Understanding the Behavior of Ransomware: An I/O Request Packet (IRP) Driven Study on Ransomware Detection against Execution Time.

2023 IEEE 9th International Conference on Collaboration and Internet Computing (CIC)(2023)

Abstract
Industries of diverse sizes, ranging from retail to critical infrastructure, are experiencing a worldwide upswing in ransomware attacks. On a daily basis, ransomware researchers encounter fresh samples and uncover novel ransomware families in the wild. This research investigates ransomware's I/O Request Packet (IRP) logs, a low-level file system I/O record, to understand its behavior. We analyze IRP logs of 383 ransomware samples belonging to 21 families to carry out this study. To evaluate our schemes' detection capability against execution time, we report our empirical findings on IRP logs spanning between 15 and 40 minutes of execution, whereas each sample covers 90 minutes of logs on average. By utilizing one-class classification algorithms, e.g., One-Class SVM, Isolation Forests, and Local Outlier Factor (LOF), we demonstrate that the identified IRP sequences successfully detect new ransomware on which the classifiers were not trained. We achieve strong experimental results in identifying ransomware families by applying Decision Trees, Random Forests, Extra Trees, and Bagging classifiers. At best, we obtain an accuracy of 93.94%, a precision score of 93.27%, a recall score of 91.28%, and an F1 score of 91.90%.
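The abstract describes two ingredients: per-sample features derived from low-level IRP logs, and one-class (novelty) classifiers such as LOF that are trained on one set of behaviors and then flag samples they were never trained on. The following added example, which is not code from the paper or its authors, shows that pipeline end to end with a from-scratch Local Outlier Factor: it parses a constructed, simplified `time,pid,image,major_function,path` record format (an assumption; the paper's own log schema is not given here), turns each process's mix of `IRP_MJ_*` major functions into a fraction vector, fits LOF on constructed benign profiles only, and scores two unseen processes. All sample counts and process names are constructed for illustration.

```python
"""Novelty detection over IRP-derived feature vectors with a from-scratch
Local Outlier Factor (LOF).  Constructed example: the record format, the
feature set and every sample value are assumptions, not the paper's data."""
from collections import Counter
from math import sqrt

# Real IRP_MJ_* major-function names; tracking exactly these five is this
# example's assumption, not the paper's feature set.
MAJOR_FUNCS = ["IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_WRITE",
               "IRP_MJ_SET_INFORMATION", "IRP_MJ_CLOSE"]


def counts_to_features(counts):
    """Normalise per-process major-function counts to fractions so that
    short and long logs (different execution times) stay comparable."""
    total = sum(counts.get(f, 0) for f in MAJOR_FUNCS) or 1
    return tuple(counts.get(f, 0) / total for f in MAJOR_FUNCS)


def features_from_log(lines):
    """Parse constructed 'time,pid,image,major_function,path' records and
    return {pid: feature_vector}.  Malformed records are skipped, not fatal."""
    per_pid = {}
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) < 4:
            continue
        _time, pid, _image, major = parts[:4]
        if major in MAJOR_FUNCS:
            per_pid.setdefault(pid, Counter())[major] += 1
    return {pid: counts_to_features(c) for pid, c in per_pid.items()}


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class LocalOutlierFactor:
    """LOF in novelty mode: fit on benign-only vectors, then score unseen
    vectors.  A score near 1 means 'as dense as its neighbours'; a score
    well above 1 means the point sits in a much sparser region (outlier)."""

    def __init__(self, k=3):
        self.k = k

    def _neighbours(self, p, exclude=None):
        # k nearest training points as (distance, index), optionally
        # excluding the point's own training index
        ds = sorted((dist(p, q), j) for j, q in enumerate(self.train) if j != exclude)
        return ds[:self.k]

    def _lrd(self, nbrs):
        # local reachability density; reach-dist = max(k-dist(o), d(p, o))
        # smooths the statistic for very close neighbours
        reach = sum(max(self.kdist[j], d) for d, j in nbrs)
        return self.k / reach if reach > 0 else float("inf")

    def fit(self, train):
        self.train = list(train)
        nbrs = [self._neighbours(p, i) for i, p in enumerate(self.train)]
        self.kdist = [nb[-1][0] for nb in nbrs]
        self.lrd = [self._lrd(nb) for nb in nbrs]
        return self

    def score(self, p):
        nbrs = self._neighbours(p)
        return sum(self.lrd[j] for _, j in nbrs) / self.k / self._lrd(nbrs)


# Constructed benign profiles: (CREATE, READ, WRITE, SET_INFORMATION, CLOSE)
# counts for ten ordinary processes, read-heavy with few renames/deletes.
BENIGN_COUNTS = [
    (20, 60, 5, 2, 20), (25, 55, 8, 1, 24), (18, 65, 4, 3, 18), (22, 58, 6, 2, 22),
    (30, 50, 10, 2, 28), (15, 70, 3, 1, 15), (24, 52, 12, 4, 24), (19, 62, 5, 1, 19),
    (27, 48, 9, 3, 26), (21, 59, 7, 2, 21),
]


def train_model(k=3):
    vectors = [counts_to_features(dict(zip(MAJOR_FUNCS, c))) for c in BENIGN_COUNTS]
    return LocalOutlierFactor(k).fit(vectors)


def make_log(pid, image, counts):
    """Emit constructed IRP records for one process (sample data, not a trace)."""
    lines, t = [], 0
    for func, n in zip(MAJOR_FUNCS, counts):
        for _ in range(n):
            lines.append(f"{t},{pid},{image},{func},C:\\Users\\demo\\doc{t % 7}.txt")
            t += 1
    return lines


# Constructed test log: one benign-looking process and one whose balanced
# read/write volume plus heavy SET_INFORMATION (rename) traffic mimics the
# encrypt-and-rename pattern the paper's IRP analysis targets.
SAMPLE_LOG = (make_log("1001", "explorer.exe", (23, 57, 6, 2, 23))
              + make_log("2002", "sample.exe", (40, 40, 40, 35, 40)))


def detect(lines, model, threshold=1.5):
    """Return {pid: (lof_score, flagged)} for every process in the log."""
    out = {}
    for pid, vec in features_from_log(lines).items():
        s = model.score(vec)
        out[pid] = (s, s > threshold)
    return out


if __name__ == "__main__":
    for pid, (s, flagged) in detect(SAMPLE_LOG, train_model()).items():
        print(f"pid {pid}: LOF={s:.2f} flagged={flagged}")
```

The model never sees a ransomware vector during `fit`, which is the point of the one-class setting in the abstract: the unseen process is flagged purely because its major-function mix is far from every benign neighbourhood. Fractions rather than raw counts make the features usable on the shorter 15 to 40 minute log prefixes the paper evaluates, and the threshold of 1.5 is a tunable assumption, not a value from the paper.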
Keywords
Dynamic Analysis, Ransomware, Machine Learning