Review, Open Access

14 August 2024

Earlier Decision on Detection of Ransomware Identification: A Comprehensive Systematic Literature Review

Department of Computer Networks and Communications, College of Computer Sciences and Information Technology, King Faisal University, Al-Ahsa 31982, Saudi Arabia
This article belongs to the Special Issue Cybersecurity, Cybercrimes, and Smart Emerging Technologies

Abstract

Cybersecurity is normally defined as protecting systems against all kinds of cyberattacks; however, due to the rapid and permanent expansion of technology and digital transformation, the threats are also increasing. One of those new threats is ransomware, a form of malware that aims to extort money from users. Ransomware encrypts a victim’s files; the attacker then demands a ransom from the victim to restore access to the data. In other words, the victim’s files are encrypted and the decryption key is held by the attacker until the ransom amount is paid by the victim. This systematic literature review (SLR) highlights recent papers published between 2020 and 2024. This paper examines existing research on early ransomware detection methods, focusing on the signs, frameworks, and techniques used to identify and detect ransomware before it causes harm. By analyzing a wide range of academic papers, industry reports, and case studies, this review categorizes and assesses the effectiveness of different detection methods, including those based on signatures, behavior patterns, and machine learning (ML). It also looks at new trends and innovative strategies in ransomware detection, offering a classification of detection techniques and pointing out the gaps in current research. The findings provide useful insights for cybersecurity professionals and researchers, helping guide future efforts to develop strong and proactive ransomware detection systems. This review emphasizes the need for ongoing improvements in detection technologies to keep up with the constantly changing ransomware threat landscape.

1. Introduction

Cybercriminals from all over the world are making money by using ransomware. Ransomware attacks have been increasing since the Internet was created in 1989. The first attack was executed through floppy disks and asked for USD 189 to be sent to a post office in Panama. The attacker was from Ohio and was quickly caught by the FBI because the attack method was simple and there were fewer people using the Internet at that time [1].
Even if victims pay the ransom, they are sometimes still unable to retrieve their data. This could be because the attacker did not keep their promise or because the victim accidentally deleted the decryption key file [2]. In recent years, many ransomware attacks have caused big losses worldwide because they are easy to carry out and cybercriminals can make a lot of money if they succeed [3].
Cybercriminals like ransomware for a few reasons. First, the Internet is widely used around the world, which makes it easier for cybercriminals to attack across borders. For example, someone in Asia can easily target a company in America [2]. Because of the distance and different laws in each country, it is harder for police to detect them. Second, the use of cryptocurrencies like Bitcoin makes it harder for regulators to track down the owner of the money [2]. This means hacking groups have a reliable way to obtain their ransom money.
In the digital age, ransomware attacks have become a serious concern. Numerous people, companies, and governments suffer from them. These attacks occur when malicious software locks up computers or files and demands payment to be unlocked. There are millions of cases reported globally each year, and they occur frequently. For example, in 2021, there was a huge increase in ransomware attacks of over 150 percent, affecting many different sectors like healthcare, finance, and government [4]. Recently, there has been a big increase in ransomware attacks. These attacks are happening more often and are becoming more clever, impacting a wide range of organizations worldwide including governments, corporations, and common people. It is really important to catch these attacks early. Much of the harm they inflict can be stopped if we find them in time. This means organizations might not lose as much data or money and they can keep their operations running smoothly. Catching the attacks early also helps to stop them from spreading through the whole network. This is very important for keeping important information safe, especially in areas like healthcare and finance where trust is a priority.
Detecting ransomware attacks early is crucial to prevent them from causing too much damage. If we detect them early, we can prevent them from locking up more files and spreading to other computers [2,3,4]. This helps to reduce the money and time lost by people and businesses. It is also crucial for protecting important systems like energy, transportation, and communication networks. However, detecting ransomware attacks is difficult as cybercriminals keep changing their methods to avoid detection. They use tricky techniques like changing their malware to look different or taking advantage of new weaknesses and vulnerabilities in systems [3]. Additionally, it can be difficult to distinguish between ransomware activities and legitimate software behaviors, especially in big networks where a lot of abnormal activities happen most of the time. Table 1 [5] lists major ransomware attacks from 2020 to 2023, giving for each incident key details such as the targeted organization, the date of the attack, the ransomware used, and the impact of the attack.
Table 1. Major ransomware attacks from 2020 to 2023.
Early detection of ransomware is crucial in minimizing the damage caused by these attacks. By identifying ransomware threats early, organizations can reduce the potential data loss and operational disruptions. Early detection allows for swift and effective response measures, such as isolating affected systems and initiating recovery protocols before the ransomware can spread further. This proactive approach is essential in limiting the financial and operational impact, preserving data integrity, and maintaining business continuity. Additionally, early detection enhances the organization’s ability to respond effectively, mitigating the overall risk associated with ransomware attacks.
Ransomware attacks pose significant recovery challenges for affected organizations. The primary difficulty lies in data recovery post-attack, which is often complex and time-consuming. Organizations must restore encrypted or corrupted data, which can be particularly challenging if backups are insufficient or compromised. The financial burden associated with recovery efforts is substantial, encompassing costs related to downtime, lost productivity, and potential ransom payments. Furthermore, the impact on business continuity can be severe, as operations may be disrupted for extended periods, leading to potential loss of revenue and damage to the organization’s reputation.
Table 2 [6] below provides a comprehensive overview of ransomware statistics and insights as of 2024. It highlights the global impact of ransomware attacks and the financial and operational challenges associated. The data include trends over recent years, common entry points for ransomware, and the geographic distribution of attacks, offering a detailed snapshot of the ransomware threat landscape.
Table 2. Comprehensive ransomware statistics and insights (2024).
The contributions of this paper can be summarized in four key points, as follows:
  • Provides a detailed overview of how ransomware has developed over time, focusing on its mechanisms, types, and the vectors used for attacks.
  • Conducts a comprehensive review of the current approaches in ransomware detection and emphasizes the techniques and methods used at various stages of detection.
  • Highlights how ML is being employed to improve ransomware detection.
  • Identifies the gaps in current research and suggests potential areas for future investigations to enhance the cybersecurity field’s defense against ransomware attacks.
The current literature and practices in ransomware detection are not always efficient. Traditional signature-based detection methods often fail to detect new types of ransomware. Additionally, heuristic and behavior-based approaches have high false-positive rates and can miss the activities that indicate ransomware, leaving systems vulnerable to attack. Therefore, new and effective detection strategies are needed that can reliably distinguish ransomware behaviors from legitimate network activities. This will help keep individuals, businesses, and important systems safe from ransomware attacks. This paper is about understanding these challenges and looking for solutions that can help defenders stay a step ahead of evolving ransomware attacks.
In our study, we have a few main goals. We examine a large body of research and articles about ransomware, focusing on two things: how to detect ransomware quickly and how to identify what kind of ransomware it is. Our main goal is to emphasize the need for ongoing improvements in detection technologies to keep up with the constantly changing ransomware threat landscape. We check whether any new ideas or tools seem promising. We also look for gaps or limitations in the research carried out so far; there may be areas that have not been explored much, or ways of detecting ransomware that could be improved. By the end of our review, we hope to have a clearer picture of what works best for detecting ransomware quickly and effectively.
This paper delves into the topic of ransomware and aims to provide a thorough understanding and analysis of this significant cybersecurity threat. The paper begins with Section 2, where we explain how we chose the studies and articles that we reviewed with the details of the methods we used to search for relevant literature. Section 3 delves into the background of ransomware, reviewing its types, attack vectors, encryption methods, and detection challenges, and exploring the role of AI in combating such threats. It also addresses preventive measures, legal considerations, and future trends. The discussion in Section 4 focuses on indicators of ransomware incidents, attack frameworks, behavior patterns, and the efficacy of current detection techniques, emerging trends and avoidance strategies. Real-world ransomware incidents are discussed in Section 5, which gives practical insights into the impact of these attacks. Section 6 reviews related studies, providing a critical analysis of the existing literature and identifying research gaps. Open challenges and limitations in ransomware detection and prevention are explored in Section 7. Future directions for research and development are proposed in Section 8. The paper concludes in Section 9, which underscores the importance of enhanced detection capabilities and summarizes the findings of this paper.

2. Papers Selection for Literature Review

2.1. Methodology

The methodology used in this research is a systematic literature review (SLR). An SLR presents the information in a clear and organized way, helps identify the limitations and research gaps in current studies, and helps determine future research directions. Furthermore, the PRISMA flow diagram was used to summarize the steps the researchers followed during the paper selection process. Identification, screening, and inclusion are the main phases of the PRISMA flow diagram. The research targeted studies published between 2020 and 2024. In the identification phase, duplicated and ineligible records were removed, as were records filtered out by publication year and source type (journal, book, or conference). In the screening phase, additional records were excluded for other reasons, such as relevance to the research topic or the length of the paper. Finally, the inclusion phase contains only the papers that were included in the research.

2.2. Search String

The following search string was used to optimize the quality of the search results: (“Detection”) AND (“Ransomware” OR “ransomware identification” OR “identify Ransomware”). It consists of Boolean operators like “AND” and “OR” between the key words. These operators will greatly help in broadening, narrowing, and adjusting the search string.

2.3. Data Sources

The search string was applied in two databases, which are Google Scholar and Saudi Digital Library.

2.4. Screening Process

In the first stage, we filtered the papers based on their titles by searching the database using the search string, looking at whether the title related to our topic or not. If there were difficulties in evaluating the paper’s topic, we added an extra screening stage, which involved reading the abstract of that paper. Figure 1 shows the PRISMA flow diagram, which presents the selection process of the papers.
Figure 1. Paper selection for literature review using PRISMA [7,8].

3. Background

3.1. Overview of Ransomware Attacks

In recent years, ransomware has spread quickly, affecting individuals, organizations, and governments. Ransomware is malicious software that aims to prevent access to victims’ data or computer devices by encrypting their files and then asking them to pay a ransom to access or decrypt them, which is paid using cryptocurrency to avoid tracking them [9]. Figure 2 presents the total values received by ransomware attackers in the last 5 years.
Figure 2. Total values received by ransomware attackers in the last 5 years [10].
The ransomware process consists of five stages, which are infection, downloading malicious files, encryption, demanding payment, and decryption. The infection happens through phishing emails, attachments with malicious code, or malicious websites. Once it gains access to the victim’s device, it quickly searches for valuable files to encrypt. The attackers use robust encryption algorithms to make the victim’s files inaccessible and unreadable. Thus, the victims are forced to pay the ransom to gain access to their files by using the decryption key from the attacker after payment [9]. Figure 3 shows how the ransomware works.
Figure 3. How the ransomware attacks work [11].
Ransomware can significantly impact individuals, organizations, and governments around the world. On the individual side, there are risks related to the theft of personal data, such as usernames, passwords, ID numbers, or financial data such as banking information. On the organization side, there are risks related to severe disruptions in operations, resulting in stopping work, huge financial losses, or even damage to the organization’s reputation. On the government side, there are critical risks that some vital services will stop working, such as healthcare systems, transportation services, and some financial systems, which may affect the general interest of citizens. Also, efforts to recover and repair the loss of these data may be expensive. In many cases, paying the ransom is chosen by the victims to reduce the risk of losing such data [9]. Early detection plays a significant role in combating ransomware attacks and reducing their impacts. Attackers may target organizations of different types and sizes, including government agencies, educational institutions, and health institutions. Recent statistics show that the expected global cost of ransomware may reach USD 265 billion by 2031 [12].

3.2. Types of Ransomware

Ransomware attacks come in different forms, each with its own way of disrupting the victim’s access to their data, as shown in Figure 4. Below, we explain the main types based on their methods [3,13,14,15,16]:
Figure 4. Types of ransomware attacks.
Ransomware classification based on malware characteristics:
  • Encrypting Ransomware: This type is the most common and involves encrypting the victim’s files with a strong encryption algorithm, making them inaccessible without a decryption key. Notable examples include Cryptowall, WannaCry, and Cryptolocker. The victim can see the files but cannot open them unless they pay the ransom to obtain the decryption key.
  • Non-Encrypting Ransomware: Also known as locker ransomware, this type locks the victim out of the entire device, not just specific files. The data remain unharmed but inaccessible. To regain access, the victim must pay a ransom. Examples include CTB-Locker and Winlock.
  • Scareware: Also known as fake antivirus, scareware tries to convince the victim that their device is infected by showing a false warning and then asking for payment to access the full version of the software to remove or mitigate the risk. Scareware typically uses social engineering methods rather than encrypting the files or devices to scare the victims and then force them to pay.
Ransomware classification based on platforms:
  • PC/Workstation ransomware: This type targets personal computers and workstations, exploiting vulnerabilities in Windows, macOS, or Linux systems. Examples include the infamous WannaCry attack, which specifically targeted Windows systems using a network exploit.
  • Mobile ransomware: Targeting mobile devices, this type of ransomware affects smartphones and tablets, primarily through malicious apps or compromised websites. Android devices are more frequently targeted due to the ease of installing apps from third-party sources.
  • IoT ransomware: IoT devices, such as smart home gadgets and industrial sensors, are increasingly being targeted due to their poor security measures. Attacks on these devices can lead to significant disruptions, especially when they affect critical infrastructure.
Ransomware classification based on targets:
  • Individual users: This group is often the easiest target due to less stringent security practices. Attackers exploit this by using deceptive emails or malicious websites to initiate ransomware infections.
  • Enterprises: Businesses are targeted for their valuable data and deeper financial resources. Attacks may involve sophisticated strategies to infiltrate network defenses and encrypt critical business data.
  • Government and critical infrastructure: Attacks on government systems and critical infrastructure aim to cause significant disruption, often impacting national security, healthcare, and essential services.
  • Online Services: Cloud services and online platforms, such as social media and banking services, are also targeted, with attackers aiming to encrypt or steal large amounts of data to demand higher ransoms.

3.3. Ransomware Attack Vectors

Ransomware methods and types have varied, as attackers use different techniques to infect the victim’s device. Sufficient knowledge of the various attack vectors used by attackers may help individuals, organizations, and governments detect attacks early and take suitable preventive measures in time. Below are some attack vectors used by attackers:
Phishing emails: Phishing emails are the most common vector used by attackers. Fraudulent emails are sent to the victim that appear to be from a reliable and well-known source, such as some well-known organization or individual. These messages contain PDF attachments, images, voice mail, or malicious links. Once clicked, some malware is installed, which aims to search for valuable files and encrypt them. Therefore, users should be careful and verify the sender before opening the content of the message, and not open suspicious links that may appear to be from an unknown source [17].
Malicious advertisements: The attackers use fake advertisements to attract the victims by injecting malicious code into legitimate advertisements that will contribute to spreading ransomware very quickly. When the victims click on those ads, the ransomware will be activated and installed. Having up-to-date antivirus software will protect against different ransomware and mitigate its potential risk [16].
Social engineering: Attackers use various social engineering techniques, such as luring the victim into clicking on suspicious links, downloading malicious files, or updating fake software that appears to be legitimate. Victims may also receive emails or text messages stating the urgent need to do something by clicking on electronic links or attached files. Therefore, individuals, companies, and governments must have sufficient awareness of the different methods used by attackers [18].
Exploiting vulnerabilities: Attackers aim to spread ransomware by exploiting operating system, program, or network device vulnerabilities. They mostly target un-updated systems by exploiting vulnerabilities, installing ransomware, and then asking for a ransom to be paid. Regularly updating the operating system and software will prevent different types of attacks from occurring. Also, implementing robust countermeasures and applying best-practice scenarios for managing the vulnerabilities will mitigate the risk of ransomware [19].

3.4. Evolution of Ransomware

The evolution of ransomware attacks can be traced back to the late 1980s when the first known attack, the AIDS Trojan, was distributed via floppy disks and demanded a payment for a software lease [5]. Over the years, ransomware has become more sophisticated. In the early 2000s, attackers began using more advanced encryption techniques to lock files, making it nearly impossible for victims to regain access without the decryption key [20]. A significant shift occurred in the 2010s with the rise of cryptocurrency, which provided a secure and anonymous payment method, making ransomware attacks more appealing to criminals. High-profile attacks like WannaCry in 2017 highlighted the global threat of ransomware, prompting improvements in cybersecurity defenses. Today, ransomware attacks are increasingly targeted, aiming at businesses and governments for higher ransom demands and more significant disruption.
Below, Table 3 [5,14,20] summarizes the evolution of ransomware attacks over the years.
Table 3. Evolution of ransomware.
Ransomware attacks have transformed dramatically since their first appearance in 1989. Table 4 traces the progression of these malicious software attacks, highlighting key versions and their distinctive tactics. Each row illustrates the evolution from basic encryption demands to complex strategies involving data theft and high-profile targeting. This summary captures the ongoing challenge that ransomware poses to individuals and organizations, emphasizing the need for evolving security measures [5,13,14,16,20,21,22,23].
Table 4. Timeline of ransomware evolution.

3.5. Ransomware Encryption Techniques

Ransomware uses several methods to encrypt the victim’s files and make them inaccessible. Understanding these methods is important for detecting and responding to ransomware effectively. This section presents the encryption techniques used by ransomware, namely symmetric and asymmetric encryption algorithms.
  • Symmetric encryption: an encryption method that uses a single key for both the encryption and decryption processes [24]. Ransomware typically follows these phases in symmetric encryption:
    • Generate the key: A unique key is generated to be used in symmetric encryption.
    • Encrypt the files: The victim’s files are encrypted by ransomware using a single secret key. Ransomware targets the victim’s sensitive information and files, such as documents, photos, and videos.
    • Protect the key: To prevent the victim from recovering the key, ransomware encrypts it, and the encrypted key is kept on the attacker’s servers until payment is made.
    • Example algorithm: The Advanced Encryption Standard (AES) is a symmetric encryption algorithm. It is secure and cannot be cracked easily. The key length used in the AES algorithm to encrypt victims’ files is 128, 192, or 256 bits [25].
  • Asymmetric encryption: an encryption method that uses two different keys, known as the public key and the private key, for the encryption and decryption processes [24]. Ransomware typically follows these phases in asymmetric encryption:
    • Generate the keys: A pair of keys is generated to be used in asymmetric encryption.
    • Encrypt the files using the public key: The victim’s files are encrypted using the public key.
    • Protect the private key: The private key is stored on the attacker’s servers until payment is made by the victim.
    • Examples of asymmetric encryption algorithms:
      RSA encryption: RSA is one example of an asymmetric encryption algorithm. It uses two keys, a public key and a private key. The public key is used to encrypt the victim’s files, and the private key, which is needed for decryption, is stored remotely on the attacker’s servers [26].
      Elliptic Curve Cryptography (ECC): ECC is another example of an asymmetric encryption algorithm. ECC uses shorter keys than RSA for an equal or higher level of security. As with RSA, ECC uses two keys, public and private: one for encrypting the files and another for decrypting them [27].
Understanding ransomware encryption methods contributes to early detection, mitigation, analysis, and response to ransomware. Thus, knowing the attacker’s methods will help to develop effective countermeasures, including different detection algorithms and systems such as signature-based detection systems. In addition, backup, user education, and antivirus programs are important to protect the victim and mitigate the impact of ransomware.

3.6. Signs of a Ransomware Attack

Early detection of ransomware attacks is very important to reduce the impact of ransomware and to prevent data from being revealed or lost. This section explains different signs that may indicate that the device has been hacked by ransomware.
Unusual activity: Changes in file names that were not made by the victim or strange file extensions that cannot be recognized [28].
Prevent access to files: If the victim is prevented from accessing certain files, this may be a sign of a ransomware attack [29].
Ransom notes: If a device is compromised by ransomware, notes may be left for the victim, in the form of pop-up messages or text files, in which a ransom is demanded or the victim is threatened. Such notes are commonly named “README.txt” [30].
Slow system performance: A severe slowdown in the device’s performance that did not previously exist. This may also be an indication that a device has been hacked by malicious ransomware as a lot of malicious code is downloaded by the ransomware, which consumes a lot of system resources [31].
Sudden system restart: If the device is suddenly turned off or restarted without the user’s request, this may indicate a malfunction, or it may be an indication that the system has been infected by a ransomware attack [31].
Turning off anti-virus software: Ransomware disables anti-virus or other security systems so that it cannot be detected [31].
Suspicious connection patterns on the network: Ransomware may create suspicious or unknown connection patterns on the network, such as connecting to unknown IP addresses. Therefore, network traffic must be monitored to detect any unknown or suspicious connections [31].
If unusual or suspicious activity is observed on a device, this may be an indicator or evidence of the presence of malicious ransomware. To protect your information, you must isolate the infected device and then contact cybersecurity specialists to solve this problem.
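As an added example (not code from the paper), the following Python script checks a directory for the file-level signs listed above: renamed files with unrecognised extensions, ransom notes such as README.txt, and file contents whose byte entropy is close to that of the ciphertext produced by the symmetric and asymmetric encryption described in Section 3.5. The extension allow-list, the note names, the thresholds and the sample files are constructed assumptions, not values from the paper.

```python
"""Host-side triage for the ransomware signs listed in Section 3.6.

Added example, not code from the paper. A constructed sample directory is
built, then each file is checked for the signs the text describes: a
ransom note, a renamed file with an unknown extension, and content whose
byte entropy looks like ciphertext. All thresholds and lists are assumptions.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions this host normally produces (tune per environment).
KNOWN_EXTENSIONS = {".txt", ".docx", ".pdf", ".jpg", ".png", ".xlsx", ".csv"}
# Already-compressed formats are high-entropy when healthy, so the entropy
# check is skipped for them to avoid false positives.
COMPRESSED_FORMATS = {".jpg", ".png", ".pdf", ".docx", ".xlsx", ".zip"}
# README.txt is the note name given in the text; the second name is assumed.
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}
NOTE_KEYWORDS = (b"ransom", b"decrypt", b"bitcoin", b"payment")
ENTROPY_THRESHOLD = 7.5        # bits/byte; ciphertext sits close to 8.0
SUSPICIOUS_FILE_THRESHOLD = 2  # assumed: renamed+encrypted files before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_file(path: Path, data: bytes) -> list[str]:
    """Names of the section's signs that apply to a single file."""
    findings = []
    ext = path.suffix.lower()
    if path.name.lower() in NOTE_NAMES and any(k in data.lower() for k in NOTE_KEYWORDS):
        findings.append("ransom_note")
    if ext not in KNOWN_EXTENSIONS:
        findings.append("unknown_extension")   # renamed / strange extension
    if ext not in COMPRESSED_FORMATS and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append("high_entropy")        # content looks like ciphertext
    return findings


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Map each file (relative path) to its findings; clean files are omitted."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = classify_file(path, path.read_bytes())
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def triage(report: dict[str, list[str]]) -> str:
    """Host verdict: a ransom note, or enough renamed+encrypted files, is decisive."""
    if any("ransom_note" in f for f in report.values()):
        return "likely_ransomware"
    encrypted_renamed = sum(
        1 for f in report.values() if "unknown_extension" in f and "high_entropy" in f)
    if encrypted_renamed >= SUSPICIOUS_FILE_THRESHOLD:
        return "likely_ransomware"
    return "suspicious" if report else "no_indicators"


def build_sample_dir(infected: bool) -> Path:
    """Constructed sample host: normal files plus, if infected, the signs above."""
    root = Path(tempfile.mkdtemp(prefix="ransomware_demo_"))
    rng = random.Random(1)  # deterministic stand-in for ciphertext bytes
    (root / "report.txt").write_text("Quarterly sales report, draft 3\n" * 40)
    (root / "photo.jpg").write_bytes(rng.randbytes(4096))  # legit compressed image
    if infected:
        (root / "budget.xlsx.locked").write_bytes(rng.randbytes(4096))
        (root / "notes.txt.locked").write_bytes(rng.randbytes(4096))
        (root / "README.txt").write_text(
            "Your files are encrypted. Send 0.5 Bitcoin to recover them.\n")
    return root


if __name__ == "__main__":
    for infected in (False, True):
        findings = scan_directory(build_sample_dir(infected))
        print(f"infected={infected}: {triage(findings)} {findings}")
```

Already-compressed formats are excluded from the entropy check because they are legitimately high-entropy; in a real deployment the rename and entropy signals would be combined with the process-level behaviour (write rate, shadow-copy deletion) rather than used alone.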

3.7. Challenges in Early Detection of Ransomware

The evolving nature of ransomware attacks and the modern techniques used by attackers create many challenges that hinder early detection. This section reviews the most important challenges that may be faced in the early detection of various ransomware.
Polymorphic malware: Ransomware tends to change its form, techniques, and signatures with each iteration or attack, so it has become extremely difficult to detect using traditional methods, anti-virus programs, and other security systems [14].
Evasion techniques: Recently, attackers have adopted evasion techniques to bypass security controls and dynamic analysis systems. These techniques use encryption to hide malicious payloads and obfuscation to bypass early detection, making analysis more difficult [32].
Increasing complexity: Attackers increase the complexity of their attacks by constantly developing their skills, techniques, methods, and strategies to bypass detection programs and various security systems. Therefore, users must have the latest versions of anti-virus software to detect zero-day attacks, and experts must develop their skills and techniques to keep pace with this development [33].
Encrypted traffic: The use of encrypted communication channels by attackers to secure their communications is one of the most important challenges hindering early detection. Monitoring encrypted traffic by security experts to distinguish between legitimate and malicious traffic is an extremely difficult task because it requires a lot of time, effort, and computational resources. Moreover, it requires advanced technologies such as analyzing traffic patterns, using ML algorithms to identify legitimate and suspicious activities according to specific criteria, and monitoring the behavior of the network [34].

3.8. The Role of Artificial Intelligence to Improve Ransomware Detection

Artificial intelligence (AI) technologies have revolutionized and helped develop many fields—most notably, cybersecurity—as they have been able to improve and develop methods for early detection and prediction of ransomware attacks. AI offers three main approaches to detecting ransomware: ML, deep learning (DL), and artificial neural networks. Some models use one of them and others use a hybrid of them to detect ransomware effectively. AI techniques use static and dynamic analysis, along with ransomware behavioral analysis, to better detect ransomware and prevent its attacks; large databases are used, and appropriate decisions are made based on the analysis of this huge amount of data. Algorithms in ML learn from past attacks and perform analysis to detect new attacks with the same patterns or behaviors. On the other hand, DL analyzes a huge amount of data with the help of neural networks to identify ransomware attacks. All these methods are efficient and reliable in detecting and preventing ransomware attacks [20]. Figure 5 represents how AI can improve ransomware detection and illustrates the relationships and roles of AI, ML, neural networks, and DL in the context of ransomware detection. AI, being the broadest field, encompasses various techniques, including static and dynamic analysis, and behavioral analysis, to enhance ransomware detection and prevention. Within AI, ML focuses on creating intelligent machines capable of learning from data, utilizing both supervised and unsupervised learning methods; these algorithms analyze past attack patterns to identify new threats. Neural networks, forming a subset of ML, further specialize in pattern recognition tasks. DL, a subset of ML methods, leverages artificial neural networks, such as CNNs and RNNs, to process vast amounts of data. DL is particularly effective in identifying ransomware attacks by analyzing large datasets with the aid of neural networks.
Each layer in the diagram highlights the role these technologies play in the detection and mitigation of ransomware, emphasizing their interconnected nature and hierarchical structure within the broader field of AI.
Figure 5. Artificial intelligence techniques [35].
  • Machine learning: ML models improve ransomware detection by relying on extracted features or behavior patterns. The approach collects a large dataset containing both malicious and benign samples and then trains an ML model to classify a new sample as benign or malicious based on the features extracted from that dataset, as shown in Figure 6. The advantage of ML is its ability to detect new or unknown ransomware that does not match existing patterns or signatures. In addition, this technique produces fewer false positives than heuristic-based and signature-based detection because it relies on observed behavior patterns rather than predefined rules [9].
    Machine learning detection algorithms: Different ML algorithms are employed to detect ransomware attacks, such as support vector machines, k-nearest neighbors, random forests, decision trees, logistic regression, and XGBoost. Table 5 below summarizes all these algorithms.
    Advanced algorithms are utilized to monitor behavior and identify patterns, which help identify suspicious cases of different forms of ransomware [20].
    Table 5. Machine learning detection algorithms.

| Algorithm | Description |
|---|---|
| Support vector machines | A reliable ML method that can be used to detect and classify ransomware. It can be trained on different features, such as network traffic, file behavior, and system calls, to differentiate between goodware and ransomware. It is most beneficial when the data are high-dimensional and not linearly separable [36]. |
| Decision trees | A simple method that can be used for classification to detect ransomware. The data are divided into subsets based on feature values to build a tree structure for decision-making. It can be trained on features such as system calls, network traffic, and file modifications [37]. |
| Random forests | An extension of decision trees that reduces overfitting and improves performance. Data and features are sampled randomly to build multiple decision trees. It handles high-dimensional data but can be difficult to interpret and computationally demanding [38]. |
| k-nearest neighbors | A simple method that selects the k training points closest to the input and predicts the label most common among those neighbors. It is effective in many applications and is used primarily for regression and classification tasks [39]. |
| Extreme Gradient Boosting (XGBoost) | A powerful and popular algorithm for gradient-boosting tasks. It combines decision trees with gradient boosting to produce a more accurate model and improves scalability by handling large, complex datasets and extracting relevant features [40]. |
| Logistic regression | Used for binary classification tasks where the result is one of two possible outputs. It is trained to find the parameters that maximize the likelihood of the training data and can be regularized to prevent overfitting. It is simple, interpretable, and usable with small datasets [41]. |
    Behavioral analysis: Using ML models to analyze all patterns and behaviors of operations, files, and network activities to identify suspicious behaviors that may indicate a ransomware intrusion. Such models can detect a deviation from usual activity when any suspicious activity is detected [42].
    Anomaly detection: Develop ML-based models that distinguish legitimate from malicious activity patterns in the behavior of a network or system; behavior that deviates from the legitimate profile is flagged as an indication of a ransomware attack [43].
    Signature-based detection: Ransomware signatures can be identified by training ML models to examine a user’s network connections, files, and system logs. Therefore, alarms are sent when the results match the characteristics marked as ransomware [44].
    Data mining and threat intelligence: ML techniques are applied to large datasets to analyze and extract useful insights from these data. Also, the characteristics of legitimate patterns and suspicious or harmful patterns are analyzed. Thus, countermeasures and preventive measures are developed against this type of attack [45].
  • Deep learning: Deep learning (DL) techniques are proposed to overcome the limitations of traditional ransomware detection methods and to improve reliability, accuracy, and performance. DL is suited to unstructured datasets and requires minimal or no human intervention because of its self-learning capabilities. DL models perform particularly well at identifying text- and image-based ransomware because of how well they categorize voice, text, and image data. They can be problematic for general-purpose applications, especially those with small datasets, because they require large quantities of training data. High processing power requirements and difficulty adapting to real-world datasets are two further issues with DL [46].
  • Artificial neural networks: Artificial neural network techniques have a broad range of applications, which makes them suitable for detecting many kinds and variants of ransomware data, including variants that target images and text. Because of their capacity for ongoing learning, neural networks are an ideal choice for recognizing zero-day attacks and adjusting to new ransomware data. Their versatility lets them detect many types of ransomware data and adapt to new threats. However, because of the black-box nature of the technology and its reliance on hardware, these techniques can be susceptible to data dependencies, which makes it harder for human analysts to monitor data processing and spot anomalies [47].
Figure 6. Machine learning: detection algorithm.
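The pipeline just described (collect labelled samples, extract behavioral features, train a classifier, label unseen samples) is illustrated below with a k-nearest neighbors classifier written in pure Python. This is an added example and not code from the reviewed papers or from the system in Figure 6; the four feature names, every sample value and the held-out split are constructed for illustration. The held-out evaluation shows how the false positive and false negative counts mentioned in the text are obtained, and the benign rows deliberately include an archiver and a backup agent whose high-entropy writes must not trigger a detection on their own.

```python
"""
Supervised ransomware classification with k-nearest neighbors (k-NN).

Added example, not code from the reviewed paper: the feature names and all
sample values are constructed to illustrate the pipeline (collect labelled
samples, extract behavioural features, train, classify an unseen sample).
"""
import math
from collections import Counter

FEATURE_NAMES = (
    "files_modified_per_min",     # rate of file writes observed in a sandbox run
    "mean_write_entropy_bits",    # Shannon entropy of written data (8.0 = random)
    "extension_changes_per_min",  # renames that change a file's extension
    "crypto_dll_imports",         # number of cryptographic DLLs loaded
)

# Constructed training set: (feature vector, label); 0 = benign, 1 = ransomware.
TRAINING_SET = [
    ((3.0, 4.1, 0.0, 0), 0),      # text editor
    ((12.0, 5.2, 0.0, 1), 0),     # archiver: compressed output raises entropy
    ((1.0, 3.5, 0.0, 0), 0),      # spreadsheet
    ((20.0, 4.8, 0.1, 0), 0),     # build tool: many writes, low entropy
    ((6.0, 6.0, 0.0, 1), 0),      # backup agent: encrypts its own archive
    ((2.0, 3.9, 0.0, 0), 0),      # browser
    ((8.0, 4.5, 0.0, 0), 0),      # IDE
    ((480.0, 7.9, 470.0, 3), 1),
    ((350.0, 7.8, 340.0, 2), 1),
    ((900.0, 7.95, 880.0, 4), 1),
    ((210.0, 7.7, 200.0, 2), 1),
    ((600.0, 7.9, 590.0, 3), 1),
    ((150.0, 7.6, 140.0, 2), 1),
    ((720.0, 7.92, 700.0, 3), 1),
]

# Constructed held-out set used to estimate false positive/negative counts.
HELD_OUT = [
    ((5.0, 4.3, 0.0, 0), 0),      # office application
    ((15.0, 5.0, 0.0, 1), 0),     # software installer
    ((420.0, 7.85, 410.0, 3), 1),
    ((180.0, 7.7, 170.0, 2), 1),
]


def fit_scaler(rows):
    """Per-feature (min, range) for min-max scaling; range 1.0 if constant."""
    vectors = [vec for vec, _ in rows]
    scaler = []
    for i in range(len(vectors[0])):
        column = [v[i] for v in vectors]
        lo, hi = min(column), max(column)
        scaler.append((lo, (hi - lo) or 1.0))
    return scaler


def scale(vec, scaler):
    return tuple((x - lo) / rng for x, (lo, rng) in zip(vec, scaler))


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def predict(training, sample, k=3):
    """Majority label among the k nearest scaled training vectors."""
    scaler = fit_scaler(training)          # fitted on training data only
    target = scale(sample, scaler)
    neighbours = sorted(
        ((euclidean(scale(vec, scaler), target), label) for vec, label in training),
        key=lambda pair: pair[0],
    )[:k]
    votes = Counter(label for _, label in neighbours)
    return votes.most_common(1)[0][0]


def evaluate(training, held_out, k=3):
    """Confusion counts (tp, fp, tn, fn) on a labelled held-out set."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for vec, truth in held_out:
        guess = predict(training, vec, k)
        if truth == 1:
            counts["tp" if guess == 1 else "fn"] += 1
        else:
            counts["tn" if guess == 0 else "fp"] += 1
    return counts


if __name__ == "__main__":
    print(evaluate(TRAINING_SET, HELD_OUT))
    print(predict(TRAINING_SET, (5.0, 4.3, 0.0, 0)))
```

Because the scaler is fitted on the training set only, an unseen sample with a write rate beyond anything seen in training simply scales above 1.0 and is still classified; with an odd k and binary labels the vote can never tie.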
Successful case studies:
  • Ransomware behavioral analysis: One successful study used ML as a defense mechanism against ransomware attacks. The analysis considered seven ransomware and seven benign software samples to distinguish between benign and malicious software with low false negative and false positive rates. Features of the different samples, such as the Dynamic Link Libraries (DLLs) they load, were extracted in this study. DLLs are a type of file used in Windows operating systems to hold code and procedures that are shared among various applications. Essentially, DLLs allow programs to use functionality stored in separate files rather than having to include it within the program itself. This not only saves space but also promotes code reuse and modular programming. When a program runs, it can call upon a DLL file to perform certain functions, which helps in efficient memory usage and reduces the application’s load time because only the necessary parts are loaded. DLLs are crucial for the operating system to manage shared resources effectively, enabling smoother and more efficient operation of software on a computer.
    Early detection of ransomware attacks and alerting the user about the existing threat are considered a main feature of this proposed system [48].
  • Anomaly detection in network traffic: In [49], AI algorithms and ML techniques were used to detect anomalies by analyzing network traffic. This process is performed by labeling normal and abnormal features and utilizing ML to detect the unusual status of the network. The system succeeded in isolating harmful activities, allowing early detection, and taking the necessary preventive measures.
  • Signature-based ransomware detection: ML models were used in some systems that aim to detect ransomware signatures. Ransomware tends to constantly change its signatures to prevent detection by traditional detection techniques. ML models are constantly updated to identify new forms of ransomware, which allows for early detection and appropriate decision-making [19].
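As an added example of the baseline-and-deviation approach in the network traffic case study above (not code from [49]), the block below builds a profile of one host's per-minute network summaries from a window assumed to be normal and flags later minutes whose z-score on any feature exceeds a threshold. The records, the three feature names and the threshold of 3.0 are constructed assumptions; minute 14 is included as an elevated but still normal reading to show that the detector does not fire on ordinary variation.

```python
"""
Baseline-and-deviation anomaly detection over per-minute network summaries.

Added example, not code from the reviewed study: the records below are
constructed for a single host; feature names and threshold are assumptions.
"""
import math

# Each record: (minute, kilobytes_out, distinct_destinations, dns_queries)
# Constructed baseline window assumed to contain only normal activity.
BASELINE = [
    (1, 42, 4, 3), (2, 51, 5, 4), (3, 47, 3, 2), (4, 55, 6, 5), (5, 49, 4, 3),
    (6, 44, 5, 4), (7, 58, 4, 3), (8, 46, 3, 2), (9, 53, 5, 4), (10, 50, 4, 3),
]

# Constructed observation window: minute 14 is elevated but within normal
# variation; minutes 15 and 16 show a burst of outbound traffic to many
# destinations, the kind of deviation the case study describes.
OBSERVED = [
    (11, 48, 4, 3), (12, 52, 5, 4), (13, 45, 3, 2), (14, 61, 5, 3),
    (15, 870, 38, 41), (16, 640, 31, 36), (17, 50, 4, 3),
]

FEATURES = ("kilobytes_out", "distinct_destinations", "dns_queries")


def build_profile(records):
    """Mean and sample standard deviation of each feature in the baseline."""
    profile = []
    for i in range(1, len(FEATURES) + 1):
        column = [r[i] for r in records]
        mean = sum(column) / len(column)
        var = sum((x - mean) ** 2 for x in column) / (len(column) - 1)
        std = math.sqrt(var) or 1e-9   # constant feature: avoid division by zero
        profile.append((mean, std))
    return profile


def z_scores(record, profile):
    """Absolute z-score of each feature of one record against the profile."""
    return [abs(record[i + 1] - mean) / std for i, (mean, std) in enumerate(profile)]


def detect_anomalies(baseline, observed, threshold=3.0):
    """(minute, worst feature, z) for each record whose largest z exceeds threshold."""
    profile = build_profile(baseline)
    flagged = []
    for record in observed:
        zs = z_scores(record, profile)
        worst = max(range(len(zs)), key=zs.__getitem__)
        if zs[worst] > threshold:
            flagged.append((record[0], FEATURES[worst], round(zs[worst], 1)))
    return flagged


def flagged_minutes(baseline, observed, threshold=3.0):
    return [minute for minute, _, _ in detect_anomalies(baseline, observed, threshold)]


if __name__ == "__main__":
    for hit in detect_anomalies(BASELINE, OBSERVED):
        print(hit)
```

The profile is learned without labels, which is what lets this kind of detector flag a variant it has never seen; the cost is that the baseline window itself must be clean, so in practice it is rebuilt periodically and reviewed before use.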

3.9. Preventive Measures and Best Practices

Individuals, organizations, and governments can reduce the risk of ransomware by taking some important preventive measures, such as following cyber-hygiene practices, performing regular backups, and keeping antivirus software up to date. Several preventive measures against ransomware are reviewed in this section.
  • Cybersecurity hygiene: Cybersecurity hygiene is applied in several steps, the most important of which are as follows:
    • Employee education and awareness: Increasing individuals’ awareness of the dangers of ransomware and educating them on cybersecurity best practices, such as detecting suspicious messages and avoiding downloading files or programs from suspicious or unreliable links [13].
    • Strong password policies: Forcing the user to use strong and complex passwords. In addition, it is necessary to change the passwords regularly and use password management programs for better management and security [50].
    • Multi-factor authentication (MFA): Requiring more than one factor, such as a password combined with voice recognition or facial recognition, before granting access to sensitive data or files [51].
  • Regular backups: Regular backups of sensitive data are made to mitigate the damage in case hackers gain access to the original data [52].
  • Timely updates: Ensure that all programs and operating systems are updated to the latest version and allow automatic updating of these preventive programs once connected to the Internet [22].
  • Network segmentation and access control: Applying network segmentation to isolate important data from other data and implementing the least privilege principle by granting users only the privileges needed to perform their tasks [53].

3.10. Regulatory and Legal Considerations

Given the negative impact of ransomware on many individuals, organizations, and governments, many regulatory and legal frameworks have been developed to limit or mitigate its impact. These laws and frameworks vary from country to country, but there are common aspects regarding ransomware detection and response that will be discussed in this section.
Ransomware criminalization: Deploying or spreading ransomware is a crime punishable by law in many countries, because it involves unauthorized access to sensitive or private data and extorting the victim into paying money to recover these data [54].
Data privacy protection laws: Many countries impose strict laws and regulations that require organizations to protect the privacy of their employees’ data and personal information. These laws require organizations to take specific measures to protect these data from unauthorized access by ransomware attackers. Once a breach or violation occurs, the organization is legally responsible for compensating the individuals affected by it [55].
International cooperation against ransomware: Ransomware targets many victims and is operated from different countries worldwide. Efforts are therefore unified through international cooperation and agreements that target various types of attacks, especially ransomware. These agreements also aim to facilitate the exchange of information, the pursuit and extradition of criminals, and assistance to victims, thus accelerating detection and response [56].
These regulatory and legal frameworks have greatly assisted in detecting and responding directly to ransomware. International cooperation between organizations has also helped to strengthen the role of cybersecurity and to develop effective techniques to detect, mitigate, and respond to ransomware attacks.

3.11. Future Trends in Ransomware

In this section, the future trends in ransomware development will be discussed.
Increased complexity: The complexity of ransomware increases as technology continues to evolve, as attackers use these advanced technologies to carry out ransomware attacks, such as using AI techniques and various encryption algorithms to avoid detection and observation until the victim’s data are seized [12].
Targeted attacks: Attackers often conduct reconnaissance to identify their targets, design their attacks accordingly, and then carry them out. Governments are usually targeted to leak sensitive data, while large organizations or specific individuals are targeted to obtain greater advantages or benefits [57].
Exploitation of emerging technologies: With technological advancements, attackers aim to exploit the vulnerabilities in new techniques like IoT devices or cloud services [58].

5. Real-World Ransomware Incidents

Ransomware attacks have become a significant threat to individuals, businesses, and government entities worldwide.
  • WannaCry Global Ransomware Attack (2017): In May 2017, the WannaCry ransomware attack spread across over 150 countries and infected more than 250,000 computers [64]. The attack exploited a vulnerability in Microsoft Windows for which a patch had been released but not widely applied [64]. One of the victims of this attack was the UK’s National Health Service (NHS). The ransomware encrypted files and demanded Bitcoin payments to release the encrypted data [64]. The attack highlighted the importance of regular software updates and the strong impact of ransomware on critical infrastructure and services. It also marked a turning point in encouraging global awareness and efforts to combat cyber threats.
  • Colonial Pipeline Attack (2021): The Colonial Pipeline ransomware attack in May 2021 underscored the vulnerability of critical infrastructure to cyberattacks [65]. The Colonial Pipeline, which carries gasoline and jet fuel over 5500 miles (about 8850 km) between Texas and New York [65], was forced to shut down operations due to a ransomware attack by a group known as DarkSide [65]. This disruption led to a significant increase in gas prices, panic buying, and fuel shortages across the Eastern United States [65]. The company paid a ransom of nearly USD 5 million in cryptocurrency to regain access to its systems [65]. This incident prompted the U.S. government to issue new cybersecurity directives for pipeline operators [65]; moreover, it emphasized the national security implications of ransomware attacks.
  • Atlanta City Government Attack (2018): In March 2018, the city government of Atlanta, Georgia, was hit by a ransomware attack [66]. This attack affected a large part of its digital infrastructure [66]. The SamSam ransomware attack affected multiple city services, including court proceedings, bill payments, and law enforcement activities [66]. The affected services demonstrated how ransomware can damage the day-to-day operations of a city. The attackers demanded a ransom of USD 51,000 in Bitcoin, but the city chose not to pay [66]. The recovery and mitigation efforts cost the city an estimated USD 17 million [66]. This incident motivated other cities across the United States to strengthen their cybersecurity defenses.
  • University of California, San Francisco (UCSF) Attack (2020): The University of California, San Francisco (UCSF), fell victim to a ransomware attack in June 2020. This attack targeted the School of Medicine’s IT infrastructure [67]. The university faced the potential loss of critical academic research data, including work related to COVID-19 [67]. UCSF chose to pay a ransom of over USD 1.14 million [67]. The NetWalker ransomware group was responsible for the attack [67]. The attackers exploited vulnerabilities in unsecured networks [67]. This incident highlighted the complex ethical and financial decisions ransomware victims must make when critical scientific research is in danger.

6. Comparison with Other Review Papers

The main goal of our study is to emphasize the need for ongoing improvements in detection technologies to keep up with the constantly changing ransomware threat landscape. By reviewing a wide range of research and articles, this study evaluates different methods for detecting ransomware, new and promising tools, and identifies gaps in the current studies.
The contributions of this paper are significant. It not only identifies existing knowledge on detecting ransomware but also highlights where more research is needed. The paper examines related studies and real-world ransomware cases, highlighting the urgent need for better and more flexible detection technologies. It discusses the complexities of ransomware attacks and the challenges in detecting them early. Furthermore, it emphasizes how new technologies can help in developing better defense mechanisms.
The importance of this study lies in its potential to improve defenses against ransomware by providing a detailed look at how ransomware works and how effective current detection methods are. This research offers valuable insights for both researchers and professionals in cybersecurity. Moreover, it emphasizes the importance of collaboration among all parties involved to develop effective prevention strategies, thus helping protect important information and infrastructure from these harmful threats. This paper serves as a crucial guide for how to more effectively detect, prevent, and respond to ransomware attacks as we move forward in the digital world.
This paper delves into the topic of ransomware and aims to provide a thorough understanding and analysis of this significant cybersecurity threat. We delve into the background of ransomware, reviewing its types, attack vectors, encryption methods, and detection challenges, and exploring the role of AI in combating such threats. It also addresses preventive measures, legal considerations, and future trends. The discussion focuses on indicators of ransomware incidents, attack frameworks, and behavior patterns, as well as the efficacy of current detection techniques, emerging trends, and avoidance strategies. Real-world ransomware incidents are also discussed, which gives practical insights into the impact of these attacks. Furthermore, this study reviews related studies, providing a critical analysis of the existing literature and identifying research gaps. Open challenges and limitations in ransomware detection and prevention are explored in detail. Future directions for research and development are proposed. Lastly, the paper underscores the importance of enhanced detection capabilities.
The authors of [9] discussed the critical issue of ransomware attacks and how these attacks have become a significant cybersecurity threat affecting organizations across various industries. The study provides a comprehensive overview of the ransomware threat landscape, analyzing the factors contributing to the spread of ransomware and exploring potential recommendations for future research. The main focus of the paper is on the development and implementation of machine learning-based ransomware detection systems. The key findings of the research include the importance of collaboration and data sharing among researchers and organizations to enhance the effectiveness of ransomware detection systems. The study emphasizes the challenges in developing effective machine learning-based ransomware detection systems and highlights the need for advanced techniques and collaborative efforts to create strong and accurate detection mechanisms. Additionally, the paper discusses the historical background of ransomware attacks, recent literature on automated ransomware detection approaches, and future research directions in the field. However, a limitation of the paper is the lack of detailed case studies or real-world implementation examples of the discussed detection systems. Providing real-world examples could offer more practical insights into their effectiveness in detecting and mitigating ransomware attacks. The paper could discuss the specific ML algorithms and techniques used for ransomware detection; moreover, it could include their strengths, weaknesses, and comparative analysis in different scenarios. Providing a detailed evaluation of the performance metrics of these algorithms in detecting ransomware could offer valuable insights for researchers and practitioners. Furthermore, the paper could explore the implications of evolving ransomware techniques and the adaptability of ML models to detect emerging threats effectively.
In [13], the authors discussed the critical issue of combating ransomware attacks. These attacks have become increasingly prevalent and damaging in the realm of cybersecurity. The authors conducted a thorough investigation into various scenarios and compared existing state-of-the-art research with their own contributions. They incorporated a case study on the Djvu ransomware to illustrate the modus operandi of the latest ransomware strains and provide suggestions. The motivation behind the study was the increase in ransomware attacks impacting businesses and individuals globally. The authors highlighted the need for a comprehensive analysis that addresses the importance of ransomware avoidance techniques due to the complexity of mitigation and recovery processes.
Key findings of the paper include the proposal of the DAM (Detection, Avoidance, and Mitigation) framework, which is a theoretical model for reviewing and classifying tools, techniques, and strategies to detect ransomware effectively. Additionally, the paper discusses the effectiveness of pre-existing detection techniques. They emphasized the development of ML-based solutions to enhance detection capabilities. However, the paper does have some limitations. One notable limitation is the lack of a comparison between their methods and existing solutions. Furthermore, the paper focuses on a single case study of the Djvu ransomware and does not provide any other cases.
The authors of [3] summarized the crucial issue of detecting and dealing with crypto-ransomware attacks, which is a big problem for Internet and mobile users. They highlighted how hard it is to detect ransomware early because there are not enough datasets showing what ransomware does before it encrypts files. They highlighted the need for modern methodologies in the detection process, the limitations of early detection, and the importance of innovative techniques to develop detection capabilities. The authors identified the importance of finding better ways to collect data and choose features to make detection models more accurate and reliable. The survey looks at different ways to detect ransomware, including ML methods such as Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM). Moreover, they discussed how important it is to select the right features to design good detection models. The paper described the problems with current detection methods and suggested new ways to fix them, such as defining the boundaries of the early stages of ransomware more precisely and using data from different sources to learn more about its behavior. The paper also highlights the efforts of researchers and security professionals to prevent different cyberattacks. One limitation of this paper is that the authors focus on detection solutions using ML techniques, but the paper lacks a detailed description of the other detection techniques. Further, there is no comparison between their work and others to establish the uniqueness of the paper.
Table 7 shows a comparison between our study and other relevant studies.
Table 7. Comparison with other review papers: (√: the criteria was mentioned and discussed).

8. Open Challenges and Limitations

Early detection of ransomware is tough because cybercriminals keep changing their methods quickly, making it hard for security systems to catch up. They continuously create new types of attacks that older security systems cannot recognize. This means security tools that look for known ransomware do not work well against new or unknown attacks. Also, ransomware can hide by looking like normal software, making it even harder to detect early. Moreover, keeping up with the latest ransomware trends is challenging because there is so much information to track and the attackers are spread out all over the world. Another problem is finding the right balance between watching for ransomware and respecting user privacy. More aggressive monitoring might detect ransomware better but could violate users’ privacy.
Detecting ransomware attacks early is key to avoiding their severe consequences. However, there are significant challenges and limitations to achieving this goal, starting with the complexity of ransomware tactics, the diversity of attack vectors, and the limitations of current detection technologies.
Moreover, the encryption methods that ransomware uses present another challenge. Today’s ransomware uses complex encryption that is hard to notice until it is too late and files are already locked. Ransomware also hides its actions by appearing as a normal computer process, which makes it harder to detect.
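Because the challenge just described is that encryption is usually noticed only once files are locked, one indicator a host monitor can compute on every write is the Shannon entropy of the data being written: ordinary text scores around 4 bits per byte, while ciphertext is close to 8. The block below is an added example, not code from the paper, with constructed buffers. It also shows the failure mode a practitioner has to plan for: a compressed archive looks just as random as ciphertext, which is why entropy is one feature among several rather than a verdict on its own. The 7.5-bit threshold and the 1024-byte chunk size are assumptions.

```python
"""
Shannon entropy of written data as an early indicator of encryption.

Added example, not from the reviewed paper: all buffers are constructed inline,
and the threshold (7.5 bits/byte) and chunk size (1024 bytes) are assumptions.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_write(data: bytes, threshold: float = 7.5) -> str:
    """Label a single write buffer by its overall entropy."""
    return "high-entropy" if shannon_entropy(data) >= threshold else "low-entropy"


def high_entropy_fraction(data: bytes, chunk: int = 1024, threshold: float = 7.5) -> float:
    """Fraction of fixed-size chunks at or above the threshold; a file that is
    mostly plaintext with one encrypted section scores low overall but shows
    up here, which is why monitors look at chunks rather than whole files."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return 0.0
    hits = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return hits / len(chunks)


# Constructed sample buffers.
PLAINTEXT = b"Quarterly report: revenue grew 4% while costs were flat. " * 80
RANDOM_LIKE = random.Random(42).randbytes(4096)     # stands in for ciphertext
DNA_LIKE = bytes(random.Random(7).choice(b"ACGT") for _ in range(8192))
COMPRESSED = zlib.compress(DNA_LIKE, 9)             # legitimate compressed write


def entropy_report() -> dict:
    """Entropy of each constructed buffer, rounded to two decimals."""
    return {
        "plaintext": round(shannon_entropy(PLAINTEXT), 2),
        "random_like": round(shannon_entropy(RANDOM_LIKE), 2),
        "compressed": round(shannon_entropy(COMPRESSED), 2),
    }


if __name__ == "__main__":
    for name, bits in entropy_report().items():
        print(f"{name:12s} {bits:5.2f} bits/byte")
    # Compressed output scores far above plaintext even though nothing was
    # encrypted: entropy alone cannot separate archiving from encryption.
```

In a detector this value would be combined with the write rate, extension changes and the process that performed the write, as in the ML feature sets discussed in Section 3.8, rather than used as a trigger by itself.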
The diversity of attack vectors also complicates early detection. Ransomware can enter through phishing emails, malicious websites, or software vulnerabilities. Each entry point requires different detection strategies. As a result, it is difficult for organizations to guard all possibilities effectively. Moreover, there is an increasing trend of fileless ransomware attacks, which do not rely on traditional files and leave fewer footprints; this poses a significant challenge for existing security tools.
Lastly, the human factor remains a critical weakness. Effective ransomware attacks often begin with social engineering tactics that trick individuals into initiating the infection process themselves. Training users to recognize these tactics is challenging, and a single mistake can lead to a successful attack.

9. Future Directions

Advancements in detection algorithms are essential for combating ransomware effectively. There is a critical need to develop more sophisticated algorithms that utilize ML, DL, and AI. These technologies have the potential to greatly enhance our ability to predict and identify ransomware activities before they cause harm. ML and DL algorithms can learn from vast amounts of data and recognize patterns and signs that indicate a ransomware attack. This learning process enables the detection of new and evolving ransomware strains that traditional, signature-based antivirus tools might miss. AI can further increase these capabilities by automating decision-making processes and enabling systems to respond quickly to detected threats. Early detection is crucial because it allows for immediate action to prevent or minimize damage. Therefore, investing in the research and development of advanced detection algorithms is necessary for the cybersecurity community. This effort not only improves our defense against ransomware but also sets the stage for proactive measures against future cybersecurity threats.

9.1. Development of New Detection Algorithms

The continuous evolution of ransomware techniques necessitates the development of novel detection algorithms that can adapt and respond to new threats effectively. Future research should focus on creating algorithms that are not only robust but also capable of real-time detection and mitigation of ransomware attacks. Current detection methods often rely on signature-based approaches, which can be insufficient against new or modified ransomware strains. Therefore, there is a pressing need to explore heuristic and behavior-based algorithms that can identify malicious activities based on patterns and anomalies in system behavior. Furthermore, hybrid algorithms that combine multiple detection techniques could enhance the accuracy and efficiency of ransomware detection. Researchers should also investigate the use of automated and self-learning systems that can continuously update and improve their detection capabilities without manual intervention.

9.2. Integration of AI and ML

AI and ML have shown significant promise in enhancing cybersecurity measures, including ransomware detection. Future research should delve into the integration of AI and ML techniques to develop intelligent systems capable of identifying and responding to ransomware attacks swiftly. ML models, especially those leveraging DL, can analyze vast amounts of data to detect subtle indicators of ransomware that traditional methods might miss. Research should also focus on the development of unsupervised learning techniques that can detect new ransomware variants without requiring labeled training data. Moreover, the use of reinforcement learning could enable systems to learn optimal defense strategies through continuous interaction with the environment. By incorporating AI, researchers can create more adaptive and proactive ransomware detection systems.

9.3. Impact of Emerging Technologies

Emerging technologies such as blockchain, IoT, and 5G networks present both opportunities and challenges for ransomware detection. Future research should investigate how these technologies can be leveraged to enhance security measures against ransomware. For instance, blockchain technology can be used to create decentralized and tamper-proof records, making it harder for ransomware to disrupt or manipulate data. On the other hand, the proliferation of IoT devices and the advent of 5G networks increase the potential attack surface for ransomware. Researchers need to explore how to secure these technologies and develop detection mechanisms that can operate in such dynamic and heterogeneous environments. Additionally, understanding the impact of quantum computing on cryptographic algorithms used by ransomware can help in developing future-proof security solutions. By examining these emerging technologies, researchers can anticipate future trends and prepare more effective defenses against ransomware.

9.4. Improved Data Collection and Sharing

Effective ransomware detection relies heavily on the availability of high-quality data for analysis and training of detection models. Future research should emphasize the development of standardized frameworks for data collection and sharing among organizations. This can include creating centralized repositories that anonymize and aggregate data from various sources, ensuring privacy while providing a rich dataset for researchers. Collaboration between public and private sectors can also be encouraged to facilitate the exchange of threat intelligence and real-time ransomware indicators. By improving data collection and sharing practices, researchers can build more comprehensive and accurate detection systems.

9.5. Development of Resilient Backup Solutions

Backups are a critical defense mechanism against ransomware attacks; yet, many organizations still struggle with implementing effective backup strategies. Future research should focus on developing resilient backup solutions that can withstand ransomware attacks and ensure quick recovery. This includes exploring innovative backup technologies, such as immutable backups and air-gapped systems, that are resistant to tampering and encryption by ransomware. Additionally, researchers should investigate best practices for backup frequency, storage, and recovery procedures to minimize data loss and downtime. By advancing backup solutions, organizations can improve their ability to recover from ransomware attacks without succumbing to ransom demands.

10. Conclusions

Our exploration of ransomware underscores the critical nature of safeguarding digital infrastructure against these malicious attacks. Ransomware, with its ability to encrypt victims’ files and demand a ransom for their release, presents a critical challenge that continues to evolve alongside technological advancements. This paper has delved into the multifaceted aspects of ransomware attacks, ranging from their mechanisms, types, and vectors to the encryption techniques employed. We have also identified the signs of an attack and the inherent challenges in early detection, highlighting the potential of AI in combating these threats. Preventive measures, best practices, and the legal framework surrounding ransomware have been explored to offer a clear understanding of the current landscape and to suggest a proactive response to such attacks.
Our literature review and discussion emphasize the necessity for immediate and efficient detection techniques to mitigate the impact of ransomware attacks. There are various strategies and tools aimed at identifying and preventing these attacks. However, there remains a substantial gap in the effectiveness and reliability of these measures. The dynamic and sophisticated nature of ransomware requires continuous research and development to enhance detection and prevention methods that can adapt to evolving attack patterns.
The significance of this study lies in its comprehensive analysis of ransomware. A collaborative effort is required from individuals, organizations, and governments to enhance digital defenses. The study also underscores the urgent need for enhanced detection capabilities, strong prevention strategies, and a clear understanding of ransomware to safeguard sensitive information and critical infrastructure. Our investigation into the taxonomy of ransomware detection techniques, along with real-world ransomware incidents and emerging trends, offers valuable insights into the complexity of these attacks. Furthermore, it highlights the necessity for a comprehensive approach to cybersecurity.
In conclusion, as ransomware attacks continue to pose a significant threat to global digital security, it is important that the cybersecurity community, policymakers, and stakeholders enhance defenses against these malicious activities. Future research should focus on closing the existing gaps in detection and prevention, exploring the potential of emerging technologies, and promoting an environment of collaboration and information sharing. As a result, we can hope to stay a step ahead of cybercriminals and protect our digital world from ransomware attacks.

Author Contributions

Conceptualization, L.A. and S.A.; methodology, L.A., S.A. and M.M.H.R.; software, L.A. and S.A.; validation, L.A., S.A. and M.M.H.R.; formal analysis, L.A., S.A. and M.M.H.R.; investigation, L.A. and S.A.; resources, L.A. and S.A.; writing original draft preparation, L.A. and S.A.; writing review and editing, L.A., S.A. and M.M.H.R.; supervision, M.M.H.R.; project administration, M.M.H.R.; funding acquisition, M.M.H.R. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by the Deanship of Scientific Research, Vice Presidency for Graduate Studies and Scientific Research, King Faisal University, Saudi Arabia [GRANT No. KFU241479].

Institutional Review Board Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Acknowledgments

The authors extend their appreciation to the Deanship of Scientific Research, Vice Presidency for Graduate Studies and Scientific Research, King Faisal University, Saudi Arabia [GRANT No. KFU241479]. The authors would like to thank the anonymous reviewers for their insightful scholastic comments and suggestions, which improved the quality and clarity of the paper.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
SLR: Systematic Literature Review
SMB: Server Message Block
AES: Advanced Encryption Standard
ECC: Elliptic Curve Cryptography
DLLs: Dynamic Link Libraries
MFA: Multi-Factor Authentication
APIs: Application Programming Interfaces
DAM: Detection, Avoidance, and Mitigation
CNN: Convolutional Neural Network
LSTM: Long Short-Term Memory
AI: Artificial Intelligence
NLP: Natural Language Processing
3LS: Three-Layer Security
ML: Machine Learning
BCS: Binary Cuckoo Search
MOGWO: Multi-Objective Grey Wolf Optimization
HSR: Highly Survivable Ransomware
TF-IDF: Term Frequency-Inverse Document Frequency
ANN: Artificial Neural Network
SVM: Support Vector Machine
PE: Portable Executable
SSF: Simplified Silhouette Filter
DL: Deep Learning
VM: Virtual Machine
CRF: Conditional Random Fields

References

  1. Ozer, M.; Varlioglu, S.; Gonen, B.; Bastug, M. A prevention and a traction system for ransomware attacks. In Proceedings of the 2019 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 5–7 December 2019; pp. 150–154. [Google Scholar]
  2. Xia, T.; Sun, Y.; Zhu, S.; Rasheed, Z.; Shafique, K. Toward a network-assisted approach for effective ransomware detection. arXiv 2020, arXiv:2008.12428. [Google Scholar] [CrossRef]
  3. Alqahtani, A.; Sheldon, F.T. A survey of crypto ransomware attack detection methodologies: An evolving outlook. Sensors 2022, 22, 1837. [Google Scholar] [CrossRef] [PubMed]
  4. Beaman, C.; Barkworth, A.; Akande, T.D.; Hakak, S.; Khan, M.K. Ransomware: Recent advances, analysis, challenges and future research directions. Comput. Secur. 2021, 111, 102490. [Google Scholar] [CrossRef] [PubMed]
  5. Razaulla, S.; Fachkha, C.; Markarian, C.; Gawanmeh, A.; Mansoor, W.; Fung, B.C.; Assi, C. The age of ransomware: A survey on the evolution, taxonomy, and research directions. IEEE Access 2023, 11, 40698–40723. [Google Scholar] [CrossRef]
  6. The Latest Ransomware Statistics (Updated June 2024)|AAG IT Support. Available online: https://aag-it.com/the-latest-ransomware-statistics/ (accessed on 19 June 2024).
  7. Altulaihan, E.; Alismail, A.; Hafizur Rahman, M.; Ibrahim, A.A. Email Security Issues, Tools, and Techniques Used in Investigation. Sustainability 2023, 15, 10612. [Google Scholar] [CrossRef]
  8. The PRISMA 2020 Statement: An Updated Guideline for Reporting Systematic Reviews. Available online: https://www.bmj.com/content/372/bmj.n71 (accessed on 19 June 2024).
  9. Alraizza, A.; Algarni, A. Ransomware detection using machine learning: A survey. Big Data Cogn. Comput. 2023, 7, 143. [Google Scholar] [CrossRef]
  10. Ransomware Payments Exceed 1 Billion in 2023, Hitting Record High after 2022 Decline. Available online: https://databreaches.net/2024/02/09/ransomware-payments-exceed-1-billion-in-2023-hitting-record-high-after-2022-decline/ (accessed on 7 February 2024).
  11. Arslanian, M.; Roberts, H.; Welfer, J.; Xie, S.; Chen, B. The WannaCry Ransomware. Available online: https://verifythesource.org/posts/wannacry (accessed on 20 April 2024).
  12. Permana, G.R.; Trowbridge, T.E.; Sherborne, B. Ransomware mitigation: An analytical investigation into the effects and trends of ransomware attacks on global business. PsyArXiv 2022. [Google Scholar] [CrossRef]
  13. Kapoor, A.; Gupta, A.; Gupta, R.; Tanwar, S.; Sharma, G.; Davidson, I.E. Ransomware detection, avoidance, and mitigation scheme: A review and future directions. Sustainability 2021, 14, 8. [Google Scholar] [CrossRef]
  14. Cen, M.; Jiang, F.; Qin, X.; Jiang, Q.; Doss, R. Ransomware early detection: A survey. Comput. Netw. 2024, 239, 110138. [Google Scholar] [CrossRef]
  15. Kovács, A. Ransomware: A comprehensive study of the exponentially increasing cybersecurity threat. Insights Reg. Dev. 2022, 4, 96–104. [Google Scholar] [CrossRef]
  16. DS, K.P.; HR, P.K. A Systematic Study on Ransomware Attack: Types, Phases and Recent Variants. In Proceedings of the 2024 5th International Conference on Intelligent Communication Technologies and Virtual Mobile Networks (ICICV), Tirunelveli, India, 11–12 March 2024; pp. 661–668. [Google Scholar]
  17. Chaithanya, B.; Brahmananda, S. Detecting ransomware attacks distribution through phishing URLs Using Machine Learning. In Computer Networks and Inventive Communication Technologies: Proceedings of Fourth ICCNCT 2021; Springer: Singapore, 2022; pp. 821–832. [Google Scholar]
  18. Fuertes, W.; Arévalo, D.; Castro, J.D.; Ron, M.; Estrada, C.A.; Andrade, R.; Peña, F.F.; Benavides, E. Impact of social engineering attacks: A literature review. In Developments and Advances in Defense and Security: Proceedings of MICRADS 2021; Springer: Singapore, 2022; pp. 25–35. [Google Scholar]
  19. Ren, A.; Liang, C.; Hyug, I.; Broh, S.; Jhanjhi, N. A three-level ransomware detection and prevention mechanism. EAI Endorsed Trans. Energy Web 2020, 7, e6. [Google Scholar] [CrossRef]
  20. Fernando, D.W.; Komninos, N.; Chen, T. A study on the evolution of ransomware detection using machine learning and deep learning techniques. IoT 2020, 1, 551–604. [Google Scholar] [CrossRef]
  21. Mohammad, A.H. Ransomware evolution, growth and recommendation for detection. Mod. Appl. Sci. 2020, 14, 68. [Google Scholar] [CrossRef]
  22. Humayun, M.; Jhanjhi, N.; Alsayat, A.; Ponnusamy, V. Internet of things and ransomware: Evolution, mitigation and prevention. Egypt. Inform. J. 2021, 22, 105–117. [Google Scholar] [CrossRef]
  23. Dand, P.; Chudasama, D. A Comparative Study about the Ransomware. J. Adv. Database Manag. Syst. 2021, 8, 8–15. [Google Scholar]
  24. Begovic, K.; Al-Ali, A.; Malluhi, Q. Cryptographic ransomware encryption detection: Survey. Comput. Secur. 2023, 132, 103349. [Google Scholar] [CrossRef]
  25. Cicala, F.; Bertino, E. Analysis of encryption key generation in modern crypto ransomware. IEEE Trans. Dependable Secur. Comput. 2020, 19, 1239–1253. [Google Scholar] [CrossRef]
  26. Reshmi, T. Information security breaches due to ransomware attacks—A systematic literature review. Int. J. Inf. Manag. Data Insights 2021, 1, 100013. [Google Scholar] [CrossRef]
  27. Mohammad, A.H. Analysis of ransomware on windows platform. Int. J. Comput. Sci. Netw. Secur. 2020, 20, 21–27. [Google Scholar]
  28. Vasoya, S.; Bhavsar, K.; Patel, N. A systematic literature review on Ransomware attacks. arXiv 2022, arXiv:2212.04063. [Google Scholar]
  29. Bae, S.I.; Lee, G.B.; Im, E.G. Ransomware detection using machine learning algorithms. Concurr. Comput. Pract. Exp. 2020, 32, e5422. [Google Scholar] [CrossRef]
  30. Lemmou, Y.; Lanet, J.L.; Souidi, E.M. A behavioural in-depth analysis of ransomware infection. IET Inf. Secur. 2021, 15, 38–58. [Google Scholar] [CrossRef]
  31. Anand, V.K.; Bamanjogi, K.; Shaw, A.R.; Faheem, M. Comparative study of ransomwares. In Proceedings of the 2022 7th International Conference on Computing, Communication and Security (ICCCS), Seoul, Republic of Korea, 3–5 November 2022; pp. 1–9. [Google Scholar]
  32. Olaimat, M.N.; Maarof, M.A.; Al-rimy, B.A.S. Ransomware anti-analysis and evasion techniques: A survey and research directions. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021; pp. 1–6. [Google Scholar]
  33. August, T.; Dao, D.; Niculescu, M.F. Economics of ransomware: Risk interdependence and large-scale attacks. Manag. Sci. 2022, 68, 8979–9002. [Google Scholar] [CrossRef]
  34. Lee, I.; Roh, H.; Lee, W. Encrypted malware traffic detection using incremental learning. In Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Toronto, ON, Canada, 6–9 July 2020; pp. 1348–1349. [Google Scholar]
  35. Mahajan, A.; Chakrabarty, N.; Majithia, J.; Ahuja, A.; Agarwal, U.; Suryavanshi, S.; Biradar, M.; Sharma, P.; Raghavan, B.; Arafath, R.; et al. Multisystem imaging recommendations/guidelines: In the pursuit of precision oncology. Indian J. Med. Paediatr. Oncol. 2023, 44, 002–025. [Google Scholar] [CrossRef]
  36. Ghouti, L.; Imam, M. Malware classification using compact image features and multiclass support vector machines. IET Inf. Secur. 2020, 14, 419–429. [Google Scholar] [CrossRef]
  37. Akhtar, M.S.; Feng, T. Malware analysis and detection using machine learning algorithms. Symmetry 2022, 14, 2304. [Google Scholar] [CrossRef]
  38. Hwang, J.; Kim, J.; Lee, S.; Kim, K. Two-stage ransomware detection using dynamic analysis and machine learning techniques. Wirel. Pers. Commun. 2020, 112, 2597–2609. [Google Scholar] [CrossRef]
  39. Mezquita, Y.; Alonso, R.S.; Casado-Vara, R.; Prieto, J.; Corchado, J.M. A review of k-nn algorithm based on classical and quantum machine learning. In Distributed Computing and Artificial Intelligence, Special Sessions, 17th International Conference; Springer: Cham, Switzerland, 2021; pp. 189–198. [Google Scholar]
  40. Saadat, S.; Joseph Raymond, V. Malware classification using CNN-XGBoost model. In Artificial Intelligence Techniques for Advanced Computing Applications: Proceedings of ICACT 2020; Springer: Cham, Switzerland, 2021; pp. 191–202. [Google Scholar]
  41. Shah, K.; Patel, H.; Sanghvi, D.; Shah, M. A comparative analysis of logistic regression, random forest and KNN models for the text classification. Augment. Hum. Res. 2020, 5, 12. [Google Scholar] [CrossRef]
  42. Faruk, M.J.H.; Shahriar, H.; Valero, M.; Barsha, F.L.; Sobhan, S.; Khan, M.A.; Whitman, M.; Cuzzocrea, A.; Lo, D.; Rahman, A.; et al. Malware detection and prevention using artificial intelligence techniques. In Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, 15–18 December 2021; pp. 5369–5377. [Google Scholar]
  43. Stoian, N.A. Machine Learning for Anomaly Detection in Iot Networks: Malware Analysis on the Iot-23 Data Set. Bachelor’s Thesis, University of Twente, Enschede, The Netherlands, 2020. [Google Scholar]
  44. Goyal, M.; Kumar, R. The pipeline process of signature-based and behavior-based malware detection. In Proceedings of the 2020 IEEE 5th International Conference on Computing Communication and Automation (ICCCA), Greater Noida, India, 30–31 October 2020; pp. 497–502. [Google Scholar]
  45. Sun, N.; Ding, M.; Jiang, J.; Xu, W.; Mo, X.; Tai, Y.; Zhang, J. Cyber threat intelligence mining for proactive cybersecurity defense: A survey and new perspectives. IEEE Commun. Surv. Tutor. 2023, 25, 1748–1774. [Google Scholar] [CrossRef]
  46. Sharmeen, S.; Ahmed, Y.A.; Huda, S.; Koçer, B.Ş.; Hassan, M.M. Avoiding future digital extortion through robust protection against ransomware threats using deep learning based adaptive approaches. IEEE Access 2020, 8, 24522–24534. [Google Scholar] [CrossRef]
  47. Swami, S.; Swami, M.; Nidhi, N. Ransomware Detection System and Analysis Using Latest Tool. Int. J. Adv. Res. Sci. Commun. Technol. 2021, 7, 2581–9429. [Google Scholar] [CrossRef]
  48. Arabo, A.; Dijoux, R.; Poulain, T.; Chevalier, G. Detecting ransomware using process behavior analysis. Procedia Comput. Sci. 2020, 168, 289–296. [Google Scholar] [CrossRef]
  49. Manavi, F.; Hamzeh, A. A new method for ransomware detection based on PE header using convolutional neural networks. In Proceedings of the 2020 17th International ISC Conference on Information Security and Cryptology (ISCISC), Tehran, Iran, 9–10 September 2020; pp. 82–87. [Google Scholar]
  50. Singh, D.; Mohanty, N.P.; Swagatika, S.; Kumar, S. Cyber-hygiene: The key concept for cyber security in cyberspace. Test Eng. Manag. 2020, 83, 8145–8152. [Google Scholar]
  51. Kitchen, D.E.; Valach, A.P. How to Avoid the Ransomware Onslaught. Natl. Def. 2020, 105, 18–19. [Google Scholar]
  52. Möller, D.P. Ransomware Attacks and Scenarios: Cost Factors and Loss of Reputation. In Guide to Cybersecurity in Digital Transformation: Trends, Methods, Technologies, Applications and Best Practices; Springer: Cham, Switzerland, 2023; pp. 273–303. [Google Scholar]
  53. Berrueta, E.; Morato, D.; Magaña, E.; Izal, M. Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic. Expert Syst. Appl. 2022, 209, 118299. [Google Scholar] [CrossRef]
  54. Lubin, A. The Law and Politics of Ransomware. Vand. J. Transnat’l L. 2022, 55, 1177. [Google Scholar]
  55. Uandykova, M.; Lisin, A.; Stepanova, D.; Baitenova, L.; Mutaliyeva, L.; Yüksel, S.; Dincer, H. The social and legislative principles of counteracting ransomware crime. Entrep. Sustain. Issues 2020, 8, 777–798. [Google Scholar] [CrossRef]
  56. Force, R.T. Combating Ransomware; Intel Security Group: Plano, TX, USA, 2021. [Google Scholar]
  57. Ryan, P.; Fokker, J.; Healy, S.; Amann, A. Dynamics of targeted ransomware negotiation. IEEE Access 2022, 10, 32836–32844. [Google Scholar] [CrossRef]
  58. AlSabeh, A.; Safa, H.; Bou-Harb, E.; Crichigno, J. Exploiting ransomware paranoia for execution prevention. In Proceedings of the ICC 2020-2020 IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020; pp. 1–6. [Google Scholar]
  59. Urooj, U.; Al-rimy, B.A.S.; Zainal, A.; Ghaleb, F.A.; Rassam, M.A. Ransomware detection using the dynamic analysis and machine learning: A survey and research directions. Appl. Sci. 2021, 12, 172. [Google Scholar] [CrossRef]
  60. Chittooparambil, H.J.; Shanmugam, B.; Azam, S.; Kannoorpatti, K.; Jonkman, M.; Samy, G.N. A review of ransomware families and detection methods. In Recent Trends in Data Science and Soft Computing: Proceedings of the 3rd International Conference of Reliable Information and Communication Technology (IRICT 2018); Springer: Cham, Switzerland, 2019; pp. 588–597. [Google Scholar]
  61. Sechel, S. A comparative assessment of obfuscated ransomware detection methods. Inform. Econ. 2019, 23, 45–62. [Google Scholar] [CrossRef]
  62. Bijitha, C.; Sukumaran, R.; Nath, H.V. A survey on ransomware detection techniques. In Secure Knowledge Management in Artificial Intelligence Era: 8th International Conference, SKM 2019, Goa, India, 21–22 December 2019; Proceedings 8; Springer: Cham, Switzerland, 2020; pp. 55–68. [Google Scholar]
  63. Ramesh, G.; Menen, A. Automated dynamic approach for detecting ransomware using finite-state machine. Decis. Support Syst. 2020, 138, 113400. [Google Scholar] [CrossRef]
  64. Puat, H.A.M.; Abd Rahman, N.A. Ransomware as a service and public awareness. PalArch’s J. Archaeol. Egypt/Egyptol. 2020, 17, 5277–5292. [Google Scholar]
  65. Beerman, J.; Berent, D.; Falter, Z.; Bhunia, S. A review of colonial pipeline ransomware attack. In Proceedings of the 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), Bangalore, India, 1–4 May 2023; pp. 8–15. [Google Scholar]
  66. Zimba, A.; Chishimba, M. On the economic impact of crypto-ransomware attacks: The state of the art on enterprise systems. Eur. J. Secur. Res. 2019, 4, 3–31. [Google Scholar] [CrossRef]
  67. Liluashvili, G.B. Cyber risk mitigation in higher education. Law World 2021, 17, 15. [Google Scholar]
  68. Khammas, B.M. Ransomware detection using random forest technique. ICT Express 2020, 6, 325–331. [Google Scholar] [CrossRef]
  69. Poudyal, S.; Dasgupta, D. AI-powered ransomware detection framework. In Proceedings of the 2020 IEEE Symposium Series on Computational Intelligence (SSCI), Canberra, ACT, Australia, 1–4 December 2020; pp. 1154–1161. [Google Scholar]
  70. Alqahtani, A.; Gazzan, M.; Sheldon, F.T. A proposed crypto-ransomware early detection (CRED) model using an integrated deep learning and vector space model approach. In Proceedings of the 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 6–8 January 2020; pp. 0275–0279. [Google Scholar]
  71. Khan, F.; Ncube, C.; Ramasamy, L.K.; Kadry, S.; Nam, Y. A digital DNA sequencing engine for ransomware detection using machine learning. IEEE Access 2020, 8, 119710–119719. [Google Scholar] [CrossRef]
  72. Ahmed, Y.A.; Kocer, B.; Al-rimy, B.A.S. Automated analysis approach for the detection of high survivable ransomware. KSII Trans. Internet Inf. Syst. (TIIS) 2020, 14, 2236–2257. [Google Scholar]
  73. Davies, S.R.; Macfarlane, R.; Buchanan, W.J. Differential area analysis for ransomware attack detection within mixed file datasets. Comput. Secur. 2021, 108, 102377. [Google Scholar] [CrossRef]
  74. Noorbehbahani, F.; Saberi, M. Ransomware detection with semi-supervised learning. In Proceedings of the 2020 10th International Conference on Computer and Knowledge Engineering (ICCKE), Mashhad, Iran, 29–30 October 2020; pp. 024–029. [Google Scholar]
  75. Bello, I.; Chiroma, H.; Abdullahi, U.A.; Gital, A.Y.; Jauro, F.; Khan, A.; Okesola, J.O.; Abdulhamid, S.M. Detecting ransomware attacks using intelligent algorithms: Recent development and next direction from deep learning and big data perspectives. J. Ambient. Intell. Humaniz. Comput. 2021, 12, 8699–8717. [Google Scholar] [CrossRef]
  76. van Boven, L.S.; Kusters, R.W.; Tin, D.; van Osch, F.H.; De Cauwer, H.; Ketelings, L.; Rao, M.; Dameff, C.; Barten, D.G. Hacking acute care: A qualitative study on the health care impacts of ransomware attacks against hospitals. Ann. Emerg. Med. 2024, 83, 46–56. [Google Scholar] [CrossRef]
  77. Urooj, U.; Maarof, M.A.B.; Al-rimy, B.A.S. A proposed adaptive pre-encryption crypto-ransomware early detection model. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021. [Google Scholar]
  78. Roy, K.C.; Chen, Q. Deepran: Attention-based bilstm and crf for ransomware early detection and classification. Inf. Syst. Front. 2021, 23, 299–315. [Google Scholar] [CrossRef]