Ransomware detection method based on context-aware entropy
· Yoojae Won
© Springer-Verlag GmbH Germany, part of Springer Nature 2018
Numerous countermeasures have been proposed since the first appearance of ransomware. However, new ransomware
variants continue to be created, and the damage they cause keeps increasing. Existing antivirus tools are
signature-dependent and cannot easily detect ransomware attack patterns: if the antivirus database does not
contain a signature for the new malicious behavior, the new malware cannot be detected. Thus, the need has
emerged for a normal/abnormal behavior analysis technique based on a context-aware method. Therefore, a
multilateral context-aware ransomware detection and response system model is presented in this paper. The
proposed model is designed to respond to ransomware preemptively and to perform post-detection management. An
evaluation was conducted to obtain evidence that the given files were altered by ransomware through analyses
based on multiple-context awareness. Entropy information was then used to detect abnormal behavior.
Keywords API hooking · Command and control server · Context-based analysis · Cryptography · Entropy · Kernel system ·
Ransomware · System security process
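The abstract relies on two observations that the paper develops later: an encrypted file body has entropy close to that of random data, and ransomware changes the file's format while encrypting it. The following is an added illustration of how those two signals can be combined into a context-aware verdict; it is not the paper's own algorithm or code. The magic-byte table, the 7.5 bits/byte threshold, the printable-text heuristic and all sample files are constructed assumptions, and the "encrypted" bodies are seeded PRNG output standing in for ciphertext.

```python
"""Context-aware entropy check for ransomware-style file tampering (added example)."""
import math
import random
from collections import Counter

# Constructed magic-byte table (assumption: a small illustrative subset).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}
TEXT_EXTS = {".txt", ".csv", ".md"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per deployment


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def format_matches(ext: str, data: bytes) -> bool:
    """Does the body still look like the format its extension claims?"""
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    if ext in TEXT_EXTS:
        # Text files carry no magic: accept if nearly every byte is printable ASCII.
        printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
        return bool(data) and printable / len(data) > 0.95
    return True  # unknown type: no format evidence either way


def classify_write(ext: str, new_body: bytes) -> str:
    """Verdict on a file write: 'suspicious' only when two independent signals agree.

    High entropy alone would flag every compressed image or archive; a format
    mismatch alone would flag legitimate conversions. Requiring both is the
    context that keeps the entropy signal usable.
    """
    high_entropy = shannon_entropy(new_body) >= ENTROPY_THRESHOLD
    format_lost = not format_matches(ext, new_body)
    return "suspicious" if high_entropy and format_lost else "benign"


def constructed_samples() -> dict:
    """Constructed inputs; 'encrypted' bodies are seeded PRNG bytes, not real ciphertext."""
    rng = random.Random(2018)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    report = b"Q3 revenue grew 4% on stable margins; see appendix for detail.\n" * 64
    png = MAGIC[".png"] + noise(4000)  # intact image: valid header, high-entropy payload
    return {
        "report.txt": report,                      # ordinary text, low entropy
        "report.txt (encrypted)": noise(len(report)),
        "photo.png": png,                          # legitimate high-entropy file
        "photo.png (encrypted)": noise(len(png)),  # header gone, entropy barely changes
    }


def run_demo() -> dict:
    """Classify every sample; returns {name: (entropy_bits_per_byte, verdict)}."""
    results = {}
    for name, body in constructed_samples().items():
        ext = "." + name.split(" ")[0].rsplit(".", 1)[1]
        results[name] = (round(shannon_entropy(body), 2), classify_write(ext, body))
    return results


if __name__ == "__main__":
    for name, (h, verdict) in run_demo().items():
        print(f"{name:26s} entropy={h:.2f}  {verdict}")
```

The intact PNG shows why entropy alone is a weak detector: its payload is as random-looking as the encrypted copy, and only the surviving header separates the two. In a real deployment the "before" state of the file (the context the paper's model tracks) would supply the expected format rather than the extension, since ransomware frequently renames files as well.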
Ransomware is malicious code that encrypts a user's important files
and then demands a ransom payment in exchange for decrypting them.
When ransomware first appeared, it spread relatively slowly compared
with other cyber threats and was particularly virulent only in some
regions. However, once ransomware gained a reputation as an effective
means of extortion, attacks of this type began proliferating throughout
the world. Since 2013, the number of ransomware attacks has increased
more than fivefold each year. Kharraz (2015) stated that ransomware
attacks had become one of the most prominent malicious cyber threats.
Ransomware damage is no longer confined to personal computers and has
extended to smartphones, tablet PCs, and smart cars (Kang 2017; Joo 2015).
Communicated by G. Yi.
Department of Computer Science Engineering, Chungnam National University, Daejeon, South Korea

Typical ransomware attacks involve extorting money from the user by
encrypting important files on the user's device and then demanding that
the user deposit a specified ransom into a virtual account in exchange
for the decryption of those files.
Figure 2 depicts the total number of ransomware attacks from the second
quarter of 2016 to the first quarter of 2017. Figure 3 shows the growth
rate of ransomware attacks from 2015 to 2017. The absolute amount of
ransomware damage is not as high as for other malicious programs;
nonetheless, its growth rate is the highest. Furthermore, because
ransomware variants are easy to generate, the reliability of detection
and response methods has so far been low (Hoe 2011; Scaif 2016).
In this study, ransomware detection has been investigated based on
feature values that are common to all ransomware behavior. One common
feature was found: all known ransomware modifies the format of a file
when encrypting it. The entropy of the modified file's format was
calculated with our own entropy analysis algorithm, and the result was
judged applicable to a ransomware detection policy. The approach
proposed herein is designed to enable ransomware detection based on
context awareness. It is thereby possible to detect ransomware regardless of the