Large scale behavioral analysis of ransomware attacks

Timothy R. McIntosh*, Julian Jang-Jaccard, Paul A. Watters

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

9 Citations (Scopus)


Ransomware is now the highest risk attack vector in cybersecurity. Reliable and accurate ransomware detection and removal solutions require a deep understanding of the techniques and strategies adopted by malicious code at the file system level. We conducted a large-scale analysis of more than 1.7 billion lines of I/O request packets (IRPs), and additional file system event logs, to gain deeper insights into malicious ransomware behaviors. Such behaviors include crypto-ransomware file system attacks achieved by either encrypting individual files or modifying the Master Boot Record (MBR). Our large-scale analysis shows that crypto-ransomware preferentially attacks certain file types; greedily performs file operations more frequently on more diverse types of files; randomizes novel filename generation for malicious executables; and exhibits a preference for alternating file access. We believe that these insights are vital to building the next generation of ransomware detection and removal solutions.

Original languageEnglish
Title of host publicationNeural Information Processing
Subtitle of host publication25th International Conference, ICONIP 2018: Proceedings
EditorsLong Cheng, Andrew Chi Sing Leung, Seiichi Ozawa
Place of PublicationCham, Switzerland
PublisherSpringer, Springer Nature
Number of pages13
ISBN (Print)9783030042233
Publication statusPublished - 2018
Externally publishedYes
Event25th International Conference on Neural Information Processing, ICONIP 2018 - Siem Reap, Cambodia
Duration: 13 Dec 201816 Dec 2018

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference25th International Conference on Neural Information Processing, ICONIP 2018
CitySiem Reap


  • Cybersecurity
  • File system
  • Malware
  • Ransomware


Dive into the research topics of 'Large scale behavioral analysis of ransomware attacks'. Together they form a unique fingerprint.

Cite this