Early Detection of Ransomware Activity based on Hardware Performance Counters

Modern-day ransomware variants are quick in their operations and start to encrypt the files within a few seconds after the initial payload execution. This poses an exigency towards early detection of ransomware payloads. Although there are multiple methods of ransomware detection based on API calls, file entropy, memory forensics, and network indicators - fast and early detection is hard to achieve through these methods. Hardware performance counters (HPC) are special-purpose registers built into current microprocessors that allow for low-level system performance analysis. Although HPC counters provide significant information for identifying ransomware behavior at the hardware level, the difficulty lies in deciding the optimal HPC features required for early detection and the time granularity at which these features are to be collected. In this work, we address this research gap by examining the HPC counters statistics gathered for every 100ms, 500ms, and five seconds to recommend the most effective time frame and the appropriate HPC registers for early detection of ransomware. According to our findings, capturing only 5 HPC registers per 100ms until 3 seconds of payload execution delivers the best results with the AdaBoost classifier, with an accuracy above 90%. Furthermore, we validate our model against recent wiper malware variants (used against organizations in Ukraine). We highlight behavioral patterns of ransomware and wiper malware based on HPC statistics and the challenges in identifying wiper payload behavior using an HPC-based approach.