Ransomware Detection and Response Model for Windows-Based Internet of Things (IoT)
Date Issued
2025-12
Author(s)
Tamara Nusairat
Abstract
Ransomware attacks targeting the Internet of Things (IoT) have increased globally, posing significant risks and financial losses to critical infrastructures. Many solutions have been developed to tackle this challenge; however, these solutions primarily focus on the development of detection models and effective response mechanisms. This research is designed to address some of the problems associated with the evolution of ransomware, including new variants and attacks at the application layer of the IoT, where applications and services are built on Windows. Hence, this research proposes a ransomware classification model for Windows-based IoT systems that leverages file operations, registry activity, and API calls, inspired by a phylogenetic approach. The classification model underpins the development of a ransomware detection framework with enhanced accuracy, which is further integrated with a response mechanism guided by severity levels. The study was conducted in a controlled virtual environment using Oracle VM, with Process Monitor (Procmon) used to capture the sequence of the ransomware's dynamic behavior. The experiment was conducted using dynamic analysis. For training, 30 ransomware samples sourced from the TheZoo GitHub repository were used, together with 100 samples from the Napierone dataset as benign, whereas for testing, 200 samples from the CICdatasetMalAnal2017 and another 100 samples from Napierone were labeled as benign. As a result, 53 key features from file behaviors, registry keys, and API calls have been identified from the analysis of the TheZoo dataset for the ransomware detection model. The ransomware classification was then developed using phylogenetics as the underlying concept for detecting new variants of ransomware of the same or similar origin. The proposed detection model achieved a high accuracy rate of 99.45% on the testing dataset, while the response part achieved an accuracy of 98.8% using the combined classifier CL-PFS (Classifier: privacy, finance and system). In conclusion, this research demonstrates the effectiveness of the proposed model in detecting and responding to ransomware relating to IoT.
File(s)
Name
4211008 Appendices.pdf
Size
460.37 KB
Format
Adobe PDF
Checksum
(MD5):36ae357c5fb47e86da0354d2f90da946
Name
4211008 Declaration.pdf
Size
115.27 KB
Format
Adobe PDF
Checksum
(MD5):7922dadc9ef737bad6bff4b5cdb8fe15