Automated dynamic approach for detecting ransomware using finite-state machine
Decision Support Systems (IF 7.5), Pub Date: 2020-09-06, DOI: 10.1016/j.dss.2020.113400
Gowtham Ramesh, Anjali Menen

Ransomware is a type of malware that affects victims' data by modifying or deleting it, or by blocking access to it. In recent years, ransomware attacks have caused critical data and financial losses to individuals and industries. These disruptions make effective anti-ransomware methods an urgent need for the research community. However, most existing techniques are designed to detect a specific ransomware variant rather than providing a generic solution, mainly because of the obfuscation techniques used by ransomware or because they rely on static analysis. In this context, this paper proposes a novel ransomware-detection technique that identifies ransomware attacks by evaluating the current state of a computer system against knowledge of how a ransomware attack unfolds. A finite-state machine model is used to synthesise this knowledge of the ransomware attack with respect to the victim machine. The proposed method monitors the changes happening in the computer system in terms of resource utilisation, persistence, and lateral movement to detect ransomware attacks. The experimental results demonstrate that the proposed method can accurately detect attacks from different ransomware variants with very few false predictions.
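As an added illustration of the finite-state-machine idea (example code written for this page, not the authors' implementation), the sketch below advances through states only when utilisation, persistence and lateral-movement indicators are observed in sequence, so heavy but ordinary file churn never reaches the alert state. The state names, event names and the rewrite threshold are assumptions; the abstract does not publish the paper's actual model.

```python
# Added example: a small finite-state machine that consumes host-monitoring
# events and reaches an alert state only after the three indicator classes named
# in the abstract (utilisation, persistence, lateral movement) appear in order.
# States, event names and the threshold below are assumptions for illustration.

STATES = ("BENIGN", "HIGH_UTIL", "PERSISTENT", "LATERAL", "RANSOMWARE")

# Assumed transition table: (current state, event) -> next state.
# Any (state, event) pair not listed leaves the state unchanged, so unrelated
# activity cannot advance the machine toward an alert.
TRANSITIONS = {
    ("BENIGN", "mass_file_rewrite"): "HIGH_UTIL",        # utilisation indicator
    ("HIGH_UTIL", "autorun_persistence"): "PERSISTENT",  # persistence indicator
    ("PERSISTENT", "smb_share_enum"): "LATERAL",         # lateral-movement indicator
    ("LATERAL", "mass_file_rewrite"): "RANSOMWARE",      # encryption resumes after spread
}

# Assumed threshold: a rewrite burst only counts as "high utilisation" once it
# repeats this many times; a single rewrite is normal user or backup activity.
REWRITE_THRESHOLD = 3


def run_fsm(events):
    """Feed a sequence of monitoring events through the machine.

    Returns (final_state, trace) where trace lists each state entered.
    """
    state = "BENIGN"
    trace = [state]
    rewrites = 0
    for ev in events:
        if ev == "mass_file_rewrite":
            rewrites += 1
            if rewrites < REWRITE_THRESHOLD:
                continue  # below threshold: treat as benign churn
        nxt = TRANSITIONS.get((state, ev), state)
        if nxt != state:
            state = nxt
            trace.append(state)
    return state, trace


# Constructed event streams (not real telemetry) used to exercise the machine.
RANSOMWARE_RUN = ["mass_file_rewrite"] * 3 + [
    "autorun_persistence", "smb_share_enum", "mass_file_rewrite"]
BACKUP_JOB = ["mass_file_rewrite"] * 5  # heavy rewrites, no persistence or spread

if __name__ == "__main__":
    print("ransomware run:", run_fsm(RANSOMWARE_RUN))   # -> RANSOMWARE
    print("backup job:    ", run_fsm(BACKUP_JOB))       # -> HIGH_UTIL, no alert
```

Because the machine only advances on the assumed ordering, a host that shows persistence or share enumeration without the preceding utilisation burst stays in BENIGN; a real deployment would need the paper's actual transition knowledge and tuned thresholds.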




Updated: 2020-09-25