1. Introduction

2. Related works

3. Methodology

3.3. Generating Windows API calls

This subsection discusses how to generate Windows API calls.

3.3.1. Tracing Windows API Calls

The process of Windows API call tracing plays a critical role in understanding the behavior of ransomware. To instigate an infection on the host system, ransomware must successfully initiate a sequence of Windows API calls. These calls are instrumental in differentiating between malicious and non-malicious files due to their role as an interface through which programs request services from the operating system’s kernel. Therefore, monitoring these calls can be indicative of a program’s ultimate objective.

Definition 1. Windows API Call Trace is an analytical method employed to dynamically record the execution of a process within a secure environment. Given a process K with an input I, and assuming the process K invokes a Windows API call C, where $K\in C$ with input I, the Windows API call trace $C_t$ can be formally described as:

$$C_t=\left\{(K,C,I)\right\}$$

(1)

The comprehensive trace compiles a sequence of Windows API calls, each with its respective parameters and returned values from the process. To capture these dynamic behavioral traces, each ransomware sample was executed within an insulated environment. For a precise duration, ranging from 70.1 to 89.9 seconds, the behavior of the ransomware was scrutinized to reveal any malicious indicators. The utility of virtualization software was indispensable, as it allowed for the creation of system snapshots prior to the execution of ransomware. Post ransomware attack, the environment was restored to its prior uninfected state. A parallel was drawn for benign applications, executing them within the same insulated environment to accrue their behavioral profiles. To accurately trace Windows API calls, it is necessary for both ransomware and benign samples to run to completion. However, certain ransomware requires user interaction, such as mouse clicks or keyboard inputs, to activate their payload. To overcome this, a custom Python script was implemented to simulate basic user activities within the sandbox environment. These activities included web browsing, file manipulation, and desktop interaction. At the conclusion of the execution, the sandbox outputted a log file in JSON format, which is readable by humans and provides a record for each sample analyzed. While these reports encompass various dimensions of ransomware analysis, the focus was narrowed to the behavioral category, which elucidates the dynamic attributes of the ransomware.

3.3.2. Windows API feature abstraction

Following the acquisition of the behavioral log, the resultant report size from the sandbox was substantial, often spanning several hundred megabytes. The manual scrutiny of each report was deemed impractical due to the sheer volume of data, thus necessitating the development of a specialized parser engine. This engine, outlined in a comprehensive algorithm, was tasked with extracting behavioral characteristics from the output files. The parsing operation entailed reading the sandbox’s extensive reports and systematically sifting through them to isolate the essential Windows API calls, thereby diminishing the search space. To streamline the trace sequences, a focused extraction was performed, retrieving only the list of Windows API call function identifiers linked to the process, while overlooking the parameters and the values returned. A selection of critical cryptographic Windows API calls, along with their associated parameters, were represented visually. In the effort to condense the behavioral logs derived from the sample’s execution trace, a set of rules was implemented: Initially, the process identifier for the ransomware samples was pinpointed. Subsequently, an examination was conducted to determine the precise juncture at which the process instigated a new thread or spawned a child process, achieved by traversing through the logs. These calls were then ordered in a chronological fashion based on their timestamps. Ultimately, pertinent function calls were semantically distilled from the logs to construct an illustrative feature vector.

$$\begin{array}{cc}\hfill & \mathbf{Algorithm}\mathbf{1}:\mathbf{Trace}\mathbf{Parsing}\mathbf{and}\mathbf{Feature}\mathbf{Extraction}\hfill \\ \hfill & \mathrm{Input}\text{:}\mathrm{Behavioral}\mathrm{logs}L\hfill \\ \hfill & \mathrm{Output}\text{:}\mathrm{Feature}\mathrm{vector}F\hfill \\ \hfill & 1:\mathrm{Load}\mathrm{logs}L\mathrm{into}\mathrm{parser}\mathrm{engine}\hfill \\ \hfill & 2:F\leftarrow \varnothing (\mathrm{Initialize}\mathrm{feature}\mathrm{vector}\mathrm{as}\mathrm{empty})\hfill \\ \hfill & 3:\mathrm{for}\mathrm{each}\log l\mathrm{in}L\mathrm{do}\hfill \\ \hfill & 4:\mathrm{Identify}\mathrm{process}\mathrm{identifier}PID\mathrm{of}\mathrm{ransomware}\mathrm{sample}\hfill \\ \hfill & 5:\mathrm{for}\mathrm{each}\mathrm{Windows}\mathrm{API}\mathrm{call}c\mathrm{in}l\mathrm{do}\hfill \\ \hfill & 6:\mathrm{if}c\mathrm{is}\mathrm{linked}\mathrm{to}PID\mathrm{then}\hfill \\ \hfill & 7:\mathrm{Extract}\mathrm{function}\mathrm{identifier}FID\mathrm{from}c\hfill \\ \hfill & 8:\mathrm{if}FID\mathrm{is}\mathrm{not}\mathrm{extraneous}\mathrm{then}\hfill \\ \hfill & 9:F\leftarrow F\cup \left\{FID\right\}(\mathrm{Add}\mathrm{to}\mathrm{feature}\mathrm{vector})\hfill \\ \hfill & 10:\mathrm{end}\mathrm{if}\hfill \\ \hfill & 11:\mathrm{end}\mathrm{for}\hfill \\ \hfill & 12:\mathrm{Sort}F\mathrm{chronologically}\hfill \\ \hfill & 13:\mathrm{end}\mathrm{for}\hfill \\ \hfill & 14:\mathrm{Refine}F\mathrm{to}\mathrm{eliminate}\mathrm{noisy}\mathrm{calls}\hfill \\ \hfill & 15:\mathrm{return}F\hfill \end{array}$$

(2)

The output traces harvested not only encapsulated the authentic Windows API calls but were also interspersed with extraneous and obfuscating calls fabricated by the ransomware to camouflage its deleterious intentions.

3.3.3. Constructing n-gram

In the process of constructing a sequential behavior profile based on the Windows API call log for each sample, subsequences exerting minimal influence on detection were identified and omitted. N-grams with lengths ranging from 2 to 5 were synthesized from the Windows API call traces of each scrutinized sample. Only n-grams that were derived from identical categories were extracted. For example, the sequence comprising NtTerminateThread, NtTerminateThread, and NtSuspendThread represents a 3-gram sequence associated with the process and thread operations aiming to cease and suspend a specific threat. The culmination of this n-gram Windows API call trace construction is encapsulated in the vector $\mathbf{V}$, which embodies the count of every conceivable n-gram.

Upon the generation of n-grams, the aggregate count of issues derived from the Windows API traces utilizing 2-gram, 3-gram, 4-gram, and 5-gram structures amounted to 32,134; 76,917; 186,909; and 227,152 respectively. Nevertheless, the magnitude of these features imposes a considerable demand on training duration and memory allocation. Recognizing that not all features are integral to the categorization of malicious samples, those subsequences deemed to be noise-inducing and of negligible impact on detection precision were pruned from the sequence trace.

$$V_{ngram}=\left\{\left(g_1,g_2,\dots ,g_n\right)\mid g_i\in G,\sum _{i=1}^n\mathrm{count}\left(g_i\right)\right\}$$

(3)

Here, G represents the set of all possible grams derived from the Windows API call logs, and $\mathrm{count}\left(g_i\right)$ refers to the frequency of the individual grams within the log sequence. The refinement of the n-gram vector aims to retain only the most indicative sequences that contribute to the effective discrimination between benign and ransomware-related behaviors.

3.3.4. API refining process

In their attempts to elude detection, ransomware creators embed an extensive array of non-essential and redundant dynamic call sequences to obscure their runtime malevolent behavior and misdirect execution flow. Consequently, the volume of malevolent Windows API call sequences burgeons, engendering a highly noisy behavioral sequence. Windows API calls that fail to enhance the quality of detection are regarded as noise due to their non-contributory nature to detection efficacy. The performance of machine learning algorithms is contingent upon the presence or absence of such noise. Noise-laden datasets could deleteriously affect the learning models, manifesting in augmented processing times, escalated storage needs, and convoluted analysis of genuine malevolent intent, potentially leading to operational inefficiencies and compromised predictive capacities.

Definition 2. A Windows API call A is characterized as redundant $A_R$ if the feature vector $f_i$ and its correlated counterpart $f_j$ possess a redundancy index $R_{ij}$ approaching or equaling 1, indicating a complete association with no additive value towards the target outcome. Typically, the squared cosine similarity is utilized to ascertain the correlation between two Windows API call vectors $(f_i,f_j)$, delineated as:

$$R_{ij}={cos}^2\theta (f_i,f_j)$$

(4)

The goal is to simplify the model’s complexity and bolster the algorithm’s performance by excluding irrelevant and redundant Windows API calls that fail to contribute to heightened detection accuracy.

Syntax Definitions: Let P represent a process, $F_S$ denote first seen, log file $\left\{L\right\}$, Windows API Call $\left\{A\right\}$, Database $\left\{DB\right\}$; Dynamic behavior $\left\{B_d\right\}$, timestamps $\left\{T\right\}$ and directory D. Input: File containing the Windows API traces $A_t=\left\{(P\in A;I)\right\}$ and features $\{f_1,f_2,f_3,\dots ,f_n\}$. Output: List of Windows API calls $L\in \{a_1{a}_2{a}_3\dots a_t\}$.

$$\begin{array}{cc}\hfill & \mathbf{Algorithm}\mathbf{2}:\mathbf{Trace}\mathbf{Parsing}\mathbf{and}\mathbf{Feature}\mathbf{Extraction}\hfill \\ \hfill 1:& \mathrm{Procedure}\mathrm{FindAPICalls}(A_t,Condition)\{\hfill \\ \hfill 2:& \mathrm{for}\mathrm{each}P\mathrm{in}\left\{L\right\}{[}^{\prime }{B}_d^{\prime }]{[}^{\prime }{P}_d^{\prime }]\mathrm{do}\hfill \\ \hfill 3:& \mathrm{if}\left\{L\right\}\left[P_d\right]=Condition\mathrm{then}\hfill \\ \hfill 4:& F_{Stemp}\leftarrow F_S\hfill \\ \hfill 5:& \mathrm{if}{F}_S\ge F_{Stemp}\hfill \\ \hfill 6:& F_S\leftarrow F_{Stemp}\hfill \\ \hfill 7:& \mathrm{for}\mathrm{each}\mathrm{trace}\mathrm{in}\left\{L\right\}\left[P_d\right][A_t=(P\in A;I)]\mathrm{do}\hfill \\ \hfill 8:& \mathrm{if}\mathrm{trace}\left[i\right]\mathrm{does}\mathrm{not}\mathrm{include}A\mathrm{then}\hfill \\ \hfill 9:& ID\leftarrow A,\mathrm{modify}DB\mathrm{bad}\mathrm{hbox}T\left[i\right]\leftarrow \left\{T\right\}\left[i\right]\hfill \\ \hfill 10:& DB\left[i\right]\left[\mathrm{count}\right]\leftarrow 1\hfill \\ \hfill 11:& \mathrm{else}DB\left[i\right]\left[T\right]\leftarrow \mathrm{append}\left[T\right[i\left]\right]\hfill \\ \hfill 12:& DB\left[i\right]\left[\mathrm{count}\right]\leftarrow DB\left[i\right]\left[\mathrm{count}\right]+1\hfill \\ \hfill 13:& \mathrm{return}DB\left[i\right]\hfill \\ \hfill 14:& \mathrm{end}\mathrm{for}\hfill \\ \hfill 15:& \mathrm{end}\mathrm{for}\hfill \\ \hfill 16:& \mathrm{end}\hfill \\ \hfill 17:& \mathrm{Procedure}\mathrm{Loadfile}(D,PR)\{\hfill \\ \hfill 18:& \mathrm{for}(D,PR)\mathrm{in}G\_\mathrm{files}\hfill \\ \hfill 19:& \mathrm{for}i,N\mathrm{in}\mathrm{enumerate}\left[\mathrm{all}\_\mathrm{files}\right]\mathrm{do}\hfill \\ \hfill 20:& \mathrm{if}N\mathrm{ends}\mathrm{with}(\text{’}.\mathrm{json}\text{’})\mathrm{then}\hfill \\ \hfill 21:& FN\leftarrow N\hfill \\ \hfill 22:& Sdata\leftarrow \mathrm{load}(D+FN)\hfill \\ \hfill 23:& FindAPICalls(Sdata,true)\hfill \\ \hfill 24:& \mathrm{end}\mathrm{if}\hfill \\ \hfill 25:& \mathrm{end}\mathrm{for}\hfill \\ \hfill 26:& \mathrm{end}\mathrm{for}\hfill \\ \hfill 27:& \mathrm{end}\}\hfill \end{array}$$

(5)

3.3.5. Removing noise

The extraction of sequences from the N-Grams often encompasses numerous instances that fail to single out the functions of malicious files. Isolating these distinctive subset features from the Windows API call logs is a paramount task in the analysis phase, being both time-intensive and necessitating considerable effort for data cleansing. The mRmR has seen wide application across various domains, including intrusion detection. The Maximum Relevance process singles out the most relevant feature associated with the behavior of a malicious class without accounting for relationships among features. Given a set G of features, and collective information $MI(f_i;M)$ representing the mutual information among feature $f_i$ and the ransomware class, the Maximum Relevance is quantified as:

$$\mathrm{MaxRelevance}(f_i;M)=\frac{1}{\left|G\right|}\sum _{f_i\in G}MI(f_i;M)$$

(6)

Table 2. Comparative accuracy of classifiers with varying n-gram sequences.

Table 2. Comparative accuracy of classifiers with varying n-gram sequences.

n-gram	SVM	kNN	DT	RF
2-g	66.7%	58.7%	63.7%	67.7%
3-g	98.7%	88.7%	86.7%	78.7%
4-g	96.7%	76.7%	74.7%	61.7%
5-g	97.7%	78.7%	76.7%	59.7%

Opting for features based on Maximum Relevance (mR) can discern behaviors relevant to ransomware. To mitigate the issue of repetition in mR, the Minimum Redundancy (mR) criterion is employed and articulated as:

$$\mathrm{MinRedundancy}(f_i;C)=\frac{1}{{\left|S\right|}^2}\sum _{f_i,f_j\in S}MI(F_i;F_j)$$

(7)

Where $MI(F_i;F_j)$ is the mutual information between feature $F_i$ and feature $F_j$. By amalgamating these two conditions—Maximum Relevance and Minimum Redundancy—into a singular score function denoted by mRMR, one achieves a balance, employing the mutual information difference (mRMR MID) defined as:

$$\mathrm{MID}=\underset{S}{max}\left[MI(f_i;\Omega )-\frac{1}{\left|S\right|}\sum _{f_i,f_j\in S}MI(F_i;F_j)\right]$$

(8)

Separate features including redundancy and relevance quantified by computing the common information between selected characters. Two Windows API call features are deemed independent if their mutual information score is the minimal value $MI(f_i;f_j)$. The joint probability distribution $p(x,y)$ alongside the marginal probabilities $p\left(x\right)$ and $p\left(y\right)$, allows for defining the mutual information of feature pairs as:

$$MI(f_i;f_j)=\sum _{x,y}p(x,y)log\left(\frac{p(x,y)}{p\left(x\right)p\left(y\right)}\right)$$

(9)

4. Results

4.1. Classifier Performance Analysis Based on N-Gram Feature Lengths

The efficacy of various classifiers was scrutinized based on n-gram lengths of 2, 3, 4, and 5, derived from each Windows API call sequence. This analysis was facilitated by the train-test split methodology, which bifurcates the dataset into a training set and a testing set. Prior to the construction of the model, the dataset was divided, ensuring a uniform distribution where 80.7% constituted the training set and 19.3% formed the testing set. The classifiers’ precision was evaluated by metrics such as accuracy and the values of the Area under the Receiver Operating Characteristic Curve (AUC).

The Support Vector Machine (SVM) classifier, when utilizing a 3-gram approach, manifested superior accuracy, with a spectrum from 66.7% to 98.7%, and a reduced false-positive rate of approximately 0.0267. The robustness of this classifier was observed to be consistent with the implementation of 4-gram and 5-gram feature sequences. According to the data presented in Table 2, the k-Nearest Neighbors (kNN) and Decision Tree (DT) algorithms revealed almost parallel accuracy. These classifiers, with a 2-gram feature set, exhibited a lower accuracy threshold, whereas a significant increase was noted with the application of a 3-gram sequence.

The Random Forest (RF) classifier displayed the least accurate results across the spectrum of classifiers when the models were subjected to various lengths of n-grams. Specifically, the accuracy was moderately satisfactory with 67.7% for 2-grams and 78.7% for 3-grams. However, a decline in accuracy to 61.7% and 59.7% was observed for 4-grams and 5-grams, respectively. This decrease could be attributed to the increased computational complexity required by the RF classifier to construct the model with larger n-gram sizes, leading to overfitting issues during the training phase and consequently a lack of generalization for new features during testing. In contrast, Logistic Regression (LR) exhibited remarkable performance, with an accuracy of 72.3% and a lower false-positive rate of 0.413 for 2-gram features. This can be ascribed to the classifier’s lower computational demands with smaller n-gram sizes.

Table 3. Classifier Performance Evaluation with Varied N-Gram Feature Lengths.

Table 3. Classifier Performance Evaluation with Varied N-Gram Feature Lengths.

n-gram Length	SVM	kNN	DT	RF
2-gram	66.1%	58.1%	63.1%	67.1%
3-gram	98.1%	88.1%	86.1%	78.1%
4-gram	96.1%	76.1%	74.1%	61.1%
5-gram	97.1%	78.1%	76.1%	59.1%

The Receiver Operating Characteristic (ROC) curves show that overall AUC values underwent a marked decrease when 2-gram based features were utilized for model training. This is likely due to shorter n-grams’ inability to encapsulate ransomware behavior adequately, thus increasing false positive alerts. A broadening of feature dimensionality, achieved by expanding the n-gram window to a 3-gram, resulted in a dramatic rise in AUC values for the classifiers. As seen in Figure (c), a marginal decline in AUC by an average of 0.167% was observed for n = 4. Furthermore, Figure (d) presents a comparative analysis of the ROC curves for longer sequences with n = 5 across the classifiers, indicating a significant drop in AUC values. This could be because extended sequences of n-grams are not efficacious in differentiating ransomware behavior from benign processes. Moreover, the increment in the length of n-gram sequences has a direct correlation with the training duration required for the model.

4.2. Enhanced Analysis of Classifier Efficacy Based on Variable N-Gram Feature Sizes

The objective of this investigation was to assess the classifiers’ effectiveness when applied to an array of n-gram feature sizes, utilizing a tenfold cross-validation method. A notable limitation observed with the train-test splitting approach is the potential for class imbalance post-dataset division, which may lead to an erroneous estimate of the holdout error rate. To circumvent this issue, tenfold cross-validation was employed, which serves to mitigate overfitting and more accurately evaluate the model’s performance. In this method, the dataset was thoroughly shuffled and partitioned into ten equal-sized segments. During each of the ten iterations, nine segments were utilized to develop the model, and the remaining segment was used for evaluation.

The Support Vector Machine (SVM), when employing a 3-gram scheme, demonstrated remarkable accuracy levels, varying from 66.1% to 98.1%, accompanied by a diminished false-positive rate of approximately 0.0261. The SVM’s consistency was notable across the board, with the 4-gram and 5-gram feature sequences showing stable performance metrics. According to Table 3, k-Nearest Neighbors (kNN) and Decision Tree (DT) algorithms exhibited commensurate levels of accuracy. The 2-gram feature set resulted in lower accuracy rates for these classifiers, which noticeably improved upon the adoption of a 3-gram sequence.

Random Forest (RF) classifiers yielded the least precise outcomes among the spectrum of classifiers when evaluated across diverse n-gram lengths. In particular, the RF classifier’s accuracy was moderately acceptable with a 67.1% for 2-grams and 78.1% for 3-grams. A downward trend in accuracy was noted for 4-grams and 5-grams, registering at 61.1% and 59.1% respectively. Such a trend suggests an escalation in computational demands as the n-gram size increases, potentially causing overfitting during the training phase and a subsequent inability to generalize when confronted with new features in the testing phase. In stark contrast, Logistic Regression (LR) outshone other classifiers with an accuracy of 72.3% and a lower false-positive rate of 0.0413 for 2-gram features, attributed to its lesser computational requirements for smaller n-gram sizes.

5. Discussions

6. Conclusions and Future Research Directions

References

1. Almashhadani, A.O.; Kaiiali, M.; Sezer, S.; O’Kane, P. A multi-classifier network-based crypto ransomware detection system: a case study of Locky ransomware. Ieee Access 2019, 7, 47053–47067. [Google Scholar] [CrossRef]
2. Ahmed, U.; Lin, J.C.W.; Srivastava, G. Mitigating adversarial evasion attacks of ransomware using ensemble learning. Computers and Electrical Engineering 2022, 100, 107903. [Google Scholar] [CrossRef]
3. McIntosh, T.; Kayes, A.; Chen, Y.P.P.; Ng, A.; Watters, P. Dynamic user-centric access control for detection of ransomware attacks. Computers & Security 2021, 111, 102461. [Google Scholar]
4. Eliando, E.; Purnomo, Y. LockBit 2.0 Ransomware: Analysis of infection, persistence, prevention mechanism. CogITo Smart Journal 2022, 8, 232–243. [Google Scholar] [CrossRef]
5. Hwang, J.; Kim, J.; Lee, S.; Kim, K. Two-stage ransomware detection using dynamic analysis and machine learning techniques. Wireless Personal Communications 2020, 112, 2597–2609. [Google Scholar] [CrossRef]
6. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Evaluation of live forensic techniques in ransomware attack mitigation. Forensic Science International: Digital Investigation 2020, 33, 300979. [Google Scholar] [CrossRef]
7. McIntosh, T.; Kayes, A.; Chen, Y.P.P.; Ng, A.; Watters, P. Applying Staged Event-Driven Access Control to Combat Ransomware. Computers & Security 2023, 103160. [Google Scholar]
8. Zuhair, H.; Selamat, A.; Krejcar, O. A Multi-Tier Streaming Analytics Model of 0-Day Ransomware Detection Using Machine Learning. Applied Sciences 2020, 10, 3210. [Google Scholar] [CrossRef]
9. Ahmed, M.E.; Kim, H.; Camtepe, S.; Nepal, S. Peeler: Profiling kernel-level events to detect ransomware. In Proceedings of the Computer Security–ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4–8, 2021, Proceedings, Part I 26. Springer, 2021, pp. 240–260.
10. Al-Hawawreh, M.; Sitnikova, E.; Aboutorab, N. Asynchronous peer-to-peer federated capability-based targeted ransomware detection model for industrial IoT. IEEE Access 2021, 9, 148738–148755. [Google Scholar] [CrossRef]
11. Al-Dwairi, M.; Shatnawi, A.S.; Al-Khaleel, O.; Al-Duwairi, B. Ransomware-Resilient Self-Healing XML Documents. Future Internet 2022, 14, 115. [Google Scholar] [CrossRef]
12. AlMajali, A.; Qaffaf, A.; Alkayid, N.; Wadhawan, Y. Crypto-Ransomware Detection Using Selective Hashing. 2022 International Conference on Electrical and Computing Technologies and Applications (ICECTA)2022, pp. 328–331.
13. Axon, L.; Erola, A.; Agrafiotis, I.; Uuganbayar, G.; Goldsmith, M.; Creese, S. Ransomware as a Predator: Modelling the Systemic Risk to Prey. Digital Threats: Research and Practice. [CrossRef]
14. Bekkers, L.; van’t Hoff-de Goede, S.; Misana-ter Huurne, E.; van Houten, Y.; Spithoven, R.; Leukfeldt, E.R. Protecting Your Business against Ransomware Attacks? Explaining the Motivations of Entrepreneurs to Take Future Protective Measures against Cybercrimes Using an Extended Protection Motivation Theory Model. Computers & Security 2023, 127, 103099. [Google Scholar]
15. Bold, R.; Al-Khateeb, H.; Ersotelos, N. Reducing False Negatives in Ransomware Detection: A Critical Evaluation of Machine Learning Algorithms. Applied Sciences 2022, 12, 12941. [Google Scholar] [CrossRef]
16. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Review of Current Ransomware Detection Techniques. In Proceedings of the Proc. of the 7 th International Conference on Engineering and Emerging Technologies (ICEET). Institute of Electrical and Electronics Engineers, 2022.
17. Abbasi, M.S.; Al-Sahaf, H.; Mansoori, M.; Welch, I. Behavior-based ransomware classification: A particle swarm optimization wrapper-based approach for feature selection. Applied Soft Computing 2022, 121, 108744. [Google Scholar] [CrossRef]
18. Albulayhi, K.; Al-Haija, Q.A. Early-stage Malware and Ransomware Forecasting in the Short-Term Future Using Regression-based Neural Network Technique. In Proceedings of the 2022 14th International Conference on Computational Intelligence and Communication Networks (CICN). IEEE, 2022, pp. 735–742.
19. Almeida, F.; Imran, M.; Raik, J.; Pagliarini, S. Ransomware Attack as Hardware Trojan: A Feasibility and Demonstration Study. IEEE Access 2022, 10, 44827–44839. [Google Scholar] [CrossRef]
20. Aurangzeb, S.; Rais, R.N.B.; Aleem, M.; Islam, M.A.; Iqbal, M.A. On the classification of Microsoft-Windows ransomware using hardware profile. PeerJ Computer Science 2021, 7, e361. [Google Scholar] [CrossRef]
21. Baksi, R.P. Pay or Not Pay? A Game-Theoretical Analysis of Ransomware Interactions Considering a Defender’s Deception Architecture 2022. pp. 53–54.
22. Beaman, C.; Barkworth, A.; Akande, T.D.; Hakak, S.; Khan, M.K. Ransomware: Recent advances, analysis, challenges and future research directions. Computers & security 2021, 111, 102490. [Google Scholar]
23. Berrueta, E.; Morato, D.; Magaña, E.; Izal, M. Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic. Expert Systems with Applications 2022, 209, 118299. [Google Scholar] [CrossRef]
24. McIntosh, T.; Kayes, A.; Chen, Y.P.P.; Ng, A.; Watters, P. Ransomware mitigation in the modern era: A comprehensive review, research challenges, and future directions. ACM Computing Surveys (CSUR) 2021, 54, 1–36. [Google Scholar] [CrossRef]
25. Borah, P.; Bhattacharyya, D.K.; Kalita, J.K. Cost effective method for ransomware detection: an ensemble approach 2021. pp. 203–219.
26. Celdrán, A.H.; Sánchez, P.M.S.; Scheid, E.J.; Besken, T.; Bovet, G.; Pérez, G.M.; Stiller, B. Policy-based and Behavioral Framework to Detect Ransomware Affecting Resource-constrained Sensors 2022. pp. 1–7.
27. Connolly, A.Y.; Borrion, H. Reducing ransomware crime: analysis of victims’ payment decisions. Computers & Security 2022, 119, 102760. [Google Scholar]
28. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. NapierOne: A modern mixed file data set alternative to Govdocs1. Forensic Science International: Digital Investigation 2020, 40, 301330. [Google Scholar]
29. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Differential area analysis for ransomware attack detection within mixed file datasets. Computers & Security 2021, 108, 102377. [Google Scholar]
30. De Gaspari, F.; Hitaj, D.; Pagnotta, G.; De Carli, L.; Mancini, L.V. Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques. Neural Computing and Applications 2022, 34, 12077–12096. [Google Scholar] [CrossRef]
31. Du, J.; Raza, S.H.; Ahmad, M.; Alam, I.; Dar, S.H.; Habib, M.A. Digital Forensics as Advanced Ransomware Pre-Attack Detection Algorithm for Endpoint Data Protection. Security and Communication Networks 2022, 2022, 1–16. [Google Scholar] [CrossRef]
32. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Majority Voting Ransomware Detection System. Journal of Information Security 2023, 14. [Google Scholar] [CrossRef]
33. Ahmed, Y.A.; Koçer, B.; Al-rimy, B.A.S. Automated Analysis Approach for the Detection of High Survivable Ransomware. KSII Transactions on Internet and Information Systems (TIIS) 2020, 14, 2236–2257. [Google Scholar]
34. Ahmed, Y.A.; Koçer, B.; Huda, S.; Al-rimy, B.A.S.; Hassan, M.M. A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection. Journal of Network and Computer Applications 2020, 167, 102753. [Google Scholar] [CrossRef]
35. Faghihi, F.; Zulkernine, M. RansomCare: Data-centric detection and mitigation against smartphone crypto-ransomware. Computer Networks 2021, 191, 108011. [Google Scholar] [CrossRef]
36. Adamov, A.; Carlsson, A. Reinforcement learning for anti-ransomware testing. In Proceedings of the 2020 IEEE East-West Design & Test Symposium (EWDTS). IEEE, 2020, pp. 1–5.
37. Iqbal, M.J.; Aurangzeb, S.; Aleem, M.; Srivastava, G.; Lin, J.C.W. RThreatDroid: A Ransomware Detection Approach to Secure IoT Based Healthcare Systems. IEEE Transactions on Network Science and Engineering 2022. [Google Scholar] [CrossRef]
38. McIntosh, T.; Liu, T.; Susnjak, T.; Alavizadeh, H.; Ng, A.; Nowrozy, R.; Watters, P. Harnessing GPT-4 for generation of cybersecurity GRC policies: A focus on ransomware attack mitigation. Computers & Security 2023, 134, 103424. [Google Scholar]
39. Al-rimy, B.A.S.; Maarof, M.A.; Alazab, M.; Alsolami, F.; Shaid, S.Z.M.; Ghaleb, F.A.; Al-Hadhrami, T.; Ali, A.M. A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction. IEEE Access 2020. [Google Scholar] [CrossRef]
40. Al-rimy, B.A.S.; Maarof, M.A.; Alazab, M.; Shaid, S.Z.M.; Ghaleb, F.A.; Almalawi, A.; Ali, A.M.; Al-Hadhrami, T. Redundancy coefficient gradual up-weighting-based mutual information feature selection technique for crypto-ransomware early detection. Future Generation Computer Systems 2020. [Google Scholar] [CrossRef]
41. Al-Haija, Q.A.; Alsulami, A.A. High performance classification model to identify ransomware payments for heterogeneous bitcoin networks. Electronics 2021, 10, 2113. [Google Scholar] [CrossRef]
42. Zhang, C.; Luo, F.; Ranzi, G. Multistage Game Theoretical Approach for Ransomware Attack and Defense. IEEE Transactions on Services Computing 2022. [Google Scholar] [CrossRef]
43. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Exploring the Need For an Updated Mixed File Research Data Set. In Proceedings of 2021 International Conference on Engineering and Emerging Technologies (ICEET). IEEE, 2021, pp. 1–5.
44. A. Alissa, K.; H. Elkamchouchi, D.; Tarmissi, K.; Yafoz, A.; Alsini, R.; Alghushairy, O.; Mohamed, A.; Al Duhayyim, M. Dwarf mongoose optimization with machine-learning-driven ransomware detection in internet of things environment. Applied Sciences 2022, 12, 9513. [Google Scholar] [CrossRef]