It's too late if exfiltrate: Early stage Android ransomware detection

Narendra Singh, Somanath Tripathy

Computers & Security (2024)

Abstract
Ransomware attacks disrupt and disable systems, demanding a ransom from the victim to restore functionality. Most state-of-the-art approaches identify ransomware by analyzing its behavior at the post-infection stage, and therefore fail to detect it at an early stage. This work proposes a ransomware detection mechanism named Weapon, which identifies the threat at the pre-operational stage on Android systems. Weapon extracts the key features from the behavioural characteristics (permissions and API calls) of the APK file and generates semantic features. These semantic features are then correlated with the MITRE ATT&CK framework to detect ransomware efficiently before its operational stage. The experimental results demonstrate that our approach could successfully identify 89.82% of ransomware samples at the pre-operational stage.
Keywords
Ransomware, Dynamic analysis, Early-stage detection, MITRE ATT&CK matrix