Abstract
Ransomware is a very effective form of malware which has recently attracted a great deal of attention, since an impressive number of workstations have been affected. This malware encrypts the files located on the infected machine and blocks access to them. The attackers restore the machine and the files only after the payment of a certain amount of money, usually in bitcoins. In this paper we discuss a hybrid framework, combining static and dynamic analysis and exploiting API calls, to prevent and mitigate ransomware threats. The evaluation, considering 1000 legitimate and ransomware applications, demonstrates that hybrid API call-based detection is a promising direction in ransomware prevention and mitigation.
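To make the hybrid idea concrete, the following added example (not the paper's code) combines a static view, which watch-listed APIs a binary imports, with a dynamic view, how often those APIs are actually called in a sandbox trace, and scores the two together. The API watch-list, the scoring weights, the import tables and the trace lines are all constructed assumptions for illustration, not the paper's feature set or classifier.

```python
"""Toy hybrid (static + dynamic) API-call scorer for ransomware triage.
Added illustration, not the paper's code: the watch-list, the import tables
and the sandbox-style traces are constructed for this example."""
import re
from collections import Counter

# Constructed watch-list of Win32 APIs seen in file-encrypting ransomware
# (crypto primitives plus bulk enumerate / rewrite / delete of user files).
WATCHLIST = {"CryptAcquireContextW", "CryptGenKey", "CryptEncrypt",
             "FindFirstFileW", "FindNextFileW", "WriteFile",
             "DeleteFileW", "MoveFileExW"}
CRYPTO = {"CryptGenKey", "CryptEncrypt"}
# One constructed trace line looks like "<pid> <api>(<args>)".
TRACE_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<api>\w+)\(")

def static_features(imports):
    """Static view: watch-listed APIs present in the import table."""
    return {api for api in imports if api in WATCHLIST}

def dynamic_features(trace_lines):
    """Dynamic view: how often each watch-listed API was actually called."""
    counts = Counter()
    for line in trace_lines:
        m = TRACE_RE.match(line)
        if m and m.group("api") in WATCHLIST:
            counts[m.group("api")] += 1
    return counts

def hybrid_score(imports, trace_lines, min_rewrites=3):
    """Crypto APIs both imported and invoked, plus repeated write-then-delete
    cycles over files, is the combined signal; returns (score, static, dynamic)."""
    static, dynamic = static_features(imports), dynamic_features(trace_lines)
    score = (1 if CRYPTO & static else 0) + (2 if CRYPTO & set(dynamic) else 0)
    rewrites = min(dynamic["WriteFile"],
                   dynamic["DeleteFileW"] + dynamic["MoveFileExW"])
    score += 2 if rewrites >= min_rewrites else 0
    return score, sorted(static), dict(dynamic)

def verdict(score, threshold=4):
    return "ransomware-like" if score >= threshold else "benign-like"

# Constructed samples: an encryptor-style binary and a plain document editor.
RANSOM_IMPORTS = ["CreateFileW", "CryptAcquireContextW", "CryptGenKey",
                  "CryptEncrypt", "FindFirstFileW", "WriteFile", "DeleteFileW"]
RANSOM_TRACE = (["1234 CryptAcquireContextW(...)", "1234 CryptGenKey(...)",
                 "1234 FindFirstFileW(...)"]
                + ["1234 CryptEncrypt(...)", "1234 WriteFile(...)",
                   "1234 DeleteFileW(...)", "1234 FindNextFileW(...)"] * 3)
EDITOR_IMPORTS = ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"]
EDITOR_TRACE = ["5678 CreateFileW(...)", "5678 WriteFile(...)"]
```

Running `hybrid_score(RANSOM_IMPORTS, RANSOM_TRACE)` scores the encryptor-style sample as ransomware-like, while the editor sample, which imports and calls `WriteFile` but never touches crypto or delete APIs, stays benign-like; the static view alone would have flagged neither distinctly.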
Mercaldo, F. A framework for supporting ransomware detection and prevention based on hybrid analysis. J Comput Virol Hack Tech 17, 221–227 (2021). https://doi.org/10.1007/s11416-021-00388-w