Ransomware detection

ABSTRACT

Ransomware infections are increasing, and approaches to detect ransomware and protect devices are necessary. Most approaches to detecting cryptolockers rely on dynamic behavioral analysis of typical ransomware behavior, such as file access, filesystem activity and network activity. Some approaches combine static and dynamic analysis to detect features unique to ransomware, such as some form of ransom demand. But since all of these techniques are highly specific to what is considered typical ransomware behavior, it can be assumed that ransomware developers will soon adapt to detection tools and that new families with different behavior will spread. After a discussion of current ransomware families, a classification of detection methods and a discussion of research on ransomware detection, a tool evaluation is presented. Several detection tools were tested, and it could be shown that with minimum effort detection could either be avoided completely or at least delayed to a point where between 30 and 50 files could be properly encrypted before detection.


TAGS: MALWARE