On Tracking Ransomware on the File System

Ransomware detection is gaining growing importance in the scientific literature because of widespread and economic impact of this type of malware. A successful ransomware detection system must identify a malicious behaviour as soon as possible while reducing false positive detection. To this end, different strategies have been explored. Recently, a promising approach has risen. It consists in looking for possible running ransomware by measuring the different activities every process does on the filesystem. Such measurements are represented with quantitative "indicators". Indicators selection and their interpretation, is a critical and challenging task. In this paper we survey some of most representative file-system centered ransomware detectors and describe their chosen behavioural indicators and strategies used to measure them. Then we compare the different solutions and discuss pros, cons and open issues of every approach.