Automated Hybrid Ransomware Family Classification

George Dunca, Ioan Bădărînză

2024

Abstract

Ransomware is one of the most destructive forms of malware in existence today, posing a continuous and evolving threat to everyone from an individual user to a large corporation. Ransomware can be analyzed in three main ways: statically, which involves extracting information without execution; dynamically, which implies running the program in a controlled environment and observing its behavior; and hybrid, which addresses the limitations of the two previous approaches by combining them. The aim of this study is to maximize the number of features extracted from Windows portable executables (PE) using a hybrid approach and to identify the attributes that are most useful for differentiating between ransomware families. A total of 707 samples across 99 families were successfully examined, from which 783 features were identified as the most informative. This data was then used to train a Random Forest model, which performs the classification. RansoGuard was also developed: a graphical Windows application that extracts hybrid attributes from a specified portable executable file, uses the Random Forest model to output a prediction of the ransomware family to which the file belongs, and finally generates a detailed report. The results obtained are promising, with the model achieving an accuracy of 71.83%, along with a precision of 0.79 and recall of 0.72.
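To make the hybrid feature idea concrete, the following is an added example (not code from the paper or from RansoGuard) that builds a small fixed-length feature vector from two views of a sample: static header fields and per-section entropy parsed directly out of a PE image, and behavioural counts taken from an API-call trace of the kind a sandbox run would produce. The PE image, the API trace and the `API_VOCAB` list are all constructed here for illustration and are assumptions; the paper's actual 783 features are not reproduced. The resulting `hybrid_vector` rows are what one would feed to a classifier such as a Random Forest.

```python
import math
import struct
from collections import Counter

# ---- static view: parse COFF and section headers with no third-party library ----

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniform data, 0.0 for a constant byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_static(image: bytes) -> dict:
    """Extract header-level static features (section names, sizes, entropies)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 20-byte COFF file header follows the 4-byte signature.
    machine, nsect, ts, _symptr, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", image, pe_off + 4)
    sect_off = pe_off + 4 + 20 + opt_size                    # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsect):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, sect_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "num_sections": nsect, "timestamp": ts,
            "characteristics": chars, "sections": sections,
            "max_section_entropy": max((s["entropy"] for s in sections), default=0.0)}


# ---- dynamic view: counts over an API-call trace from a sandbox run ----

# Assumed, illustrative vocabulary; a real feature set would be learned from the corpus.
API_VOCAB = ["CryptEncrypt", "CryptGenKey", "FindFirstFileW", "FindNextFileW",
             "WriteFile", "DeleteFileW", "MoveFileW", "CreateProcessW"]


def dynamic_features(api_trace: list) -> dict:
    counts = Counter(api_trace)
    feats = {"api_" + name: counts.get(name, 0) for name in API_VOCAB}
    feats["unique_apis"] = len(counts)
    feats["trace_len"] = len(api_trace)
    return feats


def hybrid_vector(static: dict, dynamic: dict):
    """Fuse both views into one fixed-length numeric row; returns (names, values)."""
    row = {"num_sections": static["num_sections"],
           "characteristics": static["characteristics"],
           "max_section_entropy": static["max_section_entropy"],
           "mean_raw_size": (sum(s["raw_size"] for s in static["sections"])
                             / max(static["num_sections"], 1))}
    row.update(dynamic)
    names = sorted(row)
    return names, [float(row[k]) for k in names]


# ---- constructed input: a minimal PE-like image (headers + raw sections), not a real program ----

def build_sample_pe(section_payloads) -> bytes:
    pe_off, opt_size = 0x40, 0          # optional header omitted for brevity
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)).ljust(pe_off, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_payloads), 0, 0, 0, opt_size, 0x0102)
    ptr = pe_off + 4 + 20 + 40 * len(section_payloads)
    hdrs, body = b"", b""
    for name, payload in section_payloads:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), 0x1000,
                            len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        ptr += len(payload)
    return dos + b"PE\0\0" + coff + hdrs + body


if __name__ == "__main__":
    img = build_sample_pe([(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512)])
    trace = ["CryptGenKey", "FindFirstFileW", "CryptEncrypt", "CryptEncrypt", "WriteFile"]
    names, vec = hybrid_vector(parse_pe_static(img), dynamic_features(trace))
    for k, v in zip(names, vec):
        print(f"{k:22s} {v}")
```

A high-entropy section next to a near-constant one is the kind of static signal that packed or encrypted payloads produce, while the API counts capture what the sample did when run; keeping both in one row is the whole point of the hybrid approach.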



Paper Citation


in Harvard Style

Dunca G. and Bădărînză I. (2024). Automated Hybrid Ransomware Family Classification. In Proceedings of the 20th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST; ISBN 978-989-758-718-4, SciTePress, pages 409-416. DOI: 10.5220/0013065400003825


in Bibtex Style

@conference{webist24,
author={George Dunca and Ioan Bădărînză},
title={Automated Hybrid Ransomware Family Classification},
booktitle={Proceedings of the 20th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST},
year={2024},
pages={409-416},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013065400003825},
isbn={978-989-758-718-4},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 20th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST
TI - Automated Hybrid Ransomware Family Classification
SN - 978-989-758-718-4
AU - Dunca G.
AU - Bădărînză I.
PY - 2024
SP - 409
EP - 416
DO - 10.5220/0013065400003825
PB - SciTePress