Analyzing early indicators of ransomware: pre-encryption behavior patterns

Mujeeb ur Rehman; M. Fadzil Hassan; Rehan Akbar; Bander Ali Saleh Al-rimy; K. S. Savita; Rafi Ullah; Zymul Zafar

doi:10.1007/978-981-96-5848-0_46

Analyzing early indicators of ransomware: pre-encryption behavior patterns

Mujeeb ur Rehman^*, M. Fadzil Hassan, Rehan Akbar, Bander Ali Saleh Al-rimy, K. S. Savita, Rafi Ullah, Zymul Zafar

^*Corresponding author for this work

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Ransomware attacks are a growing threat, impacting individuals, businesses, and organizations globally. Understanding the tactics used by ransomware operators in the pre-encryption phase is essential for developing effective defenses. This research investigates the pre-encryption tactics, techniques, and procedures (TTPs) employed by attackers before they encrypted data. Through a comprehensive analysis of real-world incidents and malware samples, the study identifies common attack patterns across various stages of the attack lifecycle, including initial access, reconnaissance, privilege escalation, and lateral movement. By studying these patterns, organizations can enhance their threat intelligence and strengthen their defenses. The research introduces a heuristic-based pre-encryption ransomware detection (HB-PERD) method, leveraging machine learning to improve detection rates and reduce false positives and negatives. This approach offers valuable insights for cybersecurity professionals, incident responders, and policymakers to implement proactive measures and reinforce access controls, ultimately aiding in the defense against evolving ransomware threats.

Original language	English
Title of host publication	Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024
Editors	Hisham Mohamad, Mohd Hilmi Hasan, Said Jadid Abdulkadir, Nasir Shafiq
Publisher	Springer Nature
Pages	566-578
Number of pages	13
ISBN (Electronic)	9789819658480
ISBN (Print)	9789819658473, 9789819658503
DOIs	https://doi.org/10.1007/978-981-96-5848-0_46
Publication status	Published - 26 Jul 2025
Event	1st International Conference on Smart Cities, ICSC 2024 - Kota Kinabalu, Malaysia Duration: 10 Sept 2024 → 11 Sept 2024

Publication series

Name	Lecture Notes in Electrical Engineering
Volume	1417
ISSN (Print)	1876-1100
ISSN (Electronic)	1876-1119

Conference

Conference	1st International Conference on Smart Cities, ICSC 2024
Country/Territory	Malaysia
City	Kota Kinabalu
Period	10/09/24 → 11/09/24

Keywords

Cybersecurity
Heuristic Approach
Machine Learning
Pre-Encryption
Prediction
Ransomware Detection

Access to Document

10.1007/978-981-96-5848-0_46

Cite this

Rehman, M. U., Hassan, M. F., Akbar, R., Al-rimy, B. A. S., Savita, K. S., Ullah, R., & Zafar, Z. (2025). Analyzing early indicators of ransomware: pre-encryption behavior patterns. In H. Mohamad, M. H. Hasan, S. J. Abdulkadir, & N. Shafiq (Eds.), Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024 (pp. 566-578). (Lecture Notes in Electrical Engineering; Vol. 1417). Springer Nature. https://doi.org/10.1007/978-981-96-5848-0_46

Rehman, Mujeeb ur ; Hassan, M. Fadzil ; Akbar, Rehan et al. / Analyzing early indicators of ransomware : pre-encryption behavior patterns. Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024. editor / Hisham Mohamad ; Mohd Hilmi Hasan ; Said Jadid Abdulkadir ; Nasir Shafiq. Springer Nature, 2025. pp. 566-578 (Lecture Notes in Electrical Engineering).

@inproceedings{ca432d124eff463d8afe0b8b406082bf,

title = "Analyzing early indicators of ransomware: pre-encryption behavior patterns",

abstract = "Ransomware attacks are a growing threat, impacting individuals, businesses, and organizations globally. Understanding the tactics used by ransomware operators in the pre-encryption phase is essential for developing effective defenses. This research investigates the pre-encryption tactics, techniques, and procedures (TTPs) employed by attackers before they encrypted data. Through a comprehensive analysis of real-world incidents and malware samples, the study identifies common attack patterns across various stages of the attack lifecycle, including initial access, reconnaissance, privilege escalation, and lateral movement. By studying these patterns, organizations can enhance their threat intelligence and strengthen their defenses. The research introduces a heuristic-based pre-encryption ransomware detection (HB-PERD) method, leveraging machine learning to improve detection rates and reduce false positives and negatives. This approach offers valuable insights for cybersecurity professionals, incident responders, and policymakers to implement proactive measures and reinforce access controls, ultimately aiding in the defense against evolving ransomware threats.",

keywords = "Cybersecurity, Heuristic Approach, Machine Learning, Pre-Encryption, Prediction, Ransomware Detection",

author = "Rehman, \{Mujeeb ur\} and Hassan, \{M. Fadzil\} and Rehan Akbar and Al-rimy, \{Bander Ali Saleh\} and Savita, \{K. S.\} and Rafi Ullah and Zymul Zafar",

note = "Publisher Copyright: {\textcopyright} Institute of Technology PETRONAS Sdn Bhd (Universiti Teknologi PETRONAS) 2025.; 1st International Conference on Smart Cities, ICSC 2024 ; Conference date: 10-09-2024 Through 11-09-2024",

year = "2025",

month = jul,

day = "26",

doi = "10.1007/978-981-96-5848-0\_46",

language = "English",

isbn = "9789819658473",

series = "Lecture Notes in Electrical Engineering",

publisher = "Springer Nature",

pages = "566--578",

editor = "Hisham Mohamad and Hasan, \{Mohd Hilmi\} and Abdulkadir, \{Said Jadid\} and Nasir Shafiq",

booktitle = "Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024",

address = "United Kingdom",

}

Rehman, MU, Hassan, MF, Akbar, R, Al-rimy, BAS, Savita, KS, Ullah, R & Zafar, Z 2025, Analyzing early indicators of ransomware: pre-encryption behavior patterns. in H Mohamad, MH Hasan, SJ Abdulkadir & N Shafiq (eds), Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024. Lecture Notes in Electrical Engineering, vol. 1417, Springer Nature, pp. 566-578, 1st International Conference on Smart Cities, ICSC 2024, Kota Kinabalu, Malaysia, 10/09/24. https://doi.org/10.1007/978-981-96-5848-0_46

Analyzing early indicators of ransomware: pre-encryption behavior patterns. / Rehman, Mujeeb ur; Hassan, M. Fadzil; Akbar, Rehan et al.
Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024. ed. / Hisham Mohamad; Mohd Hilmi Hasan; Said Jadid Abdulkadir; Nasir Shafiq. Springer Nature, 2025. p. 566-578 (Lecture Notes in Electrical Engineering; Vol. 1417).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Analyzing early indicators of ransomware

T2 - 1st International Conference on Smart Cities, ICSC 2024

AU - Rehman, Mujeeb ur

AU - Hassan, M. Fadzil

AU - Akbar, Rehan

AU - Al-rimy, Bander Ali Saleh

AU - Savita, K. S.

AU - Ullah, Rafi

AU - Zafar, Zymul

N1 - Publisher Copyright: © Institute of Technology PETRONAS Sdn Bhd (Universiti Teknologi PETRONAS) 2025.

PY - 2025/7/26

Y1 - 2025/7/26

N2 - Ransomware attacks are a growing threat, impacting individuals, businesses, and organizations globally. Understanding the tactics used by ransomware operators in the pre-encryption phase is essential for developing effective defenses. This research investigates the pre-encryption tactics, techniques, and procedures (TTPs) employed by attackers before they encrypted data. Through a comprehensive analysis of real-world incidents and malware samples, the study identifies common attack patterns across various stages of the attack lifecycle, including initial access, reconnaissance, privilege escalation, and lateral movement. By studying these patterns, organizations can enhance their threat intelligence and strengthen their defenses. The research introduces a heuristic-based pre-encryption ransomware detection (HB-PERD) method, leveraging machine learning to improve detection rates and reduce false positives and negatives. This approach offers valuable insights for cybersecurity professionals, incident responders, and policymakers to implement proactive measures and reinforce access controls, ultimately aiding in the defense against evolving ransomware threats.

AB - Ransomware attacks are a growing threat, impacting individuals, businesses, and organizations globally. Understanding the tactics used by ransomware operators in the pre-encryption phase is essential for developing effective defenses. This research investigates the pre-encryption tactics, techniques, and procedures (TTPs) employed by attackers before they encrypted data. Through a comprehensive analysis of real-world incidents and malware samples, the study identifies common attack patterns across various stages of the attack lifecycle, including initial access, reconnaissance, privilege escalation, and lateral movement. By studying these patterns, organizations can enhance their threat intelligence and strengthen their defenses. The research introduces a heuristic-based pre-encryption ransomware detection (HB-PERD) method, leveraging machine learning to improve detection rates and reduce false positives and negatives. This approach offers valuable insights for cybersecurity professionals, incident responders, and policymakers to implement proactive measures and reinforce access controls, ultimately aiding in the defense against evolving ransomware threats.

KW - Cybersecurity

KW - Heuristic Approach

KW - Machine Learning

KW - Pre-Encryption

KW - Prediction

KW - Ransomware Detection

UR - https://www.scopus.com/pages/publications/105012926525

U2 - 10.1007/978-981-96-5848-0_46

DO - 10.1007/978-981-96-5848-0_46

M3 - Conference contribution

AN - SCOPUS:105012926525

SN - 9789819658473

SN - 9789819658503

T3 - Lecture Notes in Electrical Engineering

SP - 566

EP - 578

BT - Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024

A2 - Mohamad, Hisham

A2 - Hasan, Mohd Hilmi

A2 - Abdulkadir, Said Jadid

A2 - Shafiq, Nasir

PB - Springer Nature

Y2 - 10 September 2024 through 11 September 2024

ER -

Rehman MU, Hassan MF, Akbar R, Al-rimy BAS, Savita KS, Ullah R et al. Analyzing early indicators of ransomware: pre-encryption behavior patterns. In Mohamad H, Hasan MH, Abdulkadir SJ, Shafiq N, editors, Proceedings of the International Conference on Smart Cities - Volume 2 - ICSC 2024. Springer Nature. 2025. p. 566-578. (Lecture Notes in Electrical Engineering). doi: 10.1007/978-981-96-5848-0_46

Analyzing early indicators of ransomware: pre-encryption behavior patterns

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this