Early detection of crypto-ransomware using pre-encryption detection algorithm

Crypto-ransomware is a type of malware that locks its victim's files for ransom using an encryption algorithm. Its prevalence has risen at an alarming rate, drawing the attention of the cyber security community after several successful worldwide attacks. The encryption employed causes irreversible damage to the victim's digital files, even when the victim chooses to pay the ransom. This research therefore proposes the Pre-Encryption Detection Algorithm (PEDA), which detects crypto-ransomware at the pre-encryption stage, before any file has been encrypted. PEDA provides two levels of detection. The first level acts before the ransomware can be activated, by comparing the sample's signature with the signatures of known crypto-ransomware; the signature is generated with SHA-256 (Secure Hash Algorithm 256), which allows fast and accurate comparison of file content. The second level uses a Learning Algorithm (LA) that detects crypto-ransomware from the application programming interface (API) calls it makes during the pre-encryption stage. The LA achieved a 100% recall rate with an 80:20 training/testing split, and a 99.9% recall rate under 10-fold cross-validation. In addition, this research identified fourteen APIs that differentiate ransomware from goodware. Three APIs were present in most ransomware but rarely in goodware: NtProtectVirtualMemory, NtResumeThread, and NtTerminateProcess. Eleven APIs, on the other hand, were present in most goodware but rarely in ransomware: NtWriteVirtualMemory, UuidCreate, NtDelayExecution, NtSetInformationFile, NtWriteFile, CreateThread, NtReadVirtualMemory, VirtualFreeEx, CreateDirectoryW, VirtualProtectEx, and SetFilePointer.
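The following is an added example, not the paper's own PEDA implementation. It prototypes the two detection levels the abstract describes in pure Python: level 1 hashes a sample with SHA-256 and checks the digest against a set of known crypto-ransomware signatures; level 2 turns a sample's API trace into a binary feature vector over the fourteen APIs named above and scores it with a small perceptron, reporting recall the way the abstract does. The known-signature set, the API traces, their labels and the "known ransomware" byte string are all constructed for illustration; the learning algorithm used here is a plain perceptron, an assumption standing in for whatever LA the paper trained.

```python
"""Added example (not the paper's code): a two-level, PEDA-style detector.

Level 1: SHA-256 signature comparison against known crypto-ransomware digests.
Level 2: perceptron over the fourteen pre-encryption APIs named in the abstract.
All signatures, traces and labels below are constructed sample data.
"""
import hashlib

# The fourteen APIs reported in the abstract, ransomware-leaning ones first.
RANSOMWARE_LEANING = ["NtProtectVirtualMemory", "NtResumeThread", "NtTerminateProcess"]
GOODWARE_LEANING = [
    "NtWriteVirtualMemory", "UuidCreate", "NtDelayExecution", "NtSetInformationFile",
    "NtWriteFile", "CreateThread", "NtReadVirtualMemory", "VirtualFreeEx",
    "CreateDirectoryW", "VirtualProtectEx", "SetFilePointer",
]
FEATURE_APIS = RANSOMWARE_LEANING + GOODWARE_LEANING


def sha256_hex(data: bytes) -> str:
    """Level 1 signature: hex SHA-256 digest of the raw file content."""
    return hashlib.sha256(data).hexdigest()


def level1_signature_match(data: bytes, known_signatures: set) -> bool:
    """True when the sample's digest is already in the known-ransomware set."""
    return sha256_hex(data) in known_signatures


def api_feature_vector(api_trace):
    """Level 2 features: 1 if the API was observed in the trace, else 0."""
    seen = set(api_trace)
    return [1 if api in seen else 0 for api in FEATURE_APIS]


def train_perceptron(labelled_traces, max_epochs=100):
    """Perceptron with learning rate 1 (labels +1 ransomware, -1 goodware).
    Stops after an epoch with no update, or after max_epochs on non-separable data."""
    weights = [0.0] * len(FEATURE_APIS)
    bias = 0.0
    for _ in range(max_epochs):
        updated = False
        for trace, is_ransomware in labelled_traces:
            x = api_feature_vector(trace)
            y = 1 if is_ransomware else -1
            score = sum(w * xi for w, xi in zip(weights, x)) + bias
            if y * score <= 0:  # misclassified or on the boundary: shift the hyperplane
                weights = [w + y * xi for w, xi in zip(weights, x)]
                bias += y
                updated = True
        if not updated:
            break
    return weights, bias


def level2_predict(model, api_trace) -> bool:
    """True when the trained model scores the trace as ransomware."""
    weights, bias = model
    x = api_feature_vector(api_trace)
    return sum(w * xi for w, xi in zip(weights, x)) + bias > 0


def recall(model, labelled_traces) -> float:
    """Fraction of ransomware traces the model flags (the metric the abstract reports)."""
    positives = [trace for trace, is_ransomware in labelled_traces if is_ransomware]
    flagged = sum(1 for trace in positives if level2_predict(model, trace))
    return flagged / len(positives)


def detect(data: bytes, api_trace, known_signatures: set, model):
    """Two-level verdict: "signature" (level 1), "behaviour" (level 2) or None."""
    if level1_signature_match(data, known_signatures):
        return "signature"
    if level2_predict(model, api_trace):
        return "behaviour"
    return None


# Constructed sample data; not the paper's dataset.
KNOWN_RANSOMWARE_BYTES = b"constructed bytes standing in for a known ransomware sample"
KNOWN_SIGNATURES = {sha256_hex(KNOWN_RANSOMWARE_BYTES)}
TRAINING_TRACES = [
    (["NtProtectVirtualMemory", "NtResumeThread", "NtTerminateProcess", "NtWriteFile"], True),
    (["NtProtectVirtualMemory", "NtResumeThread", "NtTerminateProcess", "CreateThread"], True),
    (["NtProtectVirtualMemory", "NtResumeThread", "NtTerminateProcess"], True),
    (["NtProtectVirtualMemory", "NtTerminateProcess", "NtWriteFile", "SetFilePointer"], True),
    (["NtWriteFile", "CreateThread", "UuidCreate", "NtDelayExecution", "SetFilePointer"], False),
    (["NtWriteVirtualMemory", "NtReadVirtualMemory", "VirtualFreeEx", "VirtualProtectEx", "NtResumeThread"], False),
    (["CreateDirectoryW", "NtSetInformationFile", "NtWriteFile", "SetFilePointer"], False),
    (["UuidCreate", "NtDelayExecution", "CreateThread", "NtTerminateProcess"], False),
]
MODEL = train_perceptron(TRAINING_TRACES)

if __name__ == "__main__":
    print("training recall:", recall(MODEL, TRAINING_TRACES))
    unseen = ["NtProtectVirtualMemory", "NtResumeThread", "NtTerminateProcess", "CreateDirectoryW"]
    print("verdict for unseen sample:", detect(b"unseen file content", unseen, KNOWN_SIGNATURES, MODEL))
```

Level 1 is only as good as the signature set, so a repacked or recompiled sample passes it and falls through to level 2; that is why the second level keys on behaviour (which APIs the process calls before it starts encrypting) rather than on file content. On the constructed traces the perceptron converges in three epochs, giving the three ransomware-leaning APIs positive weight and most goodware-leaning APIs negative weight, which mirrors the split the abstract reports.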