Detection of Ransomware using Immutable Anomalous Performance Data

Date

2021

Authors

Thummapudi, Kumar
Lama, Palden
Boppana, Rajendra V

Abstract

Ransomware (RW) is a real threat affecting almost every sector, including government agencies, businesses, educational institutions, and healthcare. Techniques to detect RW operate at three stages: pre-penetration (before the RW is installed on a victim machine), before encryption, and during encryption. Pre-penetration detection relies on IDS/IPS and network traffic analysis, which the Trojans that deliver RW can bypass. Detection before encryption relies on identifying and blocking the dropper or the command-and-control (C&C) key exchange; however, this is a short and stealthy activity, which makes detection harder. Detection during encryption, the last line of defense against RW, relies on identifying activities such as high-frequency file access, changes in file entropy, and unusual patterns of processor or I/O events. This project aims to detect RW quickly and accurately using hardware performance counters (HPCs). TACC's Chameleon Cloud is used to set up a Windows machine running on top of a Linux host with the KVM hypervisor. Benign applications and RW samples are run on the target, with or without a background load of standard Windows applications and browser activity, and counts of specific hardware events are captured using the HPCs. Experiments were run with three benign applications that use encryption/compression operations and 22 RW samples from VirusTotal, including Ryuk and Locky, and HPC data were collected. The captured data is split into 100 ms chunks and processed to extract time-domain and frequency-domain features, which are analyzed using four machine learning (ML) models: support vector machine, decision tree, K-nearest neighbors, and random forest (RF). The RF model performs best, with an accuracy of 96.6%. Data collection, processing, and analysis are being implemented on the Linux host for real-time detection.
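The pipeline the abstract describes (100 ms chunks, time-domain and frequency-domain features, an ML classifier), shown here as an added illustration that is not the thesis's code. It uses a k-nearest-neighbors classifier rather than the best-performing random forest, a pure-Python DFT for the frequency features, and constructed counter streams in place of HPC samples read from the host. The 10 ms sampling interval, the choice of a single counted event, and the alternating-burst shape of the ransomware-like stream are assumptions made for the example.

```python
"""Added example, not code from the thesis: window HPC event counts into
100 ms chunks, extract time- and frequency-domain features, and classify
the chunks with a k-nearest-neighbours (k-NN) model, one of the four models
the abstract evaluates.  All counter streams below are constructed."""
import cmath
import math
import random
from collections import Counter

SAMPLE_PERIOD_MS = 10                              # assumed counter read interval
CHUNK_MS = 100                                     # chunk length from the abstract
SAMPLES_PER_CHUNK = CHUNK_MS // SAMPLE_PERIOD_MS   # 10 samples per chunk


def chunk(series, n=SAMPLES_PER_CHUNK):
    """Split a per-sample count series into non-overlapping windows; drop the partial tail."""
    return [series[i:i + n] for i in range(0, len(series) - n + 1, n)]


def time_features(win):
    """Time-domain statistics of one window: mean, std, max, min, range."""
    mean = sum(win) / len(win)
    std = math.sqrt(sum((x - mean) ** 2 for x in win) / len(win))
    return [mean, std, max(win), min(win), max(win) - min(win)]


def dft_magnitudes(win):
    """Frequency-domain features: |X_k| / n for DFT bins k = 1 .. n//2.
    Bin 0 is the mean and is already covered by time_features."""
    n = len(win)
    out = []
    for k in range(1, n // 2 + 1):
        x_k = sum(win[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        out.append(abs(x_k) / n)
    return out


def features(win):
    """Feature vector for one 100 ms chunk: 5 time-domain + n//2 frequency-domain values."""
    return time_features(win) + dft_magnitudes(win)


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train, x, k=3):
    """train: list of (feature_vector, label). Majority vote among the k closest."""
    nearest = sorted(train, key=lambda item: euclid(item[0], x))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def synth_series(rng, base, jitter, burst, n_samples=200):
    """Constructed counter stream (think: cache misses per 10 ms): a base rate with
    uniform jitter, plus a burst on every other sample to mimic the alternating
    read/encrypt/write rhythm of a file-encrypting loop.  Assumption, not measured data."""
    return [base + rng.randint(-jitter, jitter) + (burst if t % 2 else 0)
            for t in range(n_samples)]


def build_dataset(seed):
    """Label chunks from one benign-like and one ransomware-like constructed stream."""
    rng = random.Random(seed)
    benign = [(features(w), "benign") for w in chunk(synth_series(rng, 1000, 50, 0))]
    rw = [(features(w), "ransomware") for w in chunk(synth_series(rng, 1800, 200, 600))]
    return benign + rw


def evaluate(train_seed=1, test_seed=2, k=3):
    """Train on one constructed run, test on a separate one; return accuracy in [0, 1]."""
    train = build_dataset(train_seed)
    test = build_dataset(test_seed)
    correct = sum(knn_predict(train, fv, k) == label for fv, label in test)
    return correct / len(test)


if __name__ == "__main__":
    print(f"k-NN accuracy on constructed chunks: {evaluate():.3f}")
```

On a Linux host, per-interval counts of this shape would come from perf (for example `perf stat -e LLC-load-misses -I 10` prints counts every 10 ms) or from perf_event_open(); the specific events the thesis selected are not stated in the abstract, so the event named here is only a placeholder.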
