Identifying File Interaction Patterns in Ransomware Behaviour

Abstract

Malicious software (malware) has a rich history of causing significant challenges for both users and system developers alike. The development of different malware types is often resulting from criminal opportunity. The monetisation of ransomware, coupled with the continuous growing importance of user data, is resulting in ransomware becoming one of the most prominent forms of malware. Detecting and stopping a ransomware attack is challenging due to the large verity of different types, as well as the speed of new instances being developed. This results in static approaches (e.g. signature-based detection) ineffective at identifying all ransomware instances. This chapter investigates the behavioural characteristics of ransomware, and in particular focusses on interaction with the underlying file system. This study identifies that ransomware instances have unique behavioural patterns, which are significantly different from those of normal user interaction.