RWArmor: a static-informed dynamic analysis approach for early detection of cryptographic windows ransomware

Ransomware attacks have captured news headlines worldwide for the last few years due to their criticality and intensity. Ransomware-as-a-service (RaaS) kits are aiding adversaries to launch such powerful attacks with little to no technical knowledge. Eventually, with the successful progression of ransomware attacks, organizations suffer financial loss, and their proprietary-based sensitive digital assets end up on the dark web for sale. Due to the severity of this situation, security researchers are seen to conduct static and dynamic analysis research for ransomware research. Both analyses have advantages and disadvantages, and prompt ransomware detection is expected to stop the irreversible encryption process. This research proposes a novel static-informed dynamic analysis approach, RWArmor, which includes the knowledge of the already-trained machine learning models based on static features to improve the ransomware detection capabilities during dynamic analysis. The effectiveness of our approach is evaluated by predicting a novel/unknown ransomware between 30 and 120 seconds of its execution. The random forest algorithm is utilized to accomplish this task and tested against 215 active cryptographic Windows ransomware collected between 2014 and 2022. Based on our empirical findings, our method achieves 97.67%, 92.38%, and 86.42% accuracy within 120, 60, and 30 seconds of behavioral logs, respectively.