A Behavioural-based Approach to Ransomware Detection

This whitepaper provides motivation for the use of machine-learned behaviour for ransomware detection.

The rise of ransomware as a cybersecurity threat is nothing short of spectacular - from its dormant introduction nearly three decades ago to the present day, where ransomware is widespread and has become a serious threat.

Ransomware is a type of malicious software (malware) that, once executed on a computer system, hinders the user from using the computer or its data and demands a sum of money (ransom) for the restoration of the computer. Currently, ransomware attacks hinder computer operation in three ways: by blocking access to the computer, a form referred to as locker ransomware; by making user data unusable by means of encryption algorithms, referred to as crypto ransomware; and by a combination of locker and crypto ransomware, where a user is blocked from using their computer while their data is being encrypted.

MWR InfoSecurity has been performing deep research into hundreds of different ransomware families in pursuit of a way to appropriately defend against them. The techniques described in this paper are used by MWR and utilise dynamic (behavioural) analyses and machine-learning techniques.