Cybersecurity solutions have shown promising performance when detecting ransomware samples that use fixed algorithms and encryption rates. However, given the current explosion of Artificial Intelligence (AI), ransomware (and malware in general) will sooner rather than later incorporate AI techniques to intelligently and dynamically adapt its encryption behavior in order to remain undetected. This could render existing cybersecurity solutions ineffective and obsolete, but the literature lacks AI-powered ransomware with which to verify it. Thus, this work proposes RansomAI, a Reinforcement Learning-based framework that can be integrated into existing ransomware samples to adapt their encryption behavior and stay stealthy while encrypting files. RansomAI presents an agent that learns the encryption algorithm, rate, and duration that minimize its detection (using a reward mechanism and a fingerprinting intelligent detection system) while maximizing its damage function. The proposed framework was validated on a ransomware sample, Ransomware-PoC, that infected a Raspberry Pi 4 acting as a crowdsensor. A pool of experiments with Deep Q-Learning and Isolation Forest (deployed on the agent and the detection system, respectively) has demonstrated that RansomAI evades the detection of Ransomware-PoC affecting the Raspberry Pi 4 in a few minutes with >90% accuracy.