Manara - Qatar Research Repository
1-s2.0-S0167404823002596-main.pdf (1.38 MB)

Cryptographic Ransomware Encryption Detection: Survey

Download (1.38 MB)
Version 2 2023-10-08, 10:40
Version 1 2023-06-19, 12:05
journal contribution
revised on 2023-10-08, 10:39 and posted on 2023-10-08, 10:40 authored by Kenan Begovic, Abdulaziz Al-Ali, Qutaibah Malluhi

The ransomware threat has loomed over our digital life since 1989. Criminals use this type of cyber attack to lock or encrypt victims' data, often coercing them to pay exorbitant amounts in ransom. The damage ransomware causes ranges from monetary losses paid for ransom at best to endangering human lives. Cryptographic ransomware, where attackers encrypt the victim's data, stands as the predominant ransomware variant. The primary characteristics of these attacks have remained the same since the first ransomware attack. For this reason, we consider this a key factor differentiating ransomware from other cyber attacks, making it vital in tackling the threat of cryptographic ransomware. This paper proposes a cyber kill chain that describes the modern crypto-ransomware attack. The survey focuses on the Encryption phase as described in our proposed cyber kill chain and its detection techniques. We identify three main methods used in detecting encryption-related activities by ransomware, namely API and System calls, I/O monitoring, and file system activities monitoring. Machine learning (ML) is a tool used in all three identified methodologies, and some of the issues within the ML domain related to this survey are also covered as part of their respective methodologies. The survey of selected proposals is conducted through the prism of those three methodologies, showcasing the importance of detecting ransomware during pre-encryption and encryption activities and the windows of opportunity to do so. We also examine commercial crypto-ransomware protection and detection offerings and show the gap between academic research and commercial applications.

Other Information

Published in: Computers & Security
See article on publisher's website:


Open Access funding provided by the Qatar National Library



  • English



Publication Year

  • 2023

License statement

This Item is licensed under the Creative Commons Attribution 4.0 International License

Institution affiliated with

  • Qatar University
  • College of Engineering - QU

Usage metrics

    Qatar University



    Ref. manager