Detection of Ransomware Attacks Using Processor and Disk Usage Data

Ransomware often evades antivirus tools, encrypts files, and renders the target computer and its data unusable. The current approaches to detect such ransomware include monitoring processes, system calls, and file activities on the target system and analyzing the data collected. Monitoring multiple processes has a very high overhead; newer ransomware may interfere with the monitoring and corrupt the collected data. This paper presents a robust and practical approach to detecting ransomware in execution on a virtual machine (VM). We collect data for selected processor and disk I/O events for the entire VM from the host machine and use a machine learning (ML) classifier to develop a detection model. This approach avoids the overhead of continuously monitoring every process on the target machine and prevents the risk of data contamination by ransomware. Furthermore, it is resilient to variations in user workloads. It provides fast detection with a high probability for known (used for training the ML model) and unknown (not used for training) ransomware. The random forest (RF) classifier performed the best of the seven ML classifiers we tested. Over six different user loads and 22 ransomware, the RF model detected ransomware within 400 milliseconds with a 0.98 probability.