueta, E., Morato, D., Magana, E., Izal, M., 2019. A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access 7, 144925–144944. doi:10.1109/ACCESS.2019.2945839. [9] Bottazzi, G., Italiano, G., Spera, D., Bottazzi, G., Italiano, G., Spera, D., Ransomware, P., Through, A., Bottazzi, G., Italiano, G.F., Spera, D., 2018. Preventing Ransomware Attacks Through File System Filter Drivers, in: Proceedings of the Second Italian Conference on Cyber Security (ITASEC18), p. 4. URL: https://www.researchgate.net/publication/323125541_ Preventing_Ransomware_Attacks_Through_File_System_Filter_Drivers. [10] Buchanan, . Digital Forensics Magic Numbers. URL: https:// asecuritysite.com/forensics/magic, (Last Accessed: 2022-10-20). [11] Chadha, S., Kumar, U., 2017. Ransomware: Let’s fight back!, in: 2017 International Conference on Computing, Communication and Automation (ICCCA), pp. 925–930. doi:10.1109/CCAA.2017.8229926. [12] Choudhury, P., Kumar, K.R., Nandi, S., Athithan, G., 2019. An empirical approach towards characterization of encrypted and unencrypted VoIP traffic. Multimedia Tools and Applications 79, 603– 631. doi:10.1007/s11042-019-08088-w. [13] Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S., Maggi, F., 2016. ShieldFS: A self-healing, ransomware-aware file system, in: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347. URL: https://dl.acm.org/doi/10.1145/2991079.2991110, doi:10.1145/ 2991079.2991110. [14] Dargahi, T., Dehghantanha, A., Bahrami, P.N., Conti, M., Bianchi, G., Benedetto, L., 2019. A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. Journal of Computer Virology and Hacking Techniques 15, 277–305. URL: https://doi.org/10.1007/ s11416-019-00338-7, doi:10.1007/s11416-019-00338-7. [15] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2021a. Differential area analysis for ransomware attack detection within mixed file datasets. Computers and Security 108, 102377. URL: https://doi.org/10.1016/j.cose.2021.102377, doi:10.1016/j. cose.2021.102377, arXiv:2106.14418. [16] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2021b. NapierOne. URL: www.napierone.com. [17] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2022a. Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification. Entropy 24. doi:10.3390/e24101503. [18] Davies, S.R., Macfarlane, R., Buchanan, W.J., 2022b. NapierOne: A modern mixed file data set alternative to Govdocs1. Forensic Science International: Digital Investigation 40, 301330. URL: https://doi. org/10.1016/j.fsidi.2021.301330, doi:10.1016/j.fsidi.2021.301330. [19] De Gaspari, F., Hitaj, D., Pagnotta, G., De Carli, L., Mancini, L.V., 2020. The Naked Sun: Malicious Cooperation Between Benign-Looking Processes. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 12147 LNCS, 254–274. doi:10.1007/ 978-3-030-57878-7\_13, arXiv:1911.02423. [20] De Gaspari, F., Hitaj, D., Pagnotta, G., De Carli, L., Mancini, L.V., 2022. Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques. Neural Computing and Applications 34, 12077–12096. URL: https://doi.org/10.1007/ s00521-022-07096-6, doi:10.1007/s00521-022-07096-6. [21] Dutta, N., Jadav, N., Tanwar, S., Sarma, H.K.D., Pricop, E., 2022. Introduction to Malware Analysis. Springer Singapore, Singapore. chapter Introducti. pp. 129–141. URL: https://doi.org/10.1007/ 978-981-16-6597-4_7, doi:10.1007/978-981-16-6597-4\_7. [22] F.R.S., K.P., 2009. X. On the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling. https://doi.org/10.1080/14786440009463897 50, 157–175. URL: https://www.tandfonline.com/doi/abs/10.1080/ 14786440009463897, doi:10.1080/14786440009463897. [23] Ganfure, G.O., Wu, C.F., Chang, Y.H., Shih, W.K., 2020. DeepGuard: Deep Generative User-behavior Analytics for Ransomware Detection. Proceedings - 2020 IEEE International Conference on Intelligence and Security Informatics, ISI 2020 doi:10.1109/ISI49825. 2020.9280508. [24] Genç, Z.A., Lenzini, G., Ryan, P.Y., 2018. No random, no ransom: A key to stop cryptographic ransomware. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10885 LNCS, 234–255. doi:10. 1007/978-3-319-93411-2\_11. [25] Genç, Z.A., Lenzini, G., Ryan, P.Y.A., 2019. NoCry : No More Secure Encryption Keys for Cryptographic Ransomware, in: International Workshop on Emerging Technologies for Authorization and Authentication, pp. 69–85. doi:10.1007/978-3-030-39749-4\_5. [26] Gharib, A., Ghorbani, A., 2017. DNA-Droid: A real-time android ransomware detection framework. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10394 LNCS, 184–198. doi:10. 1007/978-3-319-64701-2\_14. [27] Google, 2015. File types indexable by Google. URL: https:// support.google.com/webmasters/answer/35287?hl=en, (Last Accessed: 2021-03-24). [28] Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W., 2009. Lest we remember: Cold-boot attacks on encryption keys. Communications of the ACM 52, 91–98. doi:10.1145/1506409.1506429. [29] Hall, G.A., 2006. Sliding Window Measurement for File Type Identification. Proceedings of the 1997 ACM symposium on Applied computing , 529–532. [30] Heninger, N., Feldman, A., 2008. AESKeyFind. URL: https://github.com/eugenekolo/sec-tools/tree/master/crypto/ aeskeyfind/aeskeyfind. [31] Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R., 2020. Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence. IEEE Transactions on Emerging Topics in Computing 8, 341–351. doi:10. 1109/TETC.2017.2756908. [32] John, T.C., Abbasi, M.S., Al-Sahaf, H., Welch, I., 2022. Automatically Evolving Malice Scoring Models through Utilisation of Genetic Programming: A Cooperative Coevolution Approach. volume 1. john ed., Association for Computing Machinery. doi:10.1145/3520304. 3529063. [33] Joseph, P., Norman, J., 2020. Systematic Memory Forensic Analysis of Ransomware using Digital Forensic Tools. International Journal of Natural Computing Research 9, 61–81. doi:10.4018/ijncr. 2020040105. [34] Kara, I., 2023. Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges. Expert Systems with Applications 214, 119133. URL: https: //www.sciencedirect.com/science/article/pii/S0957417422021510, doi:https://doi.org/10.1016/j.eswa.2022.119133. [35] Kessler, G., . GCK’S File Signature Table. URL: https://www.garykessler.net/library/file_sigs.html, (Last Accessed: 2023-02-10). [36] Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Mulliner, C., Robertson, W., 2016. UNVEIL : A Large-Scale , Automated Approach to Detecting Ransomware This paper is included in the Proceedings of the. In Proceedings of the 2014 VIRUS BULLETIN CONFERENCE , 757– 772URL: https://www.usenix.org/conference/usenixsecurity16/ technical-sessions/presentation/kharaz. [37] Kharraz, A., Kirda, E., 2017a. Redemption: Real-Time Protection Against Ransomware at End-Hosts. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10453 LNCS, 98–119. doi:10.1007/978-3-319-66332-6\_5. [38] Kharraz, A., Kirda, E., 2017b. Redemption: Real-Time Protection Against Ransomware at End-Hosts. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 10453 LNCS, 98–119. doi:10.1007/978-3-319-66332-6\_5. [39] Ki, Y., Kim, E., Kim, H.K., 2015. A novel approach to detect malware based on API call sequence analysis. International Journal of Distributed Sensor Networks 2015. URL: https://journals.sagepub. com/doi/pdf/10.1155/2015/659101, doi:10.1155/2015/659101. [40] Kim, G.Y., Paik, J.Y., Kim, Y., Cho, E.S., 2022. Byte Frequency Based Indicators for Crypto-Ransomware Detection from Empirical Analysis. Journal of Computer Science and Technology 37, 423–442. doi:10.1007/s11390-021-0263-x. [41] Klein, T., 2006. All your private keys are belong to us process memory. Tech. Rep , 1–7URL: https://citeseerx.ist.psu. edu/document?repid=rep1&type=pdf&doi\protect\@normalcr\relax= cf85042cca0da125b860db7c2fefb38012396cbc. [42] Kornblum, J., 2017. findaes. URL: http://jessekornblum.com/tools/ findaes/, (Last Accessed: 2019-08-10). [43] Lebbie, M., Prabhu, S.R., Agrawal, A.K., 2022. Comparative Analysis of Dynamic Malware Analysis Tools, in: Dua, M., Jain, A.K., Yadav, A., Kumar, N., Siarry, P. (Eds.), Proceedings of the International Conference on Paradigms of Communication, Computing and Data Sciences, Springer Singapore, Singapore. pp. 359–368. [44] Lee, J., Lee, K., 2022. A Method for Neutralizing Entropy Measurement-Based Ransomware Detection Technologies Using Encoding Algorithms. Entropy 24. doi:10.3390/e24020239. [45] Lee, K., Lee, S.Y., Yim, K., 2019a. Effective Ransomware Detection Using Entropy Estimation of Files for Cloud Services, in: I-SPAN 2019: Pervasive Systems, Algorithms and Networks, Springer International Publishing. pp. 133–139. URL: http://dx.doi.org/10.1007/ 978-3-030-30143-9_11, doi:10.1007/978-3-030-30143-9\_11. [46] Lee, K., Lee, S.Y., Yim, K., 2019b. Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems. IEEE Access 7, 110205–110215. URL: https://dx.doi.org/10.1109/ ACCESS.2019.2931136, doi:10.1109/access.2019.2931136. [47] Lemmou, Y., Lanet, J.L., Souidi, E.M., 2021. In-depth analysis of ransom note files. Computers 10, 1–25. doi:10.3390/computers10110145. [48] Leommoore, . File Magic Numbers · GitHub. URL: https: //gist.github.com/leommoore/f9e57ba2aa4bf197ebc5, (Last Accessed: 2023-02-28). [49] Li, W.J., Wang, K., Stolfo, S.J., Herzog, B., 2005. Fileprints: Identifying file types by n-gram analysis. Proceedings from the 6th Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC 2005 2005, 64–71. URL: https://dx.doi.org/10.1109/ IAW.2005.1495935, doi:10.1109/IAW.2005.1495935. [50] Lokuketagoda, B., Weerakoon, M.P., Kuruppu, U.M., Senarathne, A.N., Yapa Abeywardena, K., 2018. R - Killer: An email based ransomware protection tool. 13th International Conference on Computer Science and Education, ICCSE 2018 , 735–741doi:10.1109/ICCSE. 2018.8468807. [51] Maartmann-Moe, C., Thorkildsen, S.E., Årnes, A., 2009. The persistence of memory: Forensic identification and extraction of cryptographic keys. DFRWS 2009 Annual Conference 6, 132–140. doi:10. 1016/j.diin.2009.06.002. [52] Maigida, A.M., Abdulhamid, S.M., Olalere, M., Alhassan, J.K., Chiroma, H., Dada, E.G., 2019. Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. Journal of Reliable Intelligent Environments 5, 67–89. URL: https://doi. org/10.1007/s40860-019-00080-3, doi:10.1007/s40860-019-00080-3. [53] MalwareBytes, 2023. ION starts bringing customers back online after LockBit ransomware attack. URL: https://www.malwarebytes.com/blog/news/2023/02/ ion-starts-bringing-customers-back-online-after-lockbit-ransomware-attack, (Last Accessed: 2023-02-20). [54] Manavi, F., Hamzeh, A., 2022. A novel approach for ransomware detection based on PE header using graph embedding. Journal of Computer Virology and Hacking Techniques URL: https://doi.org/ 10.1007/s11416-021-00414-x, doi:10.1007/s11416-021-00414-x. [55] McDonald, G., Papadopoulos, P., Pitropakis, N., Ahmad, J., Buchanan, W.J., 2022. Ransomware: Analysing the Impact on Windows Active Directory Domain Services. Sensors 22. doi:10.3390/ s22030953, arXiv:2202.03276. [56] McIntosh, T., Jang-Jaccard, J., Watters, P., Susnjak, T., 2019. The Inadequacy of Entropy-Based Ransomware Detection, in: International Conference on Neural Information Processing, Springer International Publishing. pp. 181–189. URL: https://dx.doi.org/10.1007/ 978-3-030-36802-9_20, doi:10.1007/978-3-030-36802-9\_20. [57] Mehnaz, S., Mudgerikar, A., Bertino, E., 2018. RWGuard: A Real-Time Detection System Against Cryptographic Ransomware, in: International Symposium on Research in Attacks, Intrusions, and Defenses. Springer International Publishing. volume 1, pp. 114– 136. URL: https://doi.org/10.1007/978-3-030-00470-5_6, doi:10. 1007/978-3-030-00470-5\_6. [58] Moser, A., Kruegel, C., Kirda, E., 2007. Limits of Static Analysis for Malware Detection, in: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 421–430. doi:10.1109/ ACSAC.2007.21. [59] Nieuwenhuizen, D., 2017. A behavioural-based approach to ransomware detection. Computer Science URL: https://www.semanticscholar.org/paper/ A-behavioural-based-approach-to-ransomware-Nieuwenhuizen93b6e2fdf2a79608e44ab64 [60] O’Kane, P., Sezer, S., McLaughlin, K., 2011. Obfuscation: The Hidden Malware. IEEE Security & Privacy 9, 41–47. doi:10.1109/MSP. 2011.98. [61] Oz, H., Aris, A., Levi, A., Uluagac, A.S., 2021. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions. ACM Computing Surveys 1. URL: http://arxiv.org/abs/2102.06249, arXiv:2102.06249. [62] Pattern Recognition and Applications Lab, 2023. R-PackDroid Ransomware Detector (App) and Dataset | PRA Lab. URL: http:// pralab.diee.unica.it/en/RPackDroid, (Last Accessed: 2023-02-23). [63] Prachi, Kumar, S., 2022. An effective ransomware detection approach in a cloud environment using volatile memory features. Journal of Computer Virology and Hacking Techniques URL: https://doi.org/ 10.1007/s11416-022-00425-2, doi:10.1007/s11416-022-00425-2. [64] Sai, R.L.P., Kumar, T.P., 2019. Reverse Engineering the Behaviour of NotPetya Ransomware. International Journal of Recent Technology and Engineering , 574–578URL: https://www.ijrte.org/wp-content/ uploads/papers/v7i6s/F03120376S19.pdf. [65] Salehi, S., Shahriari, H., Ahmadian, M.M., Tazik, L., 2018a. A Novel Approach for Detecting DGA-based Ransomwares. 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology, ISCISC 2018 doi:10.1109/ISCISC.2018. 8546941. [66] Salehi, S., Shahriari, H., Ahmadian, M.M., Tazik, L., 2018b. A Novel Approach for Detecting DGA-based Ransomwares, in: 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC), pp. 1–7. doi:10.1109/ ISCISC.2018.8546941. [67] Scaife, N., Carter, H., Traynor, P., Butler, K.R., 2016a. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS) , 303–312URL: https://doi.org/10.1109/ICDCS.2016. 46, doi:10.1109/ICDCS.2016.46. [68] Scaife, N., Carter, H., Traynor, P., Butler, K.R., 2016b. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. Proceedings - International Conference on Distributed Computing Systems 2016-Augus, 303–312. doi:10.1109/ICDCS.2016.46. [69] Shannon, C., 1948. A Mathematical Theory of Communication. Bell System Technology 27, 379–423. URL: https://dx.doi.org/10.1002/ j.1538-7305.1948.tb01338.x, doi:10.1002/j.1538-7305.1948.tb01338. x. [70] Sheen, S., Asmitha, K.A., Venkatesan, S., 2022. R-Sentry: Deception based ransomware detection using file access patterns. Computers and Electrical Engineering 103, 108346. URL: https://doi.org/10.1016/ j.compeleceng.2022.108346, doi:10.1016/j.compeleceng.2022.108346. [71] Song, S., Kim, B., Lee, S., 2016. The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform. Mobile Information Systems 2016, 2946735. URL: https://doi.org/ 10.1155/2016/2946735, doi:10.1155/2016/2946735. [72] The Telegraph Media Group, 2023. Royal Mail turned down £66m ransom demand from Lockbit hackers. URL: https://www.telegraph.co.uk/business/2023/02/14/ royal-mail-turned-66m-ransom-demand-lockbit-hackers/. [73] VandenBrink, R., 2016. Using File Entropy to Identify "Ransomwared" Files. URL: https://isc.sans.edu/forums/diary/Using+ FileEntropy+to+Identify+Ransomwared+Files/21351/, (Last Accessed: 2020-09-05). [74] Walker, J., 2008. Pseudorandom Number Sequence Test Program. URL: https://www.fourmilab.ch/random/, (Last Accessed: 2022-05-29). [75] Wikipedia, a. List of file formats. URL: https://en.wikipedia.org/ wiki/List_of_file_formats, (Last Accessed: 2022-01-11). [76] Wikipedia, b. List of file signatures. URL: https://en.wikipedia.org/ wiki/List_of_file_signatures, (Last Accessed: 2022-01-20). [77] Yamany, B., Elsayed, M.S., Jurcut, A.D., Abdelbaki, N., Azer, M.A., 2022. A New Scheme for Ransomware Classification and Clustering Using Static Features. Electronics (Switzerland) 11. doi:10.3390/ electronics11203307. Appendix A Ransomware Strains Appendix B Program Information This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv