Static Detection of Ransomware Using LSTM Network and PE Header

Abstract

Ransomware is a type of malware from cryptovirology that perpetually blocks access to a victim’s data unless a ransom is paid. Today, this type of malware has grown dramatically and has targeted the computer systems of some important organizations such as hospitals, banks, and Water Organization. Therefore, early detection of this type of malware is very important. This paper describes a solution to ransomware detection based on executable file headers. Header of the executable file expresses important information about the structure of the program. In other words, the header’s information is a sequence of bytes, and changing it changes the structure of the program file. In the proposed method, using LSTM network, the sequence of bytes that constructs the header is processed and the ransomware samples are separated from the benign samples. The proposed method can detect a ransomware sample with 93.25 accuracy without running the program and using a raw header, so it is suitable for quick detection of suspicious samples.