Abstract
Crypto-ransomware is a malware category that targets user-related files, encrypts them, and holds them to ransom. Because the effect of a crypto-ransomware attack is irreversible, the attack must be detected early, before it starts encrypting the files. Although several works have been proposed to detect such attacks in the pre-encryption phase, the main limitation of these works is the way in which they define the boundaries of that phase: they delineate the pre-encryption phase by tracking the first call of any cryptography-related Application Programming Interface (API). Relying on the first call of a cryptography-related API is not accurate, however, because such calls may belong to other (normal) tasks performed by the crypto-ransomware, such as unpacking and/or decrypting its metamorphic payload, before the malicious activity begins. In that case, the collected pre-encryption data lack many relevant pre-encryption attack patterns that occur after the mistakenly identified boundary. Such data insufficiency adversely affects the accuracy of the detection model and increases the rate of false alarms. To overcome these limitations, this paper proposes an early detection model (CRED) that determines the pre-encryption boundaries, and collects the data related to this phase, more accurately. Unlike the extant research, the CRED model employs data-centric and process-centric detection approaches to combine both IRP (I/O Request Packet) and API data. These data are then used to train a deep learning-based model. The CRED model will be evaluated on a benchmark dataset collected by executing real-world crypto-ransomware samples downloaded from a widely used repository. The performance of the detection model will be validated using k-fold cross-validation and compared against the models proposed in existing works.
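The following is an added illustration, not code from the paper, of the boundary problem described above: on a constructed API/IRP trace, the first cryptography-related API call lands on the sample's own payload decryption, so the collected pre-encryption window is almost empty. The alternative boundary function is an assumed, simplified heuristic that combines API and IRP data (a crypto call is treated as the start of encryption only once the process has already read a user file); it is not CRED's actual algorithm.

```python
from typing import Callable, List, Tuple

# An event is (kind, name): kind is "api" for a Windows API call or "irp" for a
# file-system I/O Request Packet. Names below follow real Windows naming.
Event = Tuple[str, str]

CRYPTO_APIS = {"CryptAcquireContextW", "CryptDecrypt", "CryptEncrypt",
               "CryptGenKey", "CryptImportKey", "BCryptEncrypt"}

# Constructed trace (not captured from a real sample): the process first
# decrypts its packed payload, then enumerates and reads user files, and
# only then generates a key and starts encrypting.
SAMPLE_TRACE: List[Event] = [
    ("api", "LoadLibraryW"),
    ("api", "CryptAcquireContextW"),
    ("api", "CryptDecrypt"),                  # unpacking its own payload
    ("api", "VirtualAlloc"),
    ("api", "FindFirstFileW"),                # user-file enumeration begins
    ("api", "FindNextFileW"),
    ("irp", "IRP_MJ_CREATE C:\\Users\\a\\Documents\\report.docx"),
    ("irp", "IRP_MJ_READ C:\\Users\\a\\Documents\\report.docx"),
    ("api", "CryptGenKey"),                   # actual attack encryption starts
    ("api", "CryptEncrypt"),
    ("irp", "IRP_MJ_WRITE C:\\Users\\a\\Documents\\report.docx"),
    ("irp", "IRP_MJ_SET_INFORMATION C:\\Users\\a\\Documents\\report.docx.locked"),
]


def first_crypto_api_boundary(trace: List[Event]) -> int:
    """Boundary used by the prior works: index of the first crypto API call."""
    for i, (kind, name) in enumerate(trace):
        if kind == "api" and name in CRYPTO_APIS:
            return i
    return len(trace)


def api_plus_irp_boundary(trace: List[Event]) -> int:
    """Assumed illustrative heuristic: a crypto API call only counts as the
    start of encryption if an IRP read of a user file preceded it."""
    user_file_read = False
    for i, (kind, name) in enumerate(trace):
        if kind == "irp" and name.startswith("IRP_MJ_READ "):
            user_file_read = True
        elif kind == "api" and name in CRYPTO_APIS and user_file_read:
            return i
    return len(trace)


def pre_encryption_window(trace: List[Event],
                          boundary: Callable[[List[Event]], int]) -> List[Event]:
    """Events that a detector relying on `boundary` would keep as training data."""
    return trace[:boundary(trace)]


def captures_file_enumeration(window: List[Event]) -> bool:
    """Does the kept window contain the file-enumeration pattern at all?"""
    return any(name == "FindFirstFileW" for kind, name in window if kind == "api")
```

With the first-call boundary the window holds a single event and misses the enumeration and read pattern entirely; the combined boundary keeps eight events including it.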