Posted on 2015-10-21, authored by Nicolo Andronio
In every era, there has always been a slice of society devoted to deception and subtlety. Sadly, but inexorably, progress in technology has changed the approach of criminals to thievery and blackmailing. In our time, information is the real merchandise and it is thus subject to theft as any other goods: credit card numbers, cryptocurrency and illegal digital material are on the top of the list.
Since information is so important, it can also be used to blackmail people. The most recent trend consists in denying victims access to their own files and demanding a relatively large amount of money to restore the data. Applications exhibiting this kind of behaviour have unsurprisingly been named ransomware, and their kin have already produced millions of dollars worth of losses in the past two years. Since they exploit social engineering, there isn't any suitable form of prevention apart from backing up data frequently. Recovery tools may have worked in the past, but as attacks become more and more aggressive and sophisticated, they are not future proof.
Motivated by an in-depth analysis of existing ransomware, the fallacy of currently available detection methods and the absence of any consistent prevention technique, we devised Heldroid, an efficient, fully automated and learning-based approach aimed at recognizing ransomware proactively. We built it by first considering the building blocks of ransomware attacks and then composing them into a tool that actually perceives the intent behind an application's behaviour. Our results show that Heldroid is able to correctly identify never-seen-before threats with high precision and speed.