Detecting Ransomware Using Alignment of the Different Sections of the PE Header

Research Square (2023)

Abstract

Ransomware is one of the most challenging types of malware: it uses cryptography to encrypt resources on victims' computers, and the attackers then demand a ransom payment to recover them. Ransomware is currently one of the most serious threats to individuals and organizations, so it is essential to detect it before it causes serious damage. Because of the obfuscation tactics used in polymorphic and metamorphic ransomware, it is difficult to detect such samples before they infect the system. Features must therefore be extracted from a program in a way that is resistant to obfuscation techniques. The executable file header contains the fields that define the program's structure, and extracting this part of the executable requires no preprocessing or special resources. Note that changing the structure of the program changes the header fields as well. The aims of ransomware and benign programs differ, resulting in discrepancies in parts of their headers. In this paper, we propose a technique for detecting ransomware from the bytes of the executable file header. Because header information is sequential in nature, sequence-processing algorithms are used to process it. Based on the alignment scores of the important sections of the header and a weighted-vote technique, the proposed method determines the label of a sample. The results confirm that this approach detects ransomware with up to 95% accuracy, a significant improvement over previous methods.
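The abstract describes a three-stage pipeline: read the header fields of a PE file, compute alignment scores between the sample's header sections and those of labelled references, and combine the per-section verdicts with a weighted vote. The Python sketch below is an added illustration of that pipeline and is not the paper's code. The header sections it reads (DOS, COFF, leading optional-header fields), the Needleman-Wunsch scoring parameters, the section weights, the tie-abstain rule and the reference corpus are all assumptions made here; the reference "binaries" are constructed header blobs with arbitrary field values, not real ransomware or benign samples.

```python
"""Header-alignment ransomware detection, as an illustrative sketch.

Added example, not the paper's code: it reads the DOS, COFF and optional
headers of a PE image with struct, scores each header section against
labelled reference headers by Needleman-Wunsch global alignment, and lets
the sections cast a weighted vote. All reference headers, weights and
scoring parameters below are constructed toy values, not the paper's.
"""
import struct

DOS_LFANEW_OFFSET = 0x3C
# COFF file header: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Leading optional-header fields: Magic, MajorLinkerVersion, MinorLinkerVersion,
# SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
# AddressOfEntryPoint, BaseOfCode
OPT_FMT = "<HBBIIIII"
COFF_SIZE = struct.calcsize(COFF_FMT)
OPT_SIZE = struct.calcsize(OPT_FMT)


def parse_pe_header(data: bytes) -> dict:
    """Return the raw bytes of each header section keyed by name.

    Only the fixed-size fields above are read; a production parser would also
    walk the data directories and the section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, DOS_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    coff = data[coff_off:coff_off + COFF_SIZE]
    if len(coff) != COFF_SIZE:
        raise ValueError("truncated COFF header")
    size_of_optional = struct.unpack(COFF_FMT, coff)[5]
    opt_off = coff_off + COFF_SIZE
    optional = data[opt_off:opt_off + min(size_of_optional, OPT_SIZE)]
    return {"dos": data[:e_lfanew], "coff": coff, "optional": optional}


def align_score(a: bytes, b: bytes, match=1, mismatch=-1, gap=-1) -> int:
    """Needleman-Wunsch global alignment score with a linear gap penalty."""
    prev = [j * gap for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [i * gap]
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            cur.append(max(diag, prev[j] + gap, cur[j - 1] + gap))
        prev = cur
    return prev[-1]


def classify(sample: bytes, references: dict, weights: dict):
    """Weighted vote over header sections.

    references maps label -> list of reference PE images; weights maps section
    name -> vote weight. Each section of the sample is aligned against the same
    section of every reference and votes, with its weight, for the label holding
    the best score. A section whose best scores tie across labels abstains, so a
    header part the references cannot separate does not decide the outcome.
    Returns (label, tally).
    """
    parsed = {lbl: [parse_pe_header(r) for r in refs] for lbl, refs in references.items()}
    sample_secs = parse_pe_header(sample)
    tally = {lbl: 0.0 for lbl in references}
    for sec, weight in weights.items():
        best = {lbl: max(align_score(sample_secs[sec], p[sec]) for p in ps)
                for lbl, ps in parsed.items()}
        top = max(best.values())
        winners = [lbl for lbl, s in best.items() if s == top]
        if len(winners) == 1:
            tally[winners[0]] += weight
    return max(tally, key=tally.get), tally


def build_pe(machine, nsections, timestamp, characteristics, linker_major,
             size_of_code, entry) -> bytes:
    """Construct a minimal PE header blob (toy data, not a runnable image)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_LFANEW_OFFSET, len(dos))
    optional = struct.pack(OPT_FMT, 0x10B, linker_major, 0, size_of_code,
                           0x1000, 0, entry, 0x1000)
    coff = struct.pack(COFF_FMT, machine, nsections, timestamp, 0, 0,
                       len(optional), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + optional


# Constructed reference corpus: the field values are arbitrary illustrations,
# not measurements from real ransomware or benign binaries.
REFERENCES = {
    "ransomware": [build_pe(0x14C, 3, 0, 0x0102, 2, 0x9000, 0x8A00),
                   build_pe(0x14C, 3, 0, 0x0102, 2, 0x9400, 0x8C00)],
    "benign": [build_pe(0x8664, 6, 0x5F3E1C00, 0x0022, 14, 0x3000, 0x1500),
               build_pe(0x8664, 5, 0x5F3E2000, 0x0022, 14, 0x2800, 0x1400)],
}
WEIGHTS = {"coff": 0.5, "optional": 0.4, "dos": 0.1}  # assumed, not the paper's


def demo():
    """Classify two constructed unknowns; returns their (label, tally) pairs."""
    suspicious = build_pe(0x14C, 3, 0, 0x0102, 2, 0x9200, 0x8B00)
    ordinary = build_pe(0x8664, 6, 0x5F3E1C00, 0x0022, 14, 0x2C00, 0x1480)
    return classify(suspicious, REFERENCES, WEIGHTS), classify(ordinary, REFERENCES, WEIGHTS)


if __name__ == "__main__":
    for label, tally in demo():
        print(label, tally)
```

Two design points worth noting. The DOS stub is identical in every constructed sample, so that section's best scores tie across labels and it abstains rather than casting its weight for whichever label happens to come first; a practitioner porting this to a real corpus should expect the same for any header part the references do not separate. The alignment is global and byte-wise, which is what makes the method tolerant of small field changes (a different SizeOfCode or entry point costs one or two mismatches, not a wholesale feature change); a packer that rewrites the whole COFF and optional header would still defeat it, which is the caveat to keep in mind against the 95% figure.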
Keywords: ransomware using alignment, detecting