Keywords: Ransomware, Computer science, Static analysis, Artificial neural network, Artificial intelligence, Encoding (set theory), Machine learning, Word (group theory), Data mining, Theoretical computer science, Set (abstract data type), Malware, Computer security, Programming language, Linguistics, Philosophy
Authors
ElMouatez Billah Karbab,Mourad Debbabi,Abdelouahid Derhab
Identifier
DOI: 10.1016/j.eswa.2023.120017
Abstract
Ransomware has been widely exploited by cybercriminals to target individuals and organizations. In response to the increasing number and magnitude of ransomware attacks, it is important to consider the following problems when designing a ransomware fingerprinting solution: (i) how to make the solution portable to different hardware platforms and different dynamic analysis reports, (ii) how to design a solution that considers real-world use cases, and (iii) how to evaluate the solution under realistic and challenging evaluation scenarios. To deal with these problems, we propose SwiftR, a novel portable framework for cross-platform ransomware detection and fingerprinting. SwiftR provides an accurate ransomware detection capability that relies on raw hybrid features along with advanced deep learning techniques. SwiftR is cross-platform, i.e., agnostic to architectures and operating systems, by leveraging two novel types of features: (1) assembly-code Intermediate Representation (IR) features derived from static analysis, and (2) word-based features derived from the behavioral analysis reports produced during dynamic analysis. SwiftR is supervised and consists of two novel components: (a) Static SwiftR, which proposes a novel architecture called Hierarchical Neural Network (HNN), and (b) Dynamic SwiftR, which applies an LSTM to word-embedding sequences when Static SwiftR yields a low-confidence probability. SwiftR aims to address the limitations of previous works by considering real-world use cases and challenging evaluation scenarios, i.e., time resiliency, unknown-family resiliency, and production evaluation scenarios. In addition, we extensively evaluate SwiftR on a dataset of 40.3K samples, the largest compared to previous works. F1-scores of 98%, 96%, and 94% are achieved for ransomware detection, segregation between ransomware and other malware, and ransomware family attribution, respectively. Furthermore, SwiftR maintains its high performance when deployed in a production environment where it processes 183K samples.
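As an added illustration of the cascade the abstract describes (architecture-agnostic IR features decided statically first, the dynamic model consulted only when the static confidence is low), here is stdlib-only Python that is not the authors' code. Their HNN over assembly IR and their LSTM over word embeddings are replaced by a small naive-Bayes classifier over unigram/bigram features so the control flow runs without any dependencies; the mnemonic-to-IR table, every sample routine and every behaviour report are constructed for this example, and the 0.9 confidence threshold is an assumed parameter, not a value from the paper.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed mnemonic -> abstract-op table standing in for a real IR lifter
# (the paper derives its IR features from proper static analysis; this table
# only covers the x86 and ARM mnemonics used in the constructed samples below).
IR_MAP = {
    "ldr": "LOAD", "pop": "LOAD", "str": "STORE", "push": "STORE",
    "call": "CALL", "bl": "CALL", "jmp": "JUMP", "b": "JUMP",
    "je": "CJUMP", "jne": "CJUMP", "beq": "CJUMP", "bne": "CJUMP",
    "xor": "XOR", "eor": "XOR", "add": "ADD", "sub": "SUB", "cmp": "CMP",
    "ret": "RET", "bx": "RET",
}

def lift_to_ir(asm):
    """Map each instruction to an architecture-agnostic op. x86 'mov' is split into
    LOAD/STORE/ASSIGN by operand shape so it lines up with ARM ldr/str/mov."""
    ops = []
    for line in asm.strip().splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        mnemonic, operands = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if mnemonic == "mov":
            dst, _, src = operands.partition(",")
            ops.append("STORE" if "[" in dst else "LOAD" if "[" in src else "ASSIGN")
        else:
            ops.append(IR_MAP.get(mnemonic, "OTHER"))
    return ops

def tokenize_report(text):
    """Word tokens from a dynamic-analysis report (API names, paths, extensions)."""
    return re.findall(r"[a-z_.][a-z0-9_.]*", text.lower())

def features(tokens):
    """Unigrams plus order-preserving bigrams."""
    return list(tokens) + [a + ">" + b for a, b in zip(tokens, tokens[1:])]

class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing; stands in for the HNN/LSTM."""
    def __init__(self, alpha=1.0):
        self.alpha, self.counts = alpha, defaultdict(Counter)
        self.totals, self.docs, self.vocab = Counter(), Counter(), set()

    def fit(self, samples):
        for feats, label in samples:
            self.docs[label] += 1
            self.counts[label].update(feats)
            self.totals[label] += len(feats)
            self.vocab.update(feats)

    def predict_proba(self, feats):
        n_docs, v = sum(self.docs.values()), len(self.vocab)
        log_post = {}
        for label in self.docs:
            lp = math.log(self.docs[label] / n_docs)
            denom = self.totals[label] + self.alpha * v
            for f in feats:
                lp += math.log((self.counts[label][f] + self.alpha) / denom)
            log_post[label] = lp
        m = max(log_post.values())
        z = sum(math.exp(lp - m) for lp in log_post.values())
        return {label: math.exp(lp - m) / z for label, lp in log_post.items()}

class Cascade:
    """Static verdict first; the dynamic model is consulted only below the threshold."""
    def __init__(self, static_clf, dynamic_clf, threshold=0.9):
        self.static, self.dynamic, self.threshold = static_clf, dynamic_clf, threshold

    def classify(self, asm, report=None):
        """Return (label, confidence, stage). With no report available, a low-confidence
        static verdict is returned as-is and the caller should treat it as weak."""
        proba = self.static.predict_proba(features(lift_to_ir(asm)))
        label, conf = max(proba.items(), key=lambda kv: kv[1])
        if conf >= self.threshold or report is None:
            return label, conf, "static"
        proba = self.dynamic.predict_proba(features(tokenize_report(report)))
        label, conf = max(proba.items(), key=lambda kv: kv[1])
        return label, conf, "dynamic"

# Constructed training samples: the same two routines written for x86 and ARM.
RANSOM_X86 = "mov eax, [esi]\nxor eax, ebx\nmov [edi], eax\nadd esi, 4\ncmp esi, ecx\njne loop\ncall encrypt_next\nret"
RANSOM_ARM = "ldr r0, [r1]\neor r0, r0, r3\nstr r0, [r2]\nadd r1, r1, #4\ncmp r1, r4\nbne loop\nbl encrypt_next\nbx lr"
BENIGN_X86 = "mov ecx, 16\nmov eax, [esi]\nmov [edi], eax\nadd esi, 4\ncmp esi, ecx\njne loop\ncall flush_buffer\nret"
BENIGN_ARM = "mov r4, #16\nldr r0, [r1]\nstr r0, [r2]\nadd r1, r1, #4\ncmp r1, r4\nbne loop\nbl flush_buffer\nbx lr"
RANSOM_REPORTS = ["CryptGenKey CryptEncrypt WriteFile MoveFile .locked DeleteFile vssadmin delete shadows",
                  "CryptEncrypt WriteFile MoveFile .locked CreateFile README_DECRYPT.txt"]
BENIGN_REPORTS = ["RegOpenKey RegQueryValue CreateFile ReadFile CloseHandle",
                  "GetSystemTime CreateFile ReadFile WriteFile CloseHandle"]
# Constructed test inputs: a register-renamed variant of the encrypt loop, and a
# generic stub whose IR is uninformative, together with its dynamic report.
UNSEEN_X86 = "mov edx, [ebx]\nxor edx, edi\nmov [ebp], edx\nadd ebx, 4\ncmp ebx, esi\njne again\ncall encrypt_next\nret"
AMBIGUOUS_X86 = "call get_config\ncmp eax, 0\njne done\nret"
AMBIGUOUS_REPORT = "CryptEncrypt WriteFile MoveFile .locked"

def build_demo_cascade():
    static = NaiveBayes()
    static.fit([(features(lift_to_ir(s)), "ransomware") for s in (RANSOM_X86, RANSOM_ARM)]
               + [(features(lift_to_ir(s)), "benign") for s in (BENIGN_X86, BENIGN_ARM)])
    dynamic = NaiveBayes()
    dynamic.fit([(features(tokenize_report(r)), "ransomware") for r in RANSOM_REPORTS]
                + [(features(tokenize_report(r)), "benign") for r in BENIGN_REPORTS])
    return Cascade(static, dynamic, threshold=0.9)
```

Calling `build_demo_cascade().classify(UNSEEN_X86)` returns a static ransomware verdict, because the x86 and ARM training routines lift to the identical op sequence and the register-renamed variant shares every feature with them; that identical lifting is what the cross-platform claim rests on. `classify(AMBIGUOUS_X86, AMBIGUOUS_REPORT)` drops to the dynamic model, since every static feature of the stub is equally frequent in both classes and the static confidence sits at the prior. Two practical caveats: naive-Bayes probabilities are poorly calibrated, so a real deployment sets the threshold from a held-out set rather than by hand, and the `report is None` branch is the case to watch in production, where a sample that cannot be detonated ends up judged on a weak static verdict alone.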