Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks

Arash Mahboubi; Hamed Aboutorab; Seyit Camtepe; Hang Thanh Bui; Khanh Luong; Keyvan Ansari; Shenlu Wang; Bazara Barry

doi:10.48550/arxiv.2504.20681

Back

Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks

Preprint

Open access

Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks

Arash Mahboubi, Hamed Aboutorab, Seyit Camtepe, Hang Thanh Bui, Khanh Luong, Keyvan Ansari, Shenlu Wang and Bazara Barry

ArXiv.org

Cornell University

2025

DOI: https://doi.org/10.48550/arxiv.2504.20681

Files and links (1)

pdf

Preprint4.95 MBDownload View

CC BY-NC-ND V4.0, Open Access

Abstract

ransomware

intermittent

partial encryption

incremental online learning

Base64 encoding

file system

Hoeffding Tree

In the rapidly evolving landscape of cybersecurity threats, ransomware represents a significant challenge. Attackers increasingly employ sophisticated encryption methods, such as entropy reduction through Base64 encoding, and partial or intermittent encryption to evade traditional detection methods. This study explores the dynamic battle between adversaries who continuously refine encryption strategies and defenders developing advanced countermeasures to protect vulnerable data. We investigate the application of online incremental machine learning algorithms designed to predict file encryption activities despite adversaries evolving obfuscation techniques. Our analysis utilizes an extensive dataset of 32.6 GB, comprising 11,928 files across multiple formats, including Microsoft Word documents (doc), PowerPoint presentations (ppt), Excel spreadsheets (xlsx), image formats (jpg, jpeg, png, tif, gif), PDFs (pdf), audio (mp3), and video (mp4) files. These files were encrypted by 75 distinct ransomware families, facilitating a robust empirical evaluation of machine learning classifiers effectiveness against diverse encryption tactics. Results highlight the Hoeffding Tree algorithms superior incremental learning capability, particularly effective in detecting traditional and AES-Base64 encryption methods employed to lower entropy. Conversely, the Random Forest classifier with warm-start functionality excels at identifying intermittent encryption methods, demonstrating the necessity of tailored machine learning solutions to counter sophisticated ransomware strategies.

Details

Title: Data Encryption Battlefield: A Deep Dive into the Dynamic Confrontations in Ransomware Attacks
Authors/Creators: Arash Mahboubi
Hamed Aboutorab
Seyit Camtepe
Hang Thanh Bui
Khanh Luong
Keyvan Ansari
Shenlu Wang
Bazara Barry
Publication Details: ArXiv.org
Publisher: Cornell University
Identifiers: 991005775230907891
Murdoch Affiliation: School of Information Technology; College of Science, Technology, Engineering and Mathematics
Language: English
Resource Type: Preprint

Metrics

20 File views/ downloads

28 Record Views