Skip to main content

Peeler: Profiling Kernel-Level Events to Detect Ransomware

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)


Because the recent ransomware families are becoming progressively more advanced, it is challenging to detect ransomware using static features only. However, their behaviors are still more generic and universal to analyze due to their inherent goals and functions. Therefore, we can capture their behaviors by monitoring their system-level activities on files and processes. In this paper, we present a novel ransomware detection system called “Peeler” (Profiling kErnEl -Level Events to detect Ransomware). Peeler first identifies ransomware’s inherent behavioral characteristics such as stealth operations performed during the attack, processes execution patterns, and correlations among different kernel-level events by analysing a large-scaled OS-level provenance data collected from a diverse set of ransomware families. Peeler specifically uses a novel NLP-based deep learning model to fingerprint the contextual behavior of applications by leveraging Bidirectional Encoder Representations from Transformers (BERT) pre-trained model. We evaluate Peeler on a large ransomware dataset including 67 ransomware families and demonstrate that it achieves a 99.5% F1-score.


  • Fileless malware
  • Ransomware detection
  • Deep learning
  • Screen-locker
  • Malware behavior analysis
  • Machine learning

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88418-5_12
  • Chapter length: 21 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88418-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.


  1. 1.

    Windows OS is becoming the most attractive targets for ransomware writers, i.e., 87% of the existing ransomware were developed to target Windows [10].

  2. 2.

    ETW was first introduced in Windows 2000 and is now built-in to all Windows OS versions.


  1. About Event Tracing.

  2. Global Ransomware Damage Costs Predicted To Reach \$20 Billion (USD) By 2021.

  3. Krabsetw.

  4. A Live Malware Repository.

  5. Malware samples.

  6. MalwareBazaar.

  7. Pretrained models.

  8. VirtualBox.

  9. VirusTotal.

  10. What systems have you seen infected by ransomware?

  11. Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: A 0-day aware crypto-ransomware early behavioral detection framework. In: International Conference of Reliable Information and Communication Technology, pp. 758–766 (2017)

    Google Scholar 

  12. Continella, A., et al.: Shieldfs: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347 (2016)

    Google Scholar 

  13. Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)

  14. Gómez-Hernández, J., Álvarez-González, L., García-Teodoro, P.: R-Locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389–398 (2018)

    CrossRef  Google Scholar 

  15. Hendler, D., Kels, S., Rubin, A.: Detecting malicious powershell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187–197 (2018)

    Google Scholar 

  16. Hendler, D., Kels, S., Rubin, A.: Amsi-based detection of malicious powershell code using contextual embeddings. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 679–693 (2020)

    Google Scholar 

  17. Hirano, M., Kobayashi, R.: Machine learning based ransomware detection using storage access patterns obtained from live-forensic hypervisor. In: Sixth IEEE International Conference on Internet of Things: Systems, Management and Security (IOTSMS), pp. 1–6 (2019)

    Google Scholar 

  18. Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R.: Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE transactions on emerging topics in computing (2017)

    Google Scholar 

  19. Huang, J., Xu, J., Xing, X., Liu, P., Qureshi, M.K.: Flashguard: Leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 2231–2244 (2017)

    Google Scholar 

  20. Jin, B., Choi, J., Kim, H., Hong, J.B.: Fumvar: a practical framework for generating fully-working and unseen malware variants. In: Proceedings of the 36th Annual ACM Symposium on Applied Computing (SAC) (2021)

    Google Scholar 

  21. Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 757–772 (2016)

    Google Scholar 

  22. Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 98–119 (2017)

    Google Scholar 

  23. Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 3–24 (2015)

    Google Scholar 

  24. Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings ACM on Asia Conference on Computer and Communications Security, pp. 599–611 (2017)

    Google Scholar 

  25. Lab, E.M.: The State of Ransomware in the US.

  26. Lelonek, B., Rogers, N.: Make ETW greate again.

  27. Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 114–136 (2018)

    Google Scholar 

  28. Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security, pp. 1795–1812 (2019)

    Google Scholar 

  29. Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: IEEE Symposium on Security and Privacy (SP), pp. 1009–1024 (2017)

    Google Scholar 

  30. Morato, D., Berrueta, E., Magaña, E., Izal, M.: Ransomware early detection by the analysis of file sharing traffic. J. Network Comput. Appl. 124, 14–32 (2018)

    CrossRef  Google Scholar 

  31. Nieuwenhuizen, D.: A behavioural-based approach to ransomware detection. Whitepaper, MWR Labs Whitepaper (2017)

    Google Scholar 

  32. Scaife, N., Carter, H., Traynor, P., Butler, K.R.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 36th IEEE International Conference on Distributed Computing Systems (ICDCS), pp. 303–312 (2016)

    Google Scholar 

  33. Sgandurra, D., Muñoz-González, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)

  34. Sivakorn, S., et al.: Countering malicious processes with process-dns association. In: Network and Distributed Systems Security (2019)

    Google Scholar 

  35. Wang, Q., et al.: You are what you do: Hunting stealthy malware via data provenance analysis. In: Symposium on Network and Distributed System Security (NDSS) (2020)

    Google Scholar 

  36. WatchGuard: Internet Security Report - Q4 2020.

  37. Zhao, L., Mannan, M.: TEE-aided write protection against privileged data tampering. arXiv preprint arXiv:1905.10723 (2019)

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Muhammad Ejaz Ahmed .

Editor information

Editors and Affiliations

A Dataset

A Dataset

1.1 A.1 Ransomware families

We provide a comprehensive list of both ransomware families and benign applications used to evaluate Peeler. Table 6 presents two sets of ransomware families used in Sect. 6.1 and Sect. 6.3, respectively.

Table 6. Ransomware families and samples.

1.2 A.2 Benign applications

In this section, we present benign applications that potentially show ransomware-like behaviors that are used in the evaluation of Peeler: 1) benign encryption, compression, and shredder applications (see Table 7); 2) benign application spawning multiple processes; and 3) benign applications that are most popularly used on Windows PC (see Table 8).

Table 7. Ransomware-like benign applications.
Table 8. Benign applications spawning multiple processes.

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Ahmed, M.E., Kim, H., Camtepe, S., Nepal, S. (2021). Peeler: Profiling Kernel-Level Events to Detect Ransomware. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)