Dynamic Analysis of Ransomware using Opcodes and Opcode Categories

International Journal On Cyber Situational Awareness (IJCSA)

ISSN: (Print) 2057-2182 ISSN: (Online) 2057-2182

DOI: 10.22619/IJCSA

Published Semi-annually. Est. 2014


Dr Cyril Onwubiko, Chair – Cyber Security & Intelligence, E-Security Group, Research Series, London, UK; IEEE UK & Ireland Section Secretary

Associate Editors:

Professor Frank Wang, Head of School / Professor of Future Computing, Chair IEEE Computer Society, UK&RI, School of Computing, University of Kent, Canterbury, UK

Professor Karen Renaud, Professor of Cyber Security, University of Abertay, Dundee, Scotland, UK

Dynamic Analysis of Ransomware using Opcodes and Opcode Categories

Domhnall Carlin, Philip O’Kane, Sakir Sezer


The explosion of ransomware in recent years has served as a costly reminder that the malware threatscape has moved from that of socially-inept hobbyists to career criminals. This paper investigates the efficacy of dynamic opcode analysis in distinguishing cryptographic ransomware from benignware, and presents several novel contributions. Firstly, we present a new dataset of cryptoransomware dynamic run-traces, the largest of its kind in the literature. We release this to the wider research community to foster further research in the field. Our second novel contribution demonstrates that a short run-length of 32k opcodes can provide highly accurate detection of ransomware (99.56%) compared to benign software. Third, our model offers a distinct advantage over other models in the literature, in that it can detect a form of benign encryption (i.e. file zipping) with 100% accuracy against not only ransomware, but also the non-encrypting benignware in our dataset. The research presented here demonstrates that dynamic opcode tracing is capable of detecting ransomware in comparable times to static analysis, without being thwarted by obfuscation tactics.

Keywords: Malware, Invasive Software, Ransomware, Cryptoransomware, Machine Learning, Opcode, Dynamic Analysis

ISSN: 2057-2182

Volume 3. No. 1

DOI: 10.22619/IJCSA.2018.100121

Date: Dec. 2018

Reference to this paper should be made as follows: Carlin, D., O’Kane, P., and Sezer, S. (2018). Dynamic Analysis of Ransomware Using Opcodes and Opcode Categories. International Journal on Cyber Situational Awareness, Vol. 3, No. 1, pp. 84-97.
