Publication | Open Access
Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection
Citations: 159 | References: 0 | Year: 2016
Recent statistics show that in 2015 more than 140 million new malware samples were found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim's system unusable, in particular by encrypting important files, and then ask the user to pay a ransom to revert the damage. Several ransomware samples include sophisticated packing techniques, and are hence difficult to analyse statically. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation, checking for characteristic signs of ransomware. Our tests over a dataset of 582 ransomware samples belonging to 11 families, and with 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.