
    Identifying Ransomware Through Statistical and Behavioural Analysis

    Ransomware is a devastating type of malicious software that restricts a user's access to a digital asset of value, demanding a ransom in order to restore it. Ransomware attacks have only increased in popularity over the years and show no signs of abating. Moreover, the complexity and potential impact of these attacks have also increased, such that modern-day ransomware attacks are capable of bringing businesses and organisations to a standstill, with ransom demands often in excess of millions of pounds. The research presented in this thesis aims to contribute to a stronger foundation of knowledge regarding this relatively new cyberthreat through the development of several novel countermeasures. An in-depth analysis of current state-of-the-art anti-ransomware tools was conducted, through which an overall preference towards statistical and behavioural detection methods was identified. Additionally, several datasets and an analysis environment were constructed in order to identify and subsequently improve current statistical and behavioural approaches, contributing towards more effective ransomware detection. Untapped potential within statistical-based approaches to ransomware detection was clearly identified, showing that near-perfect classification rates were possible within the scope of our experiments. Despite the continual growth both in terms of frequency and sophistication of ransomware attacks, our results suggest that the significant differences in system behaviour observed during a ransomware attack are enough to identify and thwart ransomware attacks. Future work should pay particular attention to these clear fingerprints created by ransomware attacks, such that damages can largely be mitigated, alleviating the need to pay the ransom and thus toppling the underground ransomware economy.