Sorting Ransomware from Malware Utilizing Machine Learning Methods with Dynamic Analysis

Ransomware attacks have grown significantly in the past dozen years and have disrupted businesses that engage with personal data. In this paper, we discuss the identification of ransomware, malware, and benign software from one another using machine learning techniques. We collected data samples from repositories on the internet as well as referencing a dataset from a previous study that provided a basis for our approach. We collected ransomware, malware, and benign software samples manually using Cuckoo Sandbox (TM). We filtered on certain feature groups to test and determine if certain activity/processes in the infection process could be used to correctly distinguish ransomware from malware and benign software. These feature groups represent correlated processes within a running application: network activity, registry/events processes, and file interactions. The datasets were analyzed using several machine learning (ML) models which included Random Forest, Support Vector Machines (SVM), Gradient Boosting, and Decision Trees using binary classification. The best classifiers for distinctly identifying ransomware from benign software were Random Forest and SVM with an f1-score of 86% and an f1-score of 82% as well as an 85% in overall accuracy for Random Forest. In addition to ransomware versus benign software, we also compared malware software to ransomware data. Yielding a 100% accuracy in performance, Gradient Boosting Classifier and Decision Trees were the best at distinguishing ransomware from malware software. This high result may partially be caused by a smaller malware and ransomware dataset. Overall, we were able to successfully distinguish ransomware from malware and benign software.