
A framework for supporting ransomware detection and prevention based on hybrid analysis

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Ransomware is a very effective form of malware that has recently attracted considerable attention, since a large number of workstations have been affected. This malware encrypts the files on the infected machine and blocks access to them. The attackers offer to restore the machine and its files only after payment of a ransom, usually demanded in bitcoins. In this paper we discuss a hybrid framework, combining static and dynamic analysis, that exploits API calls to prevent and mitigate ransomware threats. The evaluation, considering 1000 legitimate and ransomware applications, shows that hybrid API-call-based detection is a promising direction for ransomware prevention and mitigation.
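The following Python sketch is an added illustration of what "hybrid API-call-based detection" can look like in practice; it is not the paper's framework (whose internals are not given on this page). It combines a static indicator, Win32 API names visible as strings in the sample (a crude stand-in for parsing the PE import table), with a dynamic indicator, an ordered API-call trace of the kind a sandbox records, into a single score. The indicator sets, weights, threshold and the three sample inputs (an unpacked ransomware, a packed one whose imports are resolved only at run time, and a benign backup tool) are all constructed assumptions.

```python
"""Hybrid (static + dynamic) API-call scoring for ransomware triage.

Added illustration, not the paper's framework. Indicator sets, weights,
threshold and samples are hypothetical. A trace is a list of
(api_name, argument_dict) tuples as a sandbox would record them.
"""
import re
from collections import Counter

# Static stage: API names worth noticing when seen as strings in the binary.
KNOWN_APIS = {
    "CryptAcquireContextW", "CryptGenKey", "CryptEncrypt", "CryptImportKey",
    "FindFirstFileW", "FindNextFileW", "MoveFileExW", "DeleteFileW",
    "CreateProcessW", "LoadLibraryW", "GetProcAddress",
}
CRYPTO_APIS = {"CryptAcquireContextW", "CryptGenKey", "CryptEncrypt", "CryptImportKey"}

# Dynamic stage: read a file, encrypt the buffer, write it back, drop the
# original. Matched as an ordered subsequence, so unrelated calls in between
# (CreateFileW, CloseHandle, ...) do not break the match.
ENCRYPT_CHAIN = ("ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW")
THRESHOLD = 5  # hypothetical decision threshold
API_STRING_RE = re.compile(rb"[A-Za-z][A-Za-z0-9]{5,}")


def static_features(binary: bytes) -> set:
    """Names from KNOWN_APIS that occur as printable ASCII strings in the sample."""
    names = {m.group().decode("ascii") for m in API_STRING_RE.finditer(binary)}
    return names & KNOWN_APIS


def count_chain(names, chain) -> int:
    """Non-overlapping completions of `chain` as an ordered subsequence of `names`."""
    hits, idx = 0, 0
    for name in names:
        if name == chain[idx]:
            idx += 1
            if idx == len(chain):
                hits, idx = hits + 1, 0
    return hits


def deletes_shadow_copies(trace) -> bool:
    """True if a spawned command line asks for volume shadow copy removal."""
    return any(api == "CreateProcessW" and "delete shadows" in args.get("cmdline", "").lower()
               for api, args in trace)


def hybrid_score(binary: bytes, trace):
    """Return (score, evidence) from static and dynamic indicators (hypothetical weights)."""
    evidence = {}
    hits = static_features(binary)
    if hits & CRYPTO_APIS:
        evidence["static:crypto_api"] = 2
    if {"FindFirstFileW", "FindNextFileW"} <= hits:
        evidence["static:file_enumeration"] = 1
    if hits & {"DeleteFileW", "MoveFileExW"}:
        evidence["static:file_removal"] = 1
    if {"LoadLibraryW", "GetProcAddress"} <= hits and not hits & CRYPTO_APIS:
        evidence["static:runtime_resolution_only"] = 1  # loader only: likely packed
    names = [api for api, _ in trace]
    if count_chain(names, ENCRYPT_CHAIN) >= 3:
        evidence["dynamic:encrypt_overwrite_loop"] = 4
    if Counter(names)["CryptEncrypt"]:
        evidence["dynamic:crypto_call"] = 1
    if deletes_shadow_copies(trace):
        evidence["dynamic:shadow_copy_deletion"] = 3
    return sum(evidence.values()), evidence


def is_ransomware(binary: bytes, trace) -> bool:
    return hybrid_score(binary, trace)[0] >= THRESHOLD


# --- constructed samples (not real malware, not from the paper) -------------
def _strings(*names):
    return b"MZ\x90\x00" + b"\x00".join(n.encode() for n in names) + b"\x00\x8f\x12"

def _encrypt_loop(files):
    calls = []
    for f in files:
        calls += [("FindNextFileW", {"name": f}), ("CreateFileW", {"path": f}),
                  ("ReadFile", {}), ("CryptEncrypt", {}),
                  ("WriteFile", {"path": f + ".locked"}), ("DeleteFileW", {"path": f})]
    return calls

DOCS = ["C:\\Users\\alice\\Documents\\" + n for n in ("a.docx", "b.xlsx", "c.pdf", "d.jpg")]

# 1. unpacked ransomware: crypto imports visible, encryption loop and vssadmin observed
RANSOM_BIN = _strings("kernel32.dll", "FindFirstFileW", "FindNextFileW", "ReadFile", "WriteFile",
                      "DeleteFileW", "CreateProcessW", "advapi32.dll", "CryptAcquireContextW",
                      "CryptGenKey", "CryptEncrypt")
RANSOM_TRACE = ([("CryptAcquireContextW", {}), ("CryptGenKey", {"alg": "AES-256"}),
                 ("FindFirstFileW", {"path": DOCS[0]})] + _encrypt_loop(DOCS) +
                [("CreateProcessW", {"cmdline": "vssadmin.exe Delete Shadows /All /Quiet"})])
# 2. packed ransomware: static stage sees only the loader, dynamic stage sees the loop
PACKED_BIN = _strings("kernel32.dll", "LoadLibraryW", "GetProcAddress", "VirtualAlloc")
PACKED_TRACE = ([("LoadLibraryW", {"name": "advapi32.dll"}),
                 ("GetProcAddress", {"name": "CryptEncrypt"})] + _encrypt_loop(DOCS[:3]))
# 3. benign backup tool: enumerates and copies files, never encrypts or deletes
BENIGN_BIN = _strings("kernel32.dll", "FindFirstFileW", "FindNextFileW", "ReadFile", "WriteFile", "CopyFileW")
BENIGN_TRACE = [("FindFirstFileW", {"path": DOCS[0]})] + [
    c for f in DOCS for c in (("FindNextFileW", {"name": f}), ("ReadFile", {}),
                              ("WriteFile", {"path": "D:\\backup\\" + f.rsplit("\\", 1)[1]}))]

if __name__ == "__main__":
    for label, b, t in (("ransom", RANSOM_BIN, RANSOM_TRACE), ("packed", PACKED_BIN, PACKED_TRACE),
                        ("benign", BENIGN_BIN, BENIGN_TRACE)):
        print(label, is_ransomware(b, t), hybrid_score(b, t))
```

The packed sample is the point of combining the two stages: its static indicators alone score 1 (only the loader is visible, because the real imports are resolved through GetProcAddress at run time), while the dynamic trace still exposes the read/encrypt/overwrite/delete loop. Conversely the benign backup tool shares the file-enumeration import with the ransomware and scores 1 from the static stage, but the absence of any encryption chain keeps it below the threshold.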


Corresponding author

Correspondence to Francesco Mercaldo.

Cite this article

Mercaldo, F. A framework for supporting ransomware detection and prevention based on hybrid analysis. J Comput Virol Hack Tech 17, 221–227 (2021). https://doi.org/10.1007/s11416-021-00388-w
