
2.1 Malware Detection Based On Opcode Frequency (2016)



This paper was presented by Abhijit Yewale and Maninder Singh, Computer Science and
Engineering Department, Thapar University, at the International Conference on Advanced
Communication Control and Computing Technologies (ICACCCT), IEEE 2016.
The paper proposes a method to detect malware based on the frequency of opcodes in a
portable executable (PE) file. The opcode frequencies are used as features for a machine
learning classifier, which is evaluated by counting true positives, false positives, true
negatives and false negatives; the reported success rate is 96.67%. The challenges and
drawbacks noted are that a signature-based antivirus is not useful for detecting unknown
malware and struggles with polymorphic viruses and zero-day attacks, so signature-based
methods should be combined with machine learning to handle unknown malware. The work
also classifies PE files into only two categories, goodware and malware; it should
further classify the malware into Trojan, spyware, backdoor, etc.
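The feature extraction and the evaluation the paper describes can be shown end to end. The following Python is an added example, not the authors' code: it turns constructed opcode streams (invented here, not the paper's dataset) into normalised opcode-frequency vectors, trains a nearest-centroid classifier (a stand-in, since the page does not say which learner the paper used) and reports TP/FP/TN/FN and accuracy the way the paper does. The held-out set deliberately includes an xor-heavy benign sample so that a false positive actually appears.

```python
from collections import Counter
from math import sqrt

# Constructed training data: opcode mnemonic streams as a disassembler would emit
# them, hand-labelled for this example (0 = goodware, 1 = malware). This is not
# the paper's dataset; crypter-style code is made xor/rol/loop heavy on purpose.
TRAIN = [
    ("mov push call mov ret mov push call ret mov lea call mov ret", 0),
    ("push mov call test jz mov pop ret call mov mov ret push call", 0),
    ("mov lea mov call cmp jne mov ret push push call pop ret mov", 0),
    ("xor rol xor add loop xor rol xor dec jnz xor push call xor", 1),
    ("xor xor rol shl add loop dec jnz xor rol xor call xor ret", 1),
    ("rol xor add xor loop xor dec jnz rol xor shl xor xor call", 1),
]
VOCAB = sorted({op for seq, _ in TRAIN for op in seq.split()})


def opcode_frequency(seq):
    """Opcode histogram normalised to relative frequencies over VOCAB, so the
    feature vector does not depend on the size of the binary."""
    counts = Counter(seq.split())
    total = sum(counts.values()) or 1
    return [counts.get(op, 0) / total for op in VOCAB]


def centroid(vectors):
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(len(VOCAB))]


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroid:
    """Stand-in classifier: the paper's choice of learner is not stated on this page."""

    def fit(self, seqs, labels):
        vecs = [opcode_frequency(s) for s in seqs]
        self.centroids = {
            label: centroid([v for v, l in zip(vecs, labels) if l == label])
            for label in sorted(set(labels))
        }
        return self

    def predict(self, seq):
        v = opcode_frequency(seq)
        return min(self.centroids, key=lambda label: euclid(v, self.centroids[label]))


def confusion(model, samples):
    """TP/FP/TN/FN counts with malware (label 1) as the positive class."""
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for seq, truth in samples:
        pred = model.predict(seq)
        c[("t" if pred == truth else "f") + ("p" if pred == 1 else "n")] += 1
    c["accuracy"] = (c["tp"] + c["tn"]) / len(samples)
    return c


# Constructed held-out samples. The last one is benign code that happens to be
# xor-heavy (think a checksum routine): it shows how frequency-only features
# produce a false positive, the kind of error the paper's FP count measures.
TEST = [
    ("mov push call mov ret mov lea call mov pop ret mov call ret", 0),
    ("xor rol xor loop xor dec jnz xor rol add xor call xor ret", 1),
    ("xor xor xor rol shl loop jnz dec xor add xor xor rol xor", 1),
    ("mov mov call ret push pop call mov lea ret mov call push ret", 0),
    ("xor mov xor rol mov xor call ret mov xor add mov ret xor", 0),
]


def demo():
    model = NearestCentroid().fit([s for s, _ in TRAIN], [l for _, l in TRAIN])
    return confusion(model, TEST)


if __name__ == "__main__":
    print(demo())
```

The normalisation step matters: raw counts would let a large benign binary look closer to the malware centroid simply because it has more instructions. The false positive on the xor-heavy benign sample is the weakness the paper's own "polymorphic viruses" remark points at from the other side: frequency-only features see instruction mix, not behaviour.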

2.2 Detecting Ransomware with Honeypot techniques (2016)


This paper was presented by Chris Moore, Computing and Media Services, University of
St Mark & St John, Plymouth, England, at the Cybersecurity and Cyberforensics
Conference, IEEE 2016.
The research investigated techniques for implementing a honeypot to detect ransomware
activity and selected two options: the File Screening service of the Microsoft File
Server Resource Manager (FSRM) feature, and EventSentry to process the Windows
Security logs. While it is possible to deploy honeypot-style decoy folders containing
tripwire files for ransomware to interact with, there is no guarantee that the malware
will ever touch those folders, so it can bypass the defence entirely. This limited view
of the system is a disadvantage of honeypots: a honeypot that has raised no alerts is
not an indicator that other areas are not being targeted.
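The paper's implementation rests on FSRM file screens and EventSentry; the mechanism itself is platform-neutral, so the following Python is an added example (not the paper's configuration) that seeds hash-checked decoy files next to real data, detects when they are rewritten, renamed or deleted, and escalates in stages. The decoy names, the early-sorting naming trick and the two-stage thresholds are assumptions; the "ransomware" is a constructed stand-in that XORs and renames files inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Decoy (tripwire) files seeded beside real data. The names sort first so that
# malware enumerating the directory in order touches them early; the content is
# fixed so any rewrite is detectable by hash. Names and layout are assumptions.
DECOY_NAMES = ["!!_aaa_invoice.docx", "!!_aab_budget.xlsx", "!!_aac_photo.jpg"]
DECOY_CONTENT = b"decoy file - do not edit\n" * 8


def seed_decoys(root):
    """Write the decoys and return {path: sha256} as the baseline to check against."""
    baseline = {}
    for name in DECOY_NAMES:
        p = Path(root, name)
        p.write_bytes(DECOY_CONTENT)
        baseline[str(p)] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(baseline):
    """Return (path, reason) for every decoy that is gone, renamed or rewritten."""
    tripped = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            tripped.append((path, "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            tripped.append((path, "modified"))
    return tripped


def staged_response(tripped, total):
    """Escalate with the number of decoys hit (the two stages are assumed):
    one decoy is an alert worth investigating, all of them is an active encryptor."""
    if not tripped:
        return "none"
    if len(tripped) < total:
        return "alert"
    return "isolate"


def simulate_ransomware(root):
    """Constructed attacker: 'encrypts' every file (XOR stand-in) and renames one."""
    files = sorted(Path(root).iterdir())
    for p in files:
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
    files[0].rename(str(files[0]) + ".locked")


def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "real_report.txt").write_text("quarterly numbers")
        baseline = seed_decoys(d)
        before = staged_response(check_decoys(baseline), len(baseline))
        Path(d, "real_report.txt").write_text("quarterly numbers, revised")  # legitimate edit
        after_edit = staged_response(check_decoys(baseline), len(baseline))
        simulate_ransomware(d)
        tripped = check_decoys(baseline)
        after_attack = staged_response(tripped, len(baseline))
        return before, after_edit, after_attack, sorted(reason for _, reason in tripped)


if __name__ == "__main__":
    print(demo())
```

The legitimate edit of the real file changes nothing, which is the point of decoys: there are no user actions to whitelist. The paper's caveat applies unchanged, though: if the encryptor enumerates files in a different order, or is pointed at a path that holds no decoys, `check_decoys` reports nothing while real data is being encrypted.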

2.3 Ransomware detection by mining API call usage (2018)


This paper was presented by Shina Sheen and Ashwitha Yadav, Department of Applied
Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India,
at an IEEE International conference.
In this work, Application Programming Interface (API) calls are extracted from the
executables and the most discriminating API calls are used to train a classifier to
detect unknown ransomware. Random forest with SMOTE to correct the class imbalance gave
a detection rate of over 98%. A large number of ransomware samples were analysed and the
discriminating API calls were identified. The drawbacks concern the dataset: because the
number of ransomware samples from VirusShare was very large, the benign files became the
minority class, which leads to a class imbalance problem. Features extracted through
dynamic analysis should also be considered.
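"Most discriminating API calls" is a feature-selection step, and information gain is the usual way to rank a binary feature such as "this sample imports CryptEncrypt". The Python below is an added example, not the authors' pipeline: it ranks API names by information gain over constructed import lists (invented, not the VirusShare data), builds the binary feature vectors a classifier would consume, and computes the majority-to-minority ratio that SMOTE is applied to correct. Two benign samples deliberately share APIs with the ransomware (a crypto tool, a file indexer) so that file enumeration alone does not come out as a perfect discriminator.

```python
from math import log2

# Constructed per-sample import lists (1 = ransomware, 0 = benign): each entry is
# the set of API names found in a sample's import table. Not the paper's
# VirusShare data; two benign samples deliberately share APIs with ransomware.
SAMPLES = [
    ({"CryptEncrypt", "CryptGenKey", "FindFirstFileW", "FindNextFileW", "DeleteFileW",
      "CreateFileW", "ReadFile", "WriteFile", "CloseHandle"}, 1),
    ({"CryptEncrypt", "CryptAcquireContextW", "FindFirstFileW", "FindNextFileW", "MoveFileW",
      "CreateFileW", "ReadFile", "WriteFile", "CloseHandle"}, 1),
    ({"CryptGenKey", "CryptEncrypt", "FindNextFileW", "DeleteFileW", "GetLogicalDrives",
      "ReadFile", "WriteFile", "CloseHandle"}, 1),
    ({"CryptEncrypt", "FindFirstFileW", "FindNextFileW", "DeleteFileW", "SetFileAttributesW",
      "ReadFile", "WriteFile", "CloseHandle"}, 1),
    ({"CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "MessageBoxW"}, 0),
    ({"CreateWindowExW", "GetMessageW", "DispatchMessageW", "CreateFileW", "ReadFile",
      "CloseHandle"}, 0),
    ({"CryptAcquireContextW", "CryptGenKey", "ReadFile", "WriteFile", "CloseHandle"}, 0),  # benign crypto tool
    ({"FindFirstFileW", "FindNextFileW", "CreateFileW", "ReadFile", "CloseHandle"}, 0),    # file indexer
]


def entropy(labels):
    """Shannon entropy (bits) of a 0/1 label list; empty list contributes nothing."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in (labels.count(0), labels.count(1)) if c)


def information_gain(samples, api):
    """IG of the binary feature 'api is imported' with respect to the label:
    H(label) minus the label entropy remaining once we know whether api is present."""
    labels = [l for _, l in samples]
    with_api = [l for apis, l in samples if api in apis]
    without = [l for apis, l in samples if api not in apis]
    n = len(samples)
    conditional = (len(with_api) / n) * entropy(with_api) + (len(without) / n) * entropy(without)
    return entropy(labels) - conditional


def rank_apis(samples, k):
    """Top-k APIs by information gain; ties broken by name so the order is stable."""
    apis = sorted({a for s, _ in samples for a in s})
    return sorted(apis, key=lambda a: (-round(information_gain(samples, a), 9), a))[:k]


def vectorise(samples, features):
    """Binary presence vectors over the selected APIs, ready for a classifier."""
    return [([1 if f in apis else 0 for f in features], label) for apis, label in samples]


def imbalance_ratio(samples):
    """Majority:minority class ratio, the quantity SMOTE oversampling is meant to fix."""
    pos = sum(l for _, l in samples)
    neg = len(samples) - pos
    return max(pos, neg) / min(pos, neg)


if __name__ == "__main__":
    top = rank_apis(SAMPLES, 5)
    print(top, [(a, round(information_gain(SAMPLES, a), 3)) for a in top])
    print("imbalance", imbalance_ratio(SAMPLES))
```

APIs present in every sample (ReadFile, CloseHandle) get zero gain and drop out, which is what stops a classifier from learning "imports kernel32". The same calculation over a dataset with the paper's skew (many more ransomware than benign files) would push `imbalance_ratio` well above 1, and the information gain of any API would then be dominated by the majority class; that is the reason the paper reaches for SMOTE before training.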

2.4 A Novel Method for Recovery from Crypto Ransomware Infections (2016)
This paper was presented by Mattias Wecksten, Jan Frick, Andreas Sjostrom and Eric
Jarpe, Halmstad University, Sweden, at the 2nd IEEE International Conference on
Computer and Communications. The paper addresses crypto ransomware not only from the
prevention side but also focuses on how to recreate the encrypted files. By renaming the
system tool that handles shadow copies (vssadmin.exe), so that the ransomware's attempt
to delete the Volume Shadow Copies fails, it is possible to recover from infections by
all four of the most common crypto ransomware families examined. The solution is
packaged in a single, easy-to-use script. The authors note that it should be implemented
alongside other recommended measures: an updated antivirus, a properly configured
firewall, an updated operating system and software, and a proper backup scheme.
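The paper's control is preventive: the renamed tool makes the ransomware's deletion command fail, so the shadow copies survive. A complementary detective control is to alert on the deletion attempt itself, which is what the following Python does. It is an added example, not the paper's script: it runs a handful of command-line patterns that ransomware families use to inhibit recovery over constructed process-creation events (the pipe-delimited line format, hostnames and users are invented for the example) and escalates when a host shows more than one such technique. The two-technique threshold is an assumption.

```python
import re

# Command lines ransomware commonly runs to destroy Volume Shadow Copies and
# other recovery aids before encrypting. Matched against a normalised command line.
SHADOW_KILL_PATTERNS = [
    (r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", "vssadmin delete shadows"),
    (r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", "vssadmin resize shadowstorage"),
    (r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", "wmic shadowcopy delete"),
    (r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", "bcdedit recoveryenabled no"),
    (r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", "wbadmin delete catalog"),
]

# Constructed process-creation events, one per line: time|host|user|parent|command line.
# The format, hosts and users are invented for this example; the command lines are the
# ones the patterns above are meant to catch, plus benign look-alikes (list / create /
# a backup agent pruning its oldest copy).
EVENTS = """\
2024-03-02T09:14:03Z|WS01|CORP\\alice|explorer.exe|"C:\\Windows\\System32\\vssadmin.exe" list shadows
2024-03-02T09:14:07Z|WS01|CORP\\alice|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-03-02T09:14:08Z|WS01|CORP\\alice|cmd.exe|wmic.exe shadowcopy delete
2024-03-02T09:14:09Z|WS01|CORP\\alice|cmd.exe|bcdedit /set {default} recoveryenabled No
2024-03-02T09:14:10Z|WS01|CORP\\alice|cmd.exe|wbadmin DELETE CATALOG -quiet
2024-03-02T11:30:00Z|SRV02|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\System32\\vssadmin.exe create shadow /for=C:
2024-03-02T11:30:05Z|SRV02|CORP\\backupsvc|backupagent.exe|"vssadmin" Delete Shadows /For=D: /Oldest
"""


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace so quoting and casing tricks
    do not slip past the patterns."""
    return " ".join(re.sub(r'["\']', "", cmdline).split()).lower()


def parse_events(text):
    for line in text.splitlines():
        if line.strip():
            ts, host, user, parent, cmd = line.split("|", 4)
            yield {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmd}


def classify(cmdline):
    """Names of every inhibit-recovery technique the command line matches."""
    cmd = normalise(cmdline)
    return [name for pattern, name in SHADOW_KILL_PATTERNS if re.search(pattern, cmd)]


def detect(text):
    findings = []
    for event in parse_events(text):
        for technique in classify(event["cmdline"]):
            findings.append({**event, "technique": technique})
    return findings


def hosts_to_isolate(findings, min_techniques=2):
    """Escalate when a host shows more than one technique: a backup agent pruning
    old shadows trips one pattern, a ransomware run usually trips several."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, techniques in per_host.items() if len(techniques) >= min_techniques)


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f["ts"], f["host"], f["parent"], "->", f["technique"])
    print("isolate:", hosts_to_isolate(found))
```

The single `vssadmin Delete Shadows /Oldest` from the backup agent on SRV02 is still reported, so an analyst can review it, but only WS01, where four different techniques fire within seconds, crosses the isolation threshold. On a host hardened the way the paper suggests (the tool renamed), the same commands would fail, and these events are then the evidence that the hardening was exercised.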

2.5 Strategies for Ransomware Removal and Prevention (2018)


This paper was presented by Smruti Saxena and Hemant Kumar Soni, Department of
Computer Science and Engineering, Amity School of Engineering and Technology, Amity
University Madhya Pradesh, Gwalior, at the 4th International Conference on Advances in
Electrical, Electronics, Information, Communication and Bio-Informatics (AEEICB-18).
The paper surveys the various ransomware attacks, discusses the analysis of ransomware
and the suggested actions against an attack, and covers ransomware removal and
prevention methodology. The approach has limited efficacy: it cannot trace modified
ransomware that carries a new pattern, hence an active rather than a passive prevention
method is required.

2.6 Detection and Prevention of Crypto-Ransomware (2017)


This paper was presented by Daniel Gonzalez and Thaier Hayajneh, Fordham Center for
Cybersecurity, Fordham University, New York, NY, USA, IEEE 2017.
The paper discusses the infection methods of ransomware, the technology behind it and
what can be done to avoid becoming the next victim. It investigates the most common
types of crypto-ransomware, the various payload delivery and infection methods, and the
typical behaviour of crypto ransomware. It does not give any specific technique for
prevention or recovery, and it does not use a specific dataset or method; it reviews
existing methods without suggesting new changes.
2.7 Ransomware detection using process mining and classification algorithms
(2019)
This paper was presented by Ala Bahrani and Amir Jalaly Bidgly, Department of Computer
Engineering and IT, University of Qom, Iran, at the 16th International ISC Conference on
Information Security and Cryptology (ISCISC).
The proposed method uses process mining to discover a process model from the event
logs, extracts features from that process model, and feeds those features to
classification algorithms to classify ransomware. The paper shows that classification
algorithms combined with process mining are suitable for identifying ransomware, and it
concludes that J48 and random forest give the best accuracy as the classifier in the
proposed method. The method can be extended to identify other malware and to other
operating systems such as Android and iOS.

2.8 An Intelligent Behavior-Based Ransomware Detection System for Android Platform (2019)


This paper was presented by Abdulrahman Alzahrani, Hani Alshahrani, Ali Alshehri and
Huirong Fu, Department of Computer Science and Engineering, Oakland University,
Rochester, Michigan 48309, at the 2019 First IEEE International Conference on Trust,
Privacy and Security in Intelligent Systems and Applications (TPS-ISA).
The paper introduces RanDetector, a new automated and lightweight system for detecting
ransomware applications on the Android platform based on their behaviour. In particular,
the detection system looks for information related to ransomware operations in an
inspected application before applying supervised machine learning models to classify
the application.
2.9 Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA
Rules (2019)
This paper was presented by Nitin Naik and Paul Jenkins (Defence School of
Communications and Information Systems, U.K.), Nick Savage (School of Computing,
University of Portsmouth, U.K.) and Longzhi Yang (Department of Computer and
Information Sciences, Northumbria University, U.K.) at IEEE Cyberthreat Hunting.
The paper presents an evaluation of fuzzy hashing, import hashing and YARA rules for
triaging the four most pertinent ransomware categories: WannaCry, Locky, Cerber and
CryptoWall. It evaluates their triaging performance and run-time system performance,
highlighting the limitations of each method.
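Two of the three triage methods are small enough to show in full. The Python below is an added example, not the authors' tooling: it implements a simplified context-triggered piecewise hash (a fixed block size and a window checksum instead of ssdeep's adaptive block size and rolling hash, so it is a teaching version, not ssdeep), an import hash in the form Mandiant defined (lower-cased `dll.function` pairs, comma-joined, MD5), and a triage function that combines them. The "binaries" are seeded pseudo-random byte strings constructed here, and the family names and import lists are invented. YARA rules are not shown.

```python
import hashlib
import random
import zlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BLOCK_SIZE = 16  # chunk trigger modulus; real ssdeep derives it from the input length


def fuzzy_hash(data, block_size=BLOCK_SIZE, window=7):
    """Context-triggered piecewise hash. A checksum over a sliding 7-byte window
    decides where each chunk ends, so an insertion only disturbs the chunk it lands
    in and the signature re-synchronises afterwards. Each chunk becomes one character."""
    chars, start = [], 0
    for i in range(len(data)):
        win = data[max(0, i - window + 1): i + 1]
        if sum(win) % block_size == block_size - 1 or i == len(data) - 1:
            chars.append(ALPHABET[zlib.crc32(data[start:i + 1]) % 64])
            start = i + 1
    return f"{block_size}:{''.join(chars)}"


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_compare(h1, h2):
    """0..100 similarity; signatures with different block sizes are not comparable."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2 or not s1 or not s2:
        return 0
    return round(100 * (1 - levenshtein(s1, s2) / max(len(s1), len(s2))))


def imphash(imports):
    """Import hash as Mandiant defined it: 'dll.function' pairs in import order,
    lower-cased with the dll extension dropped, comma-joined and MD5'd.
    Ordinal imports (rendered as 'ordN' in the real scheme) are not handled here."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(sample_fuzzy, sample_imphash, known, threshold=50):
    """Pick the known family with the best fuzzy score (if above threshold) and report
    exact import-hash matches separately: packing often wrecks the fuzzy score but
    leaves the unpacker stub's import table constant across a family."""
    best = max(known, key=lambda k: fuzzy_compare(sample_fuzzy, k["fuzzy"]))
    score = fuzzy_compare(sample_fuzzy, best["fuzzy"])
    return {
        "fuzzy_family": best["family"] if score >= threshold else None,
        "fuzzy_score": score,
        "imphash_families": [k["family"] for k in known if k["imphash"] == sample_imphash],
    }


def _constructed_binary(seed, length=600):
    """Stand-in for a PE file body: pseudo-random bytes from a fixed seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


BASE = _constructed_binary(1)
VARIANT = BASE[:300] + b"\x90\x90\xeb\x05" + BASE[300:]  # same family, small patch
UNRELATED = _constructed_binary(2)
LOCKER_IMPORTS = [("KERNEL32.dll", "FindFirstFileW"), ("KERNEL32.dll", "FindNextFileW"),
                  ("ADVAPI32.dll", "CryptEncrypt")]
OTHER_IMPORTS = [("USER32.dll", "MessageBoxW"), ("KERNEL32.dll", "ExitProcess")]
KNOWN = [
    {"family": "FamilyA", "fuzzy": fuzzy_hash(BASE), "imphash": imphash(LOCKER_IMPORTS)},
    {"family": "FamilyB", "fuzzy": fuzzy_hash(UNRELATED), "imphash": imphash(OTHER_IMPORTS)},
]

if __name__ == "__main__":
    print(triage(fuzzy_hash(VARIANT), imphash(LOCKER_IMPORTS), KNOWN))
```

A four-byte patch in the middle of the file changes only the chunk it lands in, so the variant still scores high against its family while the unrelated file scores near zero; that locality is the whole reason fuzzy hashing works for triage where a cryptographic hash does not. The limitation the paper highlights is visible in the same code: anything that rewrites the whole byte stream (a packer, a polymorphic layer) produces a signature with nothing in common, and only the import hash or a YARA rule on the unpacked code remains.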

2.10 Tracking Ransomware Threat Actors using Fuzzy Hashing and Fuzzy C-
Means Clustering (2019)
This paper was presented by Nitin Naik and Paul Jenkins (Defence School of
Communications and Information Systems, U.K.), Nick Savage (School of Computing,
University of Portsmouth, U.K.) and Longzhi Yang (Department of Computer and
Information Sciences, Northumbria University, U.K.) at IEEE Cyberthreat Hunting.
The paper proposes an efficient fuzzy analysis approach to cluster ransomware samples
based on the combination of two fuzzy techniques: fuzzy hashing and fuzzy c-means (FCM)
clustering. The performance of the proposed fuzzy method is compared against k-means
clustering, and the two fuzzy hashing methods SSDEEP and SDHASH are evaluated on their
FCM clustering results to understand how the similarity score affects the clustering
results.
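The clustering half of the method, and the effect of weak similarity scores on it, can be shown with a small fuzzy c-means implementation. The Python below is an added example, not the authors' code: each sample is described by its fuzzy-hash similarity scores against three reference samples (the score matrices are constructed here, not the paper's data), FCM assigns every sample a membership degree in each cluster, and Bezdek's partition coefficient summarises how crisp the result is. The second matrix holds only trivial scores in the 1 to 10 range, mimicking the SDHASH behaviour the paper reports, so the drop in cluster quality is visible; centroid seeding by farthest-first is an assumption made so the run is deterministic.

```python
from math import sqrt

# Constructed feature matrices: each row is one sample, each column its fuzzy-hash
# similarity score (0..100) to a reference sample of family A, B and C respectively.
# Ground truth is A, A, B, B, C, C in both sets. Not the paper's data.
GOOD = [[94, 3, 0], [88, 0, 5], [2, 91, 4], [0, 85, 7], [5, 2, 90], [3, 6, 96]]
TRIVIAL = [[6, 3, 2], [4, 5, 1], [2, 7, 3], [1, 5, 4], [5, 2, 7], [3, 6, 8]]


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def farthest_first(points, c):
    """Deterministic seeding: start at the first sample, then repeatedly take the
    sample farthest from every centroid chosen so far."""
    centroids = [points[0]]
    while len(centroids) < c:
        centroids.append(max(points, key=lambda p: min(euclid(p, q) for q in centroids)))
    return [list(p) for p in centroids]


def fcm(points, c, m=2.0, iters=200, tol=1e-7):
    """Fuzzy c-means (Bezdek). Alternates membership updates
    u_ij = 1 / sum_k (d_ij / d_kj)^(2/(m-1)) with fuzzy-weighted centroid updates
    until memberships stop changing. Returns (centroids, membership matrix)."""
    centroids = farthest_first(points, c)
    n, dim = len(points), len(points[0])
    U = [[0.0] * c for _ in range(n)]
    for _ in range(iters):
        new_U = []
        for p in points:
            d = [max(euclid(p, ctr), 1e-12) for ctr in centroids]
            new_U.append([1.0 / sum((d[j] / d[k]) ** (2.0 / (m - 1.0)) for k in range(c))
                          for j in range(c)])
        delta = max(abs(new_U[i][j] - U[i][j]) for i in range(n) for j in range(c))
        U = new_U
        centroids = []
        for j in range(c):
            w = [U[i][j] ** m for i in range(n)]
            total = sum(w)
            centroids.append([sum(w[i] * points[i][k] for i in range(n)) / total
                              for k in range(dim)])
        if delta < tol:
            break
    return centroids, U


def partition_coefficient(U):
    """Bezdek's validity index: 1 for a crisp partition, 1/c when every sample is
    spread evenly over all clusters."""
    return sum(u * u for row in U for u in row) / len(U)


def hard_labels(U):
    """Defuzzify by taking the cluster with the highest membership."""
    return [row.index(max(row)) for row in U]


if __name__ == "__main__":
    for name, data in (("ssdeep-like", GOOD), ("trivial (sdhash-like)", TRIVIAL)):
        _, U = fcm(data, 3)
        print(name, hard_labels(U), round(partition_coefficient(U), 3))
```

With well-separated scores the memberships are close to 0 or 1 and the partition coefficient approaches 1; with scores that sit between 1 and 10 for every reference, the distances between a sample and the three centroids are all of the same order, the memberships flatten out and the coefficient falls. That is the mechanism behind the paper's finding that SDHASH's insignificant similarity scores degraded the clustering metrics.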
Summary table (Publication/year, Title, Author, Overview, Challenges)

Publication/year: International Conference on Advanced Communication Control and Computing Technologies (ICACCCT), IEEE 2016
Title: Malware Detection Based On Opcode Frequency
Author: Abhijit Yewale & Maninder Singh, Computer Science and Engineering Department, Thapar University
Overview: They proposed a new method to detect malware based on the frequency of opcodes in the portable executable file. A machine learning algorithm is applied and evaluated on false positives, false negatives, true positives and true negatives. Success rate is 96.67%.
Challenges: A signature-based antivirus system is not useful for unknown malware detection and faces difficulties because of polymorphic viruses and zero-day attacks. Signature-based methods along with a machine learning algorithm should be developed for unknown malware. They classified portable executable (PE) files into two categories only, goodware and malware; they should classify further into Trojan, spyware, backdoor, etc.

Publication/year: Cybersecurity and Cyberforensics Conference, IEEE 2016
Title: Detecting Ransomware with Honeypot techniques
Author: Chris Moore, Computing and Media Services, University of St Mark & St John, Plymouth, England
Overview: They researched techniques to implement a honeypot to detect ransomware activity and selected two options, the File Screening service of the Microsoft File Server Resource Manager feature and EventSentry to process the Windows Security logs. The research developed a staged response to attacks on the system, with thresholds at which each stage is triggered. The research ascertained that witness tripwire files offer limited value as there is no way to influence the malware to access the area containing the monitored files.
Challenges: While it is possible to deploy honeypot-type fake folders with tripwire files for ransomware to interact with, the nature of the decoy folders is that there is no guarantee the malware would attempt to invade these areas, thereby bypassing this defence. This limited view of a system is a disadvantage of honeypots, as a honeypot free from attack alerts is not an indicator that other areas are not being targeted.

Publication/year: 2016 2nd IEEE International Conference on Computer and Communications
Title: A Novel Method for Recovery from Crypto Ransomware Infections
Author: Mattias Wecksten, Jan Frick, Andreas Sjostrom, Eric Jarpe, Halmstad University, Sweden
Overview: Addresses crypto ransomware not only for prevention but also focuses on how to recreate the files. By renaming the system tool that handles shadow copies it is possible to recover from infections by all four of the most common crypto ransomwares. The solution is packaged in a single, easy-to-use script.
Challenges: The results show that with proper preventive measures the files encrypted with one of the four most commonly available crypto ransomwares can easily and automatically be restored to the state before the encryption occurred. The solution presented in this paper should be implemented alongside other recommended techniques, such as an updated antivirus, a properly configured firewall, an updated operating system and software, and a proper backup scheme.

Publication/year: IEEE 2018
Title: Ransomware detection by mining API call usage
Author: Shina Sheen, Ashwitha Yadav, Department of Applied Mathematics and Computational Sciences, PSG College of Technology, Coimbatore, India
Overview: Application Programming Interface (API) calls are extracted from the executables and the most discriminating API calls are used to train a classifier to detect unknown ransomware. Random forest with SMOTE for class imbalance gave a detection rate of over 98%. A large number of ransomware samples were analysed and the discriminating API calls identified.
Challenges: The number of ransomware samples from VirusShare was very large, so the benign files became a minority class, which leads to a class imbalance problem. Features extracted through dynamic analysis are also to be considered.

Publication/year: 4th International Conference on Advances in Electrical, Electronics, Information, Communication and Bio-Informatics (AEEICB-18)
Title: Strategies for Ransomware Removal and Prevention
Author: Smruti Saxena, Hemant Kumar Soni, Department of Computer Science and Engineering, Amity School of Engineering and Technology, Amity University Madhya Pradesh, Gwalior
Overview: This paper explores the various ransomware attacks, discusses the analysis of ransomware and the suggested actions against a ransomware attack, and covers ransomware removal and prevention methodology.
Challenges: Users can avoid ransomware infections by updating the vaccination (antivirus) system from time to time. However, this method has limited efficacy: the approach cannot trace modified ransomware with a new pattern. Hence an active instead of a passive prevention method is required.

Publication/year: IEEE 2017
Title: Detection and Prevention of Crypto-Ransomware
Author: Daniel Gonzalez, Thaier Hayajneh, Fordham Center for Cybersecurity, Fordham University, New York, NY, USA
Overview: Discusses ransomware methods of infection, the technology behind it and what can be done to help prevent becoming the next victim. The paper investigates the most common types of crypto-ransomware, the various payload methods of infection and the typical behaviour of crypto ransomware.
Challenges: They do not give any specific technique for prevention or recovery. They have not used any specific dataset or method but reviewed already existing methods without suggesting new changes.

Publication/year: 16th International ISC Conference on Information Security and Cryptology (ISCISC 2019)
Title: Ransomware detection using process mining and classification algorithms
Author: Ala Bahrani, Amir Jalaly Bidgly, Department of Computer Engineering and IT, University of Qom, Iran
Overview: The proposed method uses process mining to discover the process model from the event logs, then extracts features from this process model and uses these features with classification algorithms to classify ransomware. The paper shows that the use of classification algorithms along with process mining is suitable for identifying ransomware.
Challenges: It concludes that J48 and random forest have the best accuracy as the classifier in the proposed method. Process mining with classification algorithms could be useful for identifying other ransomware, and the method can be extended to identify other malware and to other operating systems such as Android and iOS.

Publication/year: 2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)
Title: An Intelligent Behavior-Based Ransomware Detection System for Android Platform
Author: Abdulrahman Alzahrani, Hani Alshahrani, Ali Alshehri and Huirong Fu, Department of Computer Science and Engineering, Oakland University, Rochester, Michigan 48309
Overview: Introduces RanDetector, a new automated and lightweight system for detecting ransomware applications on the Android platform based on their behaviour. The detection system looks for information related to ransomware operations in an inspected application before applying supervised machine learning models to classify the application.
Challenges: To increase RanDetector's precision, different types of information should be added to the dataset to increase the number of features by considering dynamic analysis. Other supervised classification machine learning algorithms should also be considered to reach the optimal precision and accuracy.

Publication/year: IEEE 2019 Cyberthreat Hunting - Part 1
Title: Triaging Ransomware using Fuzzy Hashing, Import Hashing and YARA Rules
Author: Nitin Naik & Paul Jenkins, Defence School of Communications and Information Systems, U.K.; Nick Savage, School of Computing, University of Portsmouth, U.K.; Longzhi Yang, Department of Computer and Information Sciences, Northumbria University, U.K.
Overview: Presents an evaluation of fuzzy hashing, import hashing and YARA rules for triaging the four most pertinent ransomware categories: WannaCry, Locky, Cerber and CryptoWall.
Challenges: It evaluates their triaging performance and run-time system performance, highlighting the limitations of each method.

Publication/year: IEEE 2019 Cyberthreat Hunting - Part 2
Title: Tracking Ransomware Threat Actors using Fuzzy Hashing and Fuzzy C-Means Clustering
Author: Nitin Naik & Paul Jenkins, Defence School of Communications and Information Systems, U.K.; Nick Savage, School of Computing, University of Portsmouth, U.K.; Longzhi Yang, Department of Computer and Information Sciences, Northumbria University, U.K.
Overview: Proposes an efficient fuzzy analysis approach to cluster ransomware samples based on the combination of two fuzzy techniques, fuzzy hashing and fuzzy c-means (FCM) clustering. The performance of the proposed fuzzy method is compared against k-means clustering, and the two fuzzy hashing methods SSDEEP and SDHASH are evaluated on their FCM clustering results to understand how the similarity score affects the clustering results.
Challenges: The evaluation found some of the lowest values of the performance metrics for the SDHASH method, which indicated poor data quality (i.e. insignificant similarity scores). This was verified through manual analysis of the SDHASH results: several SDHASH similarity scores are trivial, in the range of 1 to 10%, which could have affected the evaluation metrics and the quality of clustering.
