Behavioral Analysis of Ransomware Families and Their Temporal Evolution

BOSCHIERO, LUCA
2024/2025

Abstract

Ransomware is a well-known type of malware that has existed for many years. Its use and impact have increased significantly in recent times, with modern ransomware attacks causing severe financial and operational damage to organizations and individual users. These attacks typically encrypt user files and demand a ransom for their recovery. In some cases, they also block access to the user’s desktop or entire system, displaying a ransom note that cannot be closed. Over the years, several detection systems have been developed to identify and mitigate ransomware attacks as early as possible. However, ransomware continues to evolve, adapting its behavior to evade these detection mechanisms and increase its disruptive impact. While many studies focus on detection techniques, there is a need for a deeper understanding of ransomware behavior and how it changes over time. This thesis focuses on the behavioral analysis of ransomware by examining samples from various families and time periods. A custom dataset of ransomware samples was constructed by collecting binaries from multiple sources. Some of these samples were executed in a sandbox environment, and the resulting execution logs were analyzed to extract behavioral features. In particular, the analysis focuses on three key aspects of ransomware behavior: setup operations, process management and encryption approach. Different features are extracted from the collected logs. The goal is to compare the behavior of different ransomware families and observe how their characteristics have evolved over time. The analysis highlights common patterns and family-specific behaviors, showing that some ransomware families maintain consistent strategies over time, while others evolve their techniques to increase stealth or effectiveness. These findings provide a detailed characterization of ransomware behavior and its evolution.
Ransomware
Behavioral Analysis
Temporal Evolution
Files in this item:
File: Boschiero_Luca.pdf
Access: Restricted access
Size: 2.38 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full Text are published under a non-exclusive license. Metadata are under a CC0 License

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12608/91814