1. Introduction
Modern ransomware routinely uses commercial packers and polymorphic techniques to evade static signature detection, while the underlying encryption and file-system enumeration behaviour remains relatively stable across variants within the same family, motivating dynamic behavioural analysis.
2. Methodology
A total of 3,400 labelled samples, comprising ransomware from six major families and an equal number of benign executables, were executed in an isolated Cuckoo Sandbox instance for 180 seconds each, with opcode sequences extracted from executed instruction traces converted to 3-gram frequency vectors and combined with Windows API call frequency features, used to train a random forest classifier with 400 trees.
3. Results
The classifier achieved 96.8 percent binary detection accuracy (ransomware versus benign) and, among correctly detected ransomware samples, correctly attributed the specific family in 91.2 percent of cases based on hierarchical clustering of the same feature set, with the two most confused family pairs sharing a common underlying encryption library.
4. Conclusion
Opcode n-gram and API-call behavioural features extracted via sandboxed dynamic execution provide robust ransomware detection resilient to static evasion techniques, along with useful family attribution for incident response. Future work will evaluate detection latency trade-offs for shorter sandbox execution windows.
References
[1] Kharraz A. et al., Cutting the Gordian knot: A look under the hood of ransomware attacks, DIMVA, 2015. [2] Egele M. et al., A survey on automated dynamic malware-analysis techniques and tools, ACM Computing Surveys, 2012.