Ransomware Detection by Mining API Call Usage

Shina Sheen, Ashwitha Yadav

2018 INTERNATIONAL CONFERENCE ON ADVANCES IN COMPUTING, COMMUNICATIONS AND INFORMATICS (ICACCI)(2018)

Abstract
Ransomware is one of the harmful forms of malware seen in the recent past. The year 2016 saw a huge rise in ransomware attacks. According to a study by Tripwire, ransomware did the most damage to organizations in 2017, followed by DDoS, malicious insiders, phishing, and known/unknown vulnerabilities. In this work, Application Programming Interface (API) calls are extracted from executables, and the most discriminating API calls are used to train a classifier to detect unknown ransomware. We tested our method on various classifiers such as decision trees, KNN, and random forest. Class imbalance, due to the difference in the number of samples available in the two classes (ransomware and benign), is also considered. Random forest with SMOTE for class imbalance gave a detection rate of over 98%. A large number of ransomware samples have been analyzed and the discriminating API calls have been identified.
Keywords
Ransomware, API calls, Random forest
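
An added illustration of the pipeline the abstract describes (not the paper's code or data): rank API calls by how well they separate ransomware from benign samples, then rebalance the classes with SMOTE before a classifier is trained. Information gain as the ranking score, the constructed import lists, and all function names are assumptions; the abstract does not name the selection measure, and the classifier step is left out.

```python
import math, random

# Constructed samples (not data from the paper): imported API names per
# executable, label 1 = ransomware, 0 = benign (the majority class here).
SAMPLES = [
    ({"CreateFileW", "ReadFile", "WriteFile", "CryptEncrypt", "FindNextFileW"}, 1),
    ({"CreateFileW", "CryptEncrypt", "CryptGenKey", "DeleteFileW"}, 1),
    ({"CreateFileW", "ReadFile", "MessageBoxW"}, 0),
    ({"CreateFileW", "WriteFile", "GetSystemTime"}, 0),
    ({"ReadFile", "MessageBoxW", "RegOpenKeyExW"}, 0),
    ({"CreateFileW", "ReadFile", "WriteFile", "FindNextFileW"}, 0),
    ({"GetSystemTime", "MessageBoxW", "WriteFile"}, 0),
    ({"CreateFileW", "RegOpenKeyExW", "ReadFile"}, 0),
]

def entropy(labels):
    """Shannon entropy (bits) of a list of 0/1 labels."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return -sum(q * math.log2(q) for q in (p, 1 - p) if q > 0)

def info_gain(api, samples):
    """Reduction in label entropy from knowing whether `api` is imported."""
    has = [y for apis, y in samples if api in apis]
    lacks = [y for apis, y in samples if api not in apis]
    n = len(samples)
    split = len(has) / n * entropy(has) + len(lacks) / n * entropy(lacks)
    return entropy([y for _, y in samples]) - split

def rank_apis(samples):
    """API names, most discriminating first (ties broken alphabetically)."""
    vocab = set().union(*(apis for apis, _ in samples))
    return sorted(vocab, key=lambda a: (-info_gain(a, samples), a))

def smote(minority, n_new, k=1, seed=0):
    """Synthesize points on segments between minority vectors and their k-NN."""
    rng, out = random.Random(seed), []
    for _ in range(n_new):
        x = rng.choice(minority)  # needs at least two minority vectors
        near = sorted((m for m in minority if m is not x), key=lambda m: math.dist(x, m))[:k]
        nb, gap = rng.choice(near), rng.random()
        out.append([a + gap * (b - a) for a, b in zip(x, nb)])
    return out

def balanced_training_set(samples, top_n=3):
    """Keep the top_n APIs as binary features, then oversample ransomware."""
    feats = rank_apis(samples)[:top_n]
    rows = [([float(f in apis) for f in feats], y) for apis, y in samples]
    pos = [x for x, y in rows if y == 1]
    return feats, rows + [(s, 1) for s in smote(pos, len(rows) - 2 * len(pos))]
```

The rows returned by `balanced_training_set(SAMPLES)` are what would be handed to a classifier such as a random forest; synthetic rows must be generated from the training split only, so that evaluation data never contains interpolated samples.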