
Phylogenetic Analysis for Ransomware Detection and Classification into Families

Conference proceedings contribution
Publication date:
2018
Abstract:
The spread of ransomware experienced in recent years has also been caused by the ability of attackers to introduce changes and mutations that make the malware hard for antimalware software to identify. In this paper we propose a two-phase method based on machine learning on API-level analysis aimed (i) to effectively detect ransomware despite the applied techniques for obfuscation and introduced variations, (ii) to provide a tool for security analysts to track phylogenetic relationships exploiting the binary tree obtained by the classification analysis. We preliminarily evaluated the proposed method on real-world ransomware applications belonging to three widespread families (i.e., petya, badrabbit and wannacry), obtaining encouraging results in ransomware detection and family identification. A discussion about the ransomware-related phylogenetic relationships is also provided.
CRIS type:
04.01 Conference proceedings contribution
Keywords:
machine learning; Malware; phylogenesis; ransomware; Security
Author list:
Mercaldo, Francesco; Michailidou, Christina; Martinelli, Fabio; Saracino, Andrea
Institution authors:
MARTINELLI FABIO
Link to the full record:
https://iris.cnr.it/handle/20.500.14243/351901
General data

URL

https://cordis.europa.eu/event/rcn/152511/en