Crypto-ransomware remains a significant threat to governments and companies alike, with high-profile cyber security incidents regularly making headlines. Many detection systems have been proposed in response to the constantly changing ransomware landscape. In the majority of cases, these systems rely on the result of a single test performed on the executable code, the process under investigation, its behaviour, or its output. A small subset of ransomware detection systems employ a scorecard, in which multiple tests are performed on various aspects of the process under investigation and their results are then analysed using machine learning. This paper proposes a new majority-voting approach to ransomware detection: a cumulative score derived from discrete tests, each based on algorithmic rather than heuristic calculations. The paper describes 23 candidate tests and 9 Windows API tests, which are validated to determine both their accuracy and their viability for use within a ransomware detection system. A cumulative score calculation has several benefits. The final classification is immune to the occasional inaccuracy of an individual test. The system can also leverage multiple tests that are both comprehensive and complementary, achieving a broader, deeper and more robust analysis of the program under investigation. Additionally, the use of multiple collaborative tests significantly hinders ransomware from masking or modifying its behaviour in an attempt to bypass detection.
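As an added example, not the paper's code, the following Python sketches the cumulative-score idea the abstract describes: several discrete behavioural tests each cast a vote, the weighted votes are summed, and the process is flagged only when the sum exceeds half the total weight. The five tests, their thresholds, the weights, and the Windows API names checked for are assumptions chosen for illustration; they are not the paper's 23 candidate tests or 9 API tests. The `stable_under_single_flip` check shows the "immunity to an occasional inaccurate test" claim concretely, and also where it breaks down: a process whose score sits next to the threshold can be flipped by a single wrong test. All telemetry is constructed inline.

```python
"""Weighted majority vote over discrete ransomware tests (illustrative, not the paper's code)."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Observation:
    """Constructed per-process summary a monitor might collect (sample input, assumed shape)."""
    files_renamed: int
    distinct_extensions_touched: int
    api_calls: FrozenSet[str]            # Windows API names seen in the process
    written_samples: Tuple[bytes, ...]   # samples of data the process wrote to disk


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; ciphertext and compressed output approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Discrete tests: each returns 1 (ransomware-like) or 0 (benign-like).
# Thresholds below are assumptions for illustration, not values from the paper.
def high_entropy_writes(o: Observation) -> int:
    if not o.written_samples:
        return 0
    mean = sum(shannon_entropy(s) for s in o.written_samples) / len(o.written_samples)
    return int(mean > 7.0)


def mass_rename(o: Observation) -> int:
    return int(o.files_renamed >= 20)


def extension_spread(o: Observation) -> int:
    return int(o.distinct_extensions_touched >= 5)


def crypto_api_use(o: Observation) -> int:
    return int(bool(o.api_calls & {"CryptEncrypt", "BCryptEncrypt"}))


def directory_walk(o: Observation) -> int:
    return int({"FindFirstFileW", "FindNextFileW"} <= o.api_calls)


TESTS: Dict[str, Callable[[Observation], int]] = {
    "high_entropy_writes": high_entropy_writes,
    "mass_rename": mass_rename,
    "extension_spread": extension_spread,
    "crypto_api_use": crypto_api_use,
    "directory_walk": directory_walk,
}
# Weights are an assumption: the entropy test is trusted twice as much as the others.
WEIGHTS = {"high_entropy_writes": 2, "mass_rename": 1, "extension_spread": 1,
           "crypto_api_use": 1, "directory_walk": 1}
TOTAL_WEIGHT = sum(WEIGHTS.values())  # 6


def run_tests(o: Observation) -> Dict[str, int]:
    return {name: test(o) for name, test in TESTS.items()}


def cumulative_score(results: Dict[str, int]) -> int:
    return sum(WEIGHTS[name] * r for name, r in results.items())


def decide(results: Dict[str, int]) -> str:
    """Weighted majority: flag only when more than half the total weight votes yes."""
    return "ransomware" if 2 * cumulative_score(results) > TOTAL_WEIGHT else "benign"


def classify(o: Observation) -> str:
    return decide(run_tests(o))


def stable_under_single_flip(o: Observation) -> bool:
    """True if no single test giving the wrong answer could change the verdict."""
    base = run_tests(o)
    verdict = decide(base)
    for name in base:
        flipped = dict(base)
        flipped[name] ^= 1
        if decide(flipped) != verdict:
            return False
    return True


# Constructed samples, not real telemetry.
CIPHERTEXT_LIKE = bytes(range(256)) * 4                     # entropy exactly 8.0 bits/byte
TEXT_LIKE = b"The quick brown fox jumps over the lazy dog.\n" * 20
RANSOMWARE = Observation(150, 12, frozenset({"FindFirstFileW", "FindNextFileW", "CryptEncrypt",
                                             "MoveFileExW", "WriteFile"}), (CIPHERTEXT_LIKE,) * 3)
EDITOR = Observation(1, 1, frozenset({"CreateFileW", "WriteFile"}), (TEXT_LIKE,))
ARCHIVER = Observation(0, 3, frozenset({"FindFirstFileW", "FindNextFileW", "ReadFile", "WriteFile"}),
                       (CIPHERTEXT_LIKE,))

if __name__ == "__main__":
    for label, o in (("ransomware", RANSOMWARE), ("editor", EDITOR), ("archiver", ARCHIVER)):
        r = run_tests(o)
        print(f"{label:10s} score={cumulative_score(r)}/{TOTAL_WEIGHT} "
              f"verdict={decide(r)} stable={stable_under_single_flip(o)}")
```

The ransomware sample scores 6 of 6 and the editor 0, so neither verdict can be changed by one misfiring test. The archiver writes high-entropy (compressed) output and walks directories, scoring 3: it is classified benign, but one wrong vote would push it over the threshold, which is why each test's individual accuracy still has to be validated before it is admitted to the vote.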