Document Type : Research Article


Department of Computer Engineering and IT, Shiraz University, Shiraz, Iran.


With the spread of information technology in human life, data protection is a critical task. On the other hand, malicious programs are developed, which can manipulate sensitive and critical data and restrict access to this data. Ransomware is an example of such a malicious program that encrypts data, restricts users' access to the system or their data, and then request a ransom payment. Many types of research have been proposed for ransomware detection. Most of these methods attempt to identify ransomware by relying on program behavior during execution. The main weakness of these methods is that it is not explicit how long the program should be monitored to show its real behavior. Therefore, sometimes, these researches cannot detect ransomware early. In this paper, a new method for ransomware detection is proposed that does not need executing the program and uses the PE header of the executable file. To extract effective features from the PE header file, an image is constructed based on PE header. Then, according to the advantages of Convolutional Neural Networks in extracting features from images and classifying them, CNN is used. The proposed method achieves high detection rates. Our results indicate the usefulness and practicality of our method for ransomware detection.


[1] Nabie Y Conteh and Paul J Schmick. Cybersecurity risks, vulnerabilities, and countermeasures to prevent social engineering attacks. In Ethical Hacking Techniques and Countermeasures for Cybercrime Prevention, pages 19–31. IGI Global,2021.
[2] Fakhroddin Noorbehbahani, Farzaneh Rasouli, and Mohammad Saberi. Analysis of machine learning techniques for ransomware detection. In 2019 16th International ISC (Iranian Society of Cryptology) Conference on Information Security
and Cryptology (ISCISC), pages 128–133. IEEE, 2019.
[3] Kim-Kwang Raymond Choo. Cryptocurrency and virtual currency: Corruption and money laundering/terrorism financing risks? In Handbook of digital currency, pages 283–307. Elsevier, 2015.
[4] Masarah Paquet-Clouston, Bernhard Haslhofer, and Benoit Dupont. Ransomware payments in the bitcoin ecosystem. Journal of Cybersecurity, 5(1):tyz003, 2019.
[5] Abbas Yazdinejad, Hamed HaddadPajouh, Ali Dehghantanha, Reza M Parizi, Gautam Srivastava, and Mu-Yen Chen. Cryptocurrency malware hunting: A deep recurrent neural network approach. Applied Soft Computing, 96:106630, 2020.
[6] Amin Azmoodeh, Ali Dehghantanha, Mauro Conti, and Kim-Kwang Raymond Choo. Detecting crypto-ransomware in iot networks base on energy consumption footprint. Journal of Ambient Intelligence and Humanized Computing, 9(4):1141–1152, 2018.
[7] Mamoona Humayun, NZ Jhanjhi, Ahmed Alsayat, and Vasaki Ponnusamy. Internet of things and ransomware: Evolution, mitigation and prevention. Egyptian Informatics Journal, 22(1):105–117, 2021.
[8] Wira Zanoramy A Zakaria, Mohd Faizal Abdollah, Othman Mohd, and Aswami Fadillah Mohd Ariffin. The rise of ransomware. In Proceedings of the 2017 International Conference on Software and e-Business, pages 66–70, 2017.
[9] Pierre-Luc Pomerleau and David L Lowery. The evolution of the threats to canadian financial institutions, the actual state of public and private partnerships in canada. In Countering Cyber Threats to Financial Institutions, pages 47–85. Springer, 2020.
[10] K Savage, P Coogan, and H Lau. The evolution of ransomware, symantec security response. Symantec Corporation, Mountain View, CA, 2015.
[11] Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, Sattar Hashemi, and Raouf Khayami. Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE transactions on emerging topics in computing, 8(2):341–351, 2017.
[12] Bander Ali Saleh Al-Rimy, Mohd Aizaini Maarof, Mamoun Alazab, Syed Zainudeen Mohd Shaid, Fuad A Ghaleb, Abdulmohsen Almalawi, Abdullah Marish Ali, and Tawfik Al-Hadhrami. Redundancy coefficient gradual up-weighting-based mutual information feature selection technique for crypto-ransomware early detection. Future Generation Computer Systems, 115:641–658, 2021.
[13] Ala Bahrani and Amir Jalaly Bidgly. Ransomware detection using process mining and classification algorithms. In 2019 16th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology(ISCISC), pages 73–77. IEEE, 2019.
[14] Laxmi B Bhagwat and Balaji M Patil. Detection of ransomware attack: A review. In Proceeding of International Conference on Computational Science and Applications, pages 15–22. Springer,2020.
[15] Amir Afianian, Salman Niksefat, Babak Sadeghiyan, and David Baptiste. Malware dynamic analysis evasion techniques: A survey. ACM Computing Surveys (CSUR), 52(6):1–28, 2019.
[16] Daniele Sgandurra, Luis Mu˜noz-Gonz´alez, Rabih Mohsen, and Emil C Lupu. Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020, 2016.
[17] Manuel Egele, Theodoor Scholte, Engin Kirda, and Christopher Kruegel. A survey on automated dynamic malware-analysis techniques and tools. ACM computing surveys (CSUR), 44(2):1–42, 2008.
[18] Mahboobe Ghiasi, Ashkan Sami, and Zahra Salehi. Dyvsor: dynamic malware detection based on extracting patterns from value sets of registers. The ISC International Journal of Information Security, 5(1):71–82, 2013.
[19] Ibrahim Bello, Haruna Chiroma, Usman A Abdullahi, Abdulsalam Yau Gital, Fatsuma Jauro, Abdullah Khan, Julius O Okesola, and M Abdulhamid Shafii. Detecting ransomware attacks using intelligent algorithms: recent development
and next direction from deep learning and big data perspectives. Journal of Ambient Intelligence and Humanized Computing, pages 1–19,2020.
[20] Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. Detecting environmentsensitive malware. In International Workshop on Recent Advances in Intrusion Detection, pages 338–357. Springer, 2011.
[21] Hanqi Zhang, Xi Xiao, Francesco Mercaldo, Shiguang Ni, Fabio Martinelli, and Arun Kumar Sangaiah. Classification of ransomware families with machine learning based on n-gram of opcodes. Future Generation Computer Systems, 90:211–221, 2019.
[22] Jeong Kyu Lee, Seo Yeon Moon, and Jong Hyuk Park. Cloudrps: a cloud analysis based enhanced ransomware prevention system. The Journal of Supercomputing, 73(7):3065–3084, 2017.
[23] Juan A Herrera Silva, Lorena Isabel Barona L´opez, Angel Leonardo Val- ´divieso Caraguay, and Myriam Hern´andez Alvarez. A survey on situational awareness of ´ransomware attacksdetection and prevention parameters. Remote Sensing, 11(10):1168, 2019.
[24] Arslan Ashraf, Abdul Aziz, Umme Zahoora, Muttukrishnan Rajarajan, and Asifullah Khan. Ransomware analysis using feature engineering and deep neural networks. arXiv preprint arXiv:1910.00286, 2019.
[25] Deepti Vidyarthi, CRS Kumar, Subrata Rakshit, and Shailesh Chansarkar. Static malware analysis to identify ransomware properties. International Journal of Computer Science Issues(IJCSI), 16(3):10–17, 2019.
[26] Ban Mohammed Khammas. Ransomware detection using random forest technique. ICT Express,6(4):325–331, 2020.
[27] Alberto Ferrante, Miroslaw Malek, Fabio Martinelli, Francesco Mercaldo, and Jelena Milose Extinguishing ransomware-a hybrid approach to android ransomware detection. In International Symposium on Foundations and Practice of Security, pages 242–258. Springer, 2017.
[28] Suyeon Yoo, Sungjin Kim, Seungjae Kim, and Brent Byunghoon Kang. Ai-hydra: Advanced hybrid approach using random forest and deep learning for malware classification. Information Sciences, 546:420–435, 2021.
[29] James Baldwin and Ali Dehghantanha. Leveraging support vector machine for opcode density based detection of crypto-ransomware. In Cyber threat intelligence, pages 107–136. Springer, 2018.
[30] Bin Zhang, Wentao Xiao, Xi Xiao, Arun Kumar Sangaiah, Weizhe Zhang, and Jiajia Zhang. Ransomware classification using patch-based cnn and self-attention network on embedded n-grams of opcodes. Future Generation Computer Systems,
110:708–720, 2020.
[31] Hyunji Kim, Jaehoon Park, Hyeokdong Kwon, Kyoungbae Jang, and Hwajeong Seo. Convolutional neural network-based cryptography ransomware detection for low-end embedded processors. Mathematics, 9(7):705, 2021.
[32] G Radhakrishnan, K Srinivasan, S Maheswaran, K Mohanasundaram, D Palanikkumar, and Abhay Vidyarthi. A deep-rnn and meta-heuristic feature selection approach for iot malware detection. Materials Today: Proceedings, 2021.
[33] Muna Al-Hawawreh and Elena Sitnikova. Leveraging deep learning models for ransomware detection in the industrial internet of things environment. In 2019 Military Communications and Information Systems Conference (MilCIS), pages
1–6. IEEE, 2019.
[34] Farnoush Manavi and Ali Hamzeh. Static detection of ransomware using lstm network and pe header. In 2021 26th International Computer Conference, Computer Society of Iran (CSICC),pages 1–5. IEEE, 2021.
[35] Seong Il Bae, Gyu Bin Lee, and Eul Gyu Im. Ransomware detection using machine learning algorithms. Concurrency and Computation: Practice and Experience, 32(18):e5422, 2020.
[36] Digit Oktavianto and Iqbal Muhardianto. Cuckoo malware analysis. Packt Publishing Ltd, 2013.
[37] Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778, 2016.
[38] Asifullah Khan, Anabia Sohail, Umme Zahoora, and Aqsa Saeed Qureshi. A survey of the recent architectures of deep convolutional neural networks. Artificial Intelligence Review, 53(8):5455–5516, 2020.
[39] Neha Sharma, Vibhor Jain, and Anju Mishra. An analysis of convolutional neural networks for image classification. Procedia computer science,132:377–384, 2018.
[40] Dmytro Mishkin, Nikolay Sergievskiy, and Jiri Matas. Systematic evaluation of convolution neural network advances on the imagenet. Computer Vision and Image Understanding, 161:11–19, 2017.
[41] David MW Powers. Evaluation: from precision, recall and f-measure to roc, informedness, markedness and correlation. arXiv preprint arXiv:2010.16061, 2020.
[42] Ron Kohavi et al. A study of cross-validation and bootstrap for accuracy estimation and model selection. In Ijcai, volume 14, pages 1137–1145. Montreal, Canada, 1995.
[43] Daniel Gibert, Carles Mateu, Jordi Planes, and Ramon Vicens. Using convolutional neural networks for classification of malware represented as images. Journal of Computer Virology and Hacking Techniques, 15(1):15–28, 2019.
[44] Quan Le, Ois´ın Boydell, Brian Mac Namee, and Mark Scanlon. Deep learning at the shallow end: Malware classification for non-domain experts. Digital Investigation, 26:S118–S126, 2018.
[45] Ajit Kumar, KS Kuppusamy, and G Aghila. A learning model to detect maliciousness of portable executable using integrated feature set. Journal of King Saud University-Computer and Information Sciences, 31(2):252–265, 2019.