On the classification of Microsoft-Windows ransomware using hardware profile
PeerJ Computer Science (IF 3.8). Pub Date: 2021-02-02. DOI: 10.7717/peerj-cs.361
Sana Aurangzeb, Rao Naveed Bin Rais, Muhammad Aleem, Muhammad Arshad Islam, Muhammad Azhar Iqbal

With the rapid growth in the use of online services, reported incidents of ransomware proliferation are on the rise. Ransomware is a more hazardous threat than other malware because the victim cannot regain access to the hijacked device until some form of payment is made. In the literature, several dynamic analysis techniques have been employed for the detection of malware, including ransomware; however, to the best of our knowledge, the hardware execution profile has not yet been investigated for ransomware analysis. In this study, we show that the true execution picture obtained from a hardware execution profile is also beneficial for identifying obfuscated ransomware. We evaluate features obtained from hardware performance counters to classify malicious applications into ransomware and non-ransomware categories using several machine learning algorithms: Random Forest, Decision Tree, Gradient Boosting, and Extreme Gradient Boosting. The data set comprises 80 ransomware and 80 non-ransomware applications collected from the VirusShare platform. The results show that the extracted hardware features play a substantial part in the identification and detection of ransomware, with an F-measure of 0.97 achieved by both Random Forest and Extreme Gradient Boosting.

Updated: 2021-02-02