Ransomware Detection using Process Memory


  • Avinash Singh University of Pretoria, South Africa
  • Richard Ikuesan Community College Qatar, Doha, Qatar
  • Hein Venter University of Pretoria, South Africa




ransomware detection, process memory, memory-based malware analysis, machine learning, cuckoo sandbox


Ransomware attacks have increased significantly in recent years, causing great destruction and damage to critical systems and business operations. Attackers are unfailingly finding innovative ways to bypass detection mechanisms, which encouraged the adoption of artificial intelligence. However, most research summarizes the general features of AI and induces many false positives, as the behavior of ransomware constantly differs to bypass detection. Focusing on the key indicating features of ransomware becomes vital as this guides the investigator to the inner workings and main function of ransomware itself. By utilizing access privileges in process memory, the main function of the ransomware can be detected more easily and accurately. Furthermore, new signatures and fingerprints of ransomware families can be identified to classify novel ransomware attacks correctly. The current research used the process memory access privileges of the different memory regions of the behavior of an executable to quickly determine its intent before serious harm can occur. To achieve this aim, several well-known machine learning algorithms were explored with an accuracy range of 81.38% – 96.28%. The study thus confirms the feasibility of utilizing process memory as a detection mechanism for ransomware.