Abstract
Ransomware remains an escalating threat: adversaries use strong encryption to render critical data inaccessible and increasingly tune their encryption behaviour to evade traditional defenses. In particular, ransomware developers adopt strategies that undermine heuristic file monitoring and file system attribute analysis, leaving current detection methods ineffective against such attacks. This study tests and analyzes the performance of detection models that operate at the file system level. The goal is to improve detection by using statistically measurable attributes that are specific to the storage layer; for instance, such statistics can be derived from the blocks of the write buffer transmitted from endpoints to storage servers. We evaluate the effectiveness of several machine learning classifiers at detecting encryption activity at the storage level, using a 32.6 GB dataset of 11,928 files encrypted by 75 ransomware families. We add novel statistical features to strengthen encryption detection against adaptive ransomware that lowers entropy measures and alters call frequencies to evade classification. We examine these classifiers against ransomware that uses partial and intermittent encryption, and we apply online learning so that the classifiers can adapt as the threat landscape changes. In benchmark tests, the Hoeffding Tree algorithm consistently performs well, and it is especially effective against ransomware families that use intermittent encryption.
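The following is an added illustration, not code from the study, of why a single whole-file entropy figure misses intermittent encryption while per-block statistics over the write buffer do not. It computes Shannon entropy and a chi-square statistic against a uniform byte distribution for each block of a buffer and for the buffer as a whole. The 4 KiB block size, the 7.5-bit "high entropy" threshold, the seeded PRNG used to stand in for ciphertext, and the sample buffers are all constructed for this example and are not values or data from the paper.

```python
"""Per-block entropy statistics over a write buffer (added example).

Illustrative code written for this page, not the study's own feature pipeline.
Block size and the high-entropy threshold are assumptions, not values from the paper.
"""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096          # assumed block size of the write buffer
HIGH_ENTROPY_BITS = 7.5    # assumed per-block threshold for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution.
    Ciphertext lands near 255 (the degrees of freedom); text is far above it."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def block_features(buffer: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Whole-buffer and per-block statistics for one write buffer."""
    blocks = [buffer[i:i + block_size] for i in range(0, len(buffer), block_size)]
    entropies = [shannon_entropy(b) for b in blocks]
    high = sum(1 for e in entropies if e >= HIGH_ENTROPY_BITS)
    return {
        "whole_entropy": shannon_entropy(buffer),
        "whole_chi_square": chi_square_uniform(buffer),
        "max_block_entropy": max(entropies, default=0.0),
        "high_entropy_fraction": high / len(blocks) if blocks else 0.0,
    }


def build_sample_buffers(n_blocks: int = 8) -> dict:
    """Constructed sample data: plaintext, fully encrypted and intermittently
    encrypted buffers. Ciphertext is simulated with a seeded PRNG, which is
    statistically indistinguishable from real ciphertext for these measures."""
    sentence = b"The quarterly report is attached; please review before Friday.\n"
    text_block = (sentence * (BLOCK_SIZE // len(sentence) + 1))[:BLOCK_SIZE]
    rng = random.Random(20240101)

    def cipher_block() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))

    plaintext = text_block * n_blocks
    full = b"".join(cipher_block() for _ in range(n_blocks))
    # Intermittent encryption: every other block is encrypted, the rest left as-is.
    intermittent = b"".join(cipher_block() if i % 2 else text_block for i in range(n_blocks))
    return {"plaintext": plaintext, "full": full, "intermittent": intermittent}


if __name__ == "__main__":
    for name, buf in build_sample_buffers().items():
        f = block_features(buf)
        print(f"{name:13s} whole_H={f['whole_entropy']:.2f} "
              f"max_block_H={f['max_block_entropy']:.2f} "
              f"high_frac={f['high_entropy_fraction']:.2f} "
              f"chi2={f['whole_chi_square']:.0f}")
```

On the intermittently encrypted buffer the whole-buffer entropy stays below the threshold, because the untouched blocks dilute the byte distribution, while half of the individual blocks score as encrypted. A classifier fed only a whole-file entropy value would therefore miss it; per-block features such as the fraction of high-entropy blocks and the maximum block entropy expose it directly.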