E cient Ransomware Detection via Portable

Executable File Image Analysis By LLaMA-7b

Xiang Li (  lixiangsh1996@hotmail.com )
Changsha Institute of Technology https://orcid.org/0009-0008-6067-533X
Tingting Zhu
Changsha Institute of Technology https://orcid.org/0009-0007-4693-1571
Wenbo Zhang
Changsha Institute of Technology https://orcid.org/0009-0009-6296-1628

Research Article

Keywords: Ransomware Detection, Large Language Models, Image Analysis, Portable Executable Files,
Cybersecurity, LLaMA-7b Model

Posted Date: November 30th, 2023

DOI: https://doi.org/10.21203/rs.3.rs-3679775/v1

License:   This work is licensed under a Creative Commons Attribution 4.0 International License.
Read Full License
 Efficient Ransomware Detection via Portable Executable File Image Analysis By
LLaMA-7b

Xiang Lia , Tingting Zhua , Wenbo Zhanga

a Changsha Institute of Technology, Furong District, Changsha, 410000, Hunan, PRC

Abstract
This research focuses on developing a novel ransomware detection methodology leveraging the capabilities of the open source large
language model LLaMA-7b and image analysis of Portable Executable (PE) files. By transforming PE files into grayscale bitmap
images and analyzing these using the LLaMA-7b model, the study introduces an innovative approach in cybersecurity. The model
demonstrates high accuracy in distinguishing ransomware from benignware, with a significant true positive rate and minimal false
positives and negatives. This method overcomes the limitations of traditional static and dynamic analysis, proving effective against
modern ransomware variants. The findings suggest that integrating advanced technologies like LLMs in cybersecurity offers a
promising direction for enhancing ransomware detection and prevention.
Keywords: Ransomware Detection, Large Language Models, Image Analysis, Portable Executable Files, Cybersecurity,
LLaMA-7b Model

1. Introduction tection of ransomware are fraught with considerable shortcom-

Ransomware, a malicious type of software engineered to
blackmail users with compromised access to valuable data until
a specified sum is remitted, has risen as an intimidating threat
in the domain of cybersecurity [1, 2]. This category includes
crypto-ransomware, known for its file encryption capabilities
that render data inaccessible to users, and data breach ransomware, threat [13]. Conversely, dynamic analysis, focusing on the ob-
characterized by the unauthorized acquisition of confidential
data, often coupled with the menace of public exposure if a
ransom is not paid [3]. The repercussions of ransomware as-
saults are far-reaching, impacting not just individual users but
also extensive organizations, leading to disruptions in opera-
tions, notable financial setbacks, and harm to their public stand-
ing [4]. As a result, the effective detection of ransomware has
become crucial in counteracting these hazards [2, 5]. By iden-
tifying such threats promptly, it is possible to thwart the activa- efficient and effective in promptly recognizing ransomware but
tion of ransomware, protect vital data, and uphold the integrity
of computer systems [6]. The rapid ascent of ransomware as a
critical security concern is underscored by the increasing com-
plexity and sophistication of these attacks [7]. In the recent
past, the landscape of ransomware has evolved, demonstrating
a shift towards more advanced methods of evasion and attack
[8]. This evolution necessitates a continual adaptation of de-
tection strategies [5, 9]. Traditional detection mechanisms are
often outpaced by these evolving threats, and the need for in-
novative approaches in ransomware identification is more pro-
nounced than ever [10, 5]. Given the significant potential for
damage and disruption caused by ransomware, it is evident that
the development of effective detection methodologies is not just
beneficial but essential for the security of digital infrastructures LLMs, with a particular emphasis on the fine-tuned LLaMA-
[9].
However, the methodologies currently employed for the de-
ings. The approach of static analysis, which entails scrutiniz-
ing the code of a program without actual execution, is often
rendered ineffective by the advanced obfuscation techniques
adopted in contemporary ransomware [11, 12]. These sophis-
ticated methods can skillfully mask the malicious intent of the
code, making it challenging for static analysis to discern the
servation of a program’s behavior while it is running, tends to
be demanding in terms of resources [14]. More critically, it
has been observed that this method frequently fails to identify
ransomware until it has already commenced its malicious op-
erations [15]. Such a lag in detection can lead to devastating
consequences, especially when dealing with ransomware vari-
ants that act swiftly [16]. The crux of the research void lies in
the necessity to devise a detection methodology that is not only
also possesses the resilience to withstand the evasion tactics
employed by cyber attackers [17]. This method should ide-
ally identify ransomware threats before they inflict irreversible
harm, thereby bridging the current gap in cybersecurity mea-
sures [18].
The strategy adopted in this research seeks to bridge the
existing gap through the innovative use of image analysis of
Portable Executable (PE) files in tandem with large language
models (LLMs). This involves the conversion of PE files into a
visual format, enabling the subsequent analysis of these images
to uncover patterns and irregularities that are often characteris-
tic of ransomware. This technique capitalizes on the sophisti-
cated pattern recognition and learning proficiencies inherent in
7b model. In contrast to conventional machine learning algo-
rithms, which necessitate substantial feature engineering and
November 29, 2023
are frequently constrained by the availability and quality of la-
beled data, LLMs have demonstrated an ability to generalize ef-
fectively from extensive pools of unlabeled data, an ability that
can translate to enhanced flexibility and precision in detection.
Moreover, the application of LLMs in analyzing these images is
particularly apt for managing the intricacies and diversities in-
herent in contemporary ransomware. Such an approach, lever-
aging LLMs, offers a more robust and efficient framework for
the early detection and prevention of ransomware, standing as a
testament to the potential of integrating advanced technologies
in cybersecurity endeavors.
2. Related Studies
This section reviews existing literature relevant to ransomware cious intent [39, 40].
detection and the application of Portable Executable file analy-
sis in this domain.
2.1. Ransomware Detection
Ransomware’s evolution has been marked by an increas-
ingly significant threat within the cybersecurity domain [3, 8].
Initially, extensive research has been conducted on the utiliza-
tion of behavioral analysis for the detection of ransomware ac-
tivities [16, 19]. This research has primarily concentrated on
understanding the ways in which ransomware interacts with file
systems and network resources, thereby disrupting traditional
operational flows [20, 21]. Furthermore, the field has witnessed
considerable exploration into the capabilities of anomaly detec-
tion systems in pinpointing ransomware [22, 5]. These systems
are notably effective when focusing on irregularities diverging
from established patterns of network traffic [10, 23]. Addition-
ally, the realm of deep learning, with a specific focus on convo-
lutional neural networks (CNNs), has emerged as a central area
of study [6, 24]. This approach has proven particularly adept
at enhancing the precision of identifying complex and intricate
patterns associated with ransomware activities [7, 2].
Moreover, the development of dynamic analysis methods,
underpinned by machine learning technologies, has provided
valuable insights [14, 15]. These methods enable the moni-
toring of ransomware in a real-time context, shedding light on
the behavioral dynamics of ransomware during its active phases
[25, 26]. Alongside these developments, there has been a grow-
ing recognition of the potential that cloud-based solutions hold
for ransomware detection [27]. By harnessing the power of
distributed computing, these solutions offer a scalable and ef-
fective means of identifying and mitigating ransomware threats
[28, 29]. Finally, the contribution of big data analytics in the
arena of ransomware detection has gained attention [17, 30].
This approach underscores the role that large-scale data sets
play in forecasting and pre-empting potential ransomware at-
tacks, thereby fortifying defenses against such cyber threats
[31, 32].
2.2. Portable Executable Files in Ransomware Analysis
The examination of Portable Executable (PE) files assumes
a critical role in the realms of understanding and detecting ran-
somware [11, 33]. Initially, investigations into this domain have
2
highlighted the shortcomings in traditional machine learning
methodologies when applied to the analysis of PE files [18, 12].
Often, these limitations stem from the selection of inadequate
features, which fail to capture the nuanced characteristics of
ransomware [13, 34]. Following this, a significant amount of
research has delved into the extraction and comprehensive anal-
ysis of metadata derived from PE files [5, 1]. This scrutiny has
been instrumental in shedding light on the distinct attributes of
ransomware [35, 36]. Moreover, the application of static anal-
ysis in scrutinizing the structure of PE files, without executing
the underlying code, has been an area receiving considerable
attention [37, 38]. However, the efficacy of this method is fre-
quently challenged by the advanced obfuscation techniques em-
ployed by ransomware, which are designed to conceal its mali-
Further advancements in the field have seen the exploration
of novel methodologies, such as the application of graph the-
ory [41, 42]. This approach involves modeling the intricate
relationships within PE files, aiding significantly in the detec-
tion of ransomware [9, 43]. Additionally, the incorporation of
deep learning algorithms in the analysis of PE file attributes
has been a promising development [6, 24]. These algorithms
have demonstrated enhanced capacity in detecting ransomware,
owing to their ability to recognize complex patterns and irreg-
ularities [7, 2]. Finally, there has been a concerted effort in
research circles to develop hybrid analysis methods [33, 12].
These methods synergize the strengths of both static and dy-
namic analysis techniques when applied to PE files, leading
to a more robust and effective detection of ransomware threats
[17, 30].
3. Methodology
This section outlines the methodologies employed in our re-
search to detect ransomware through image analysis of Portable
Executable files.
3.1. Data Collection
The collection of Portable Executable (PE) file data was
a meticulous process, involving the aggregation of a compre-
hensive dataset from various reliable sources. These sources
included online malware repositories, cybersecurity databases,
and collaborations with IT security organizations. For this study,
a focused collection of four types of new ransomware vari-
ants, namely BlackCat, LockBit, Hive, and BlackBasta, was
conducted. Older variants such as WannaCry and Petya were
deliberately excluded as they are no longer active threats. Ad-
ditionally, four types of benignware were collected, including
different PE files from widely used applications such as Mi-
crosoft Office, Adobe Reader, 7-Zip, and VLC Player. This
dual focus was maintained during this phase to ensure the col-
lection of both ransomware and benignware PE files, to pro-
vide a balanced dataset. The collected data was then subjected
to a verification process to confirm its integrity and relevance.
Each file was meticulously cataloged, ensuring the maintenance
of a structured dataset conducive for further analysis. Table 1
 Table 1: Distribution of PE files in the dataset
Start
Category Type Number of Files
BlackCat 27
LockBit 35
Ransomware
Hive 19
Read PE File as Binary Stream
BlackBasta 24
Microsoft Office 52
Adobe Reader 38
Benignware
7-Zip 7
VLC Player 19 Map Binary Data to Pixel Intensities

presents the distribution of the collected PE files, categorized

into ransomware and benignware:
3.2. Image Generation from PE Files
The transformation of PE files into images involved a com-
prehensive and innovative process, designed to translate the bi-
nary structure of these files into a visual format. Each file, clas-
sified as either ransomware or benignware, underwent a series
of steps to be converted into a grayscale bitmap image. Initially,
each PE file was read as a binary stream, where each byte of
data represented a unique value. These bytes were then mapped
to pixel intensity values, ranging from 0 (black) to 255 (white),
corresponding to the binary data’s numerical value. This map-
ping was critical in ensuring that the visual representation ac-
curately reflected the underlying binary structure of the PE file.
A crucial aspect of this conversion was the determination of
image dimensions. The width of the images was fixed, while
the height was dynamically calculated based on the file size,
ensuring that the entire binary content of the PE file was rep-
resented without truncation. After setting the dimensions, the
binary data was rendered into a grayscale bitmap image, with
each byte corresponding to a pixel in the image. Special at-
tention was given to maintaining the integrity of the file’s data
during this conversion process. It was essential to ensure that no
data loss occurred, as even a single byte’s alteration could lead
to misrepresentation in the visual analysis. This meticulous ap-
proach allowed for the intricate patterns, often characteristic of
either benign or malicious software, to be visually represented
and analyzed. Figure 1 outlines the steps involved in the image
generation process from PE files, when the image generation
process is a systematic approach to converting PE files into a
format suitable for further analysis.
3.3. Base64 Encoding
Following the generation of grayscale bitmap images from
PE files, these images were transformed into Base64 encoded
strings. The rationale behind choosing Base64 encoding lies
in its efficiency and universality in representing binary data in
an ASCII string format. This format is widely recognized and
compatible across various systems and platforms, making it an
ideal choice for data interchange and processing. Base64 en-
coding simplifies the handling of binary data, particularly for
systems that may not support binary formats natively. It en-
codes each set of three bytes of binary data into four ASCII
3
Determine Image Dimensions
Render Grayscale Bitmap Image
Output Grayscale Image
End
Figure 1: Flowchart of the Image Generation Process from PE Files
characters, ensuring that the encoded data remains intact and
unaltered during transmission or storage. Moreover, Base64
encoding is critical in preparing the image data for analysis by
machine learning models like LLaMA-7b. Machine learning
models often require input data in a standardized and consis-
tent format. Base64 encoding offers this standardization, en-
abling the LLaMA-7b model to process and analyze the data
efficiently. The encoded string format also facilitates easier ma-
nipulation and analysis of the data, as it converts the binary im-
age data into a text-based format that can be easily handled by
various data processing tools.
As depicted in Algorithm 1, the conversion process is sys-
tematic, ensuring that every byte of the image data is accurately
represented in the encoded string. This encoding not only pre-
serves the integrity of the data but also prepares it for further
analytical processes.
3.4. Fine-Tuning LLaMA-7b
The fine-tuning of the LLaMA-7b model to detect our Base64-
encoded images of ransomware and benignware was an intri-
cate and crucial phase in our research methodology. The LLaMA-
7b model, which was initially pre-trained on a wide array of
language understanding tasks, provided an extensive founda-
tional understanding necessary for complex pattern recognition.
Algorithm 1 Base64 Encoding of Grayscale Bitmap Images
Require: Grayscale Bitmap Image
Ensure: Base64 Encoded String
1: Initialize an empty string for the Base64 encoded output
2: for each byte in the binary stream of the grayscale image
do
3: Encode the byte into ASCII characters using Base64
encoding rules
4: Append the encoded characters to the output string
5: end for
6: Return the Base64 encoded string
This pre-training was instrumental in equipping the model with
a broad learning base, enhancing its capacity to adapt to the spe-
cific requirements of image recognition and classification tasks.
To fine-tune this model for our specific use case, the Base64-
encoded images were first decoded back into binary format, en-
suring that the model could process the image data effectively.
This conversion was critical as it allowed the model to inter-
pret and analyze the images in a format akin to its pre-training
data. The fine-tuning process was iterative and methodically
structured. It involved several rounds of training, where the
model was exposed to our curated dataset of decoded images.
This exposure was followed by a phase of validation, where the
model’s performance in classifying the images was rigorously
assessed. The parameters of the LLaMA-7b model were con-
tinuously adjusted and optimized during these rounds to im-
prove its accuracy in distinguishing between ransomware and
benignware images. The exit criteria for the fine-tuning pro-
cess were stringently defined. Success was determined not only
by high accuracy in classification but also by the model’s abil-
ity to generalize from the training data and maintain consistent
performance on unseen test data. This criterion ensured that the
fine-tuned model was robust and reliable.
As depicted in Figure 2, the fine-tuning of LLaMA-7b is a
cyclical process, ensuring continual improvement and adjust-
ment until the desired level of performance is achieved. This
approach justifies the robustness and adaptability of the model
in handling the complexities associated with ransomware de-
tection.
4. Experiment and Results
This section presents the experimental setup and the out-
comes derived from the application of the LLaMA-7b model
on our dataset.
4.1. Image Generation
The visual analysis of Portable Executable (PE) files pro-
vides insightful contrasts between ransomware and benignware.
Figures 3 illustrate the grayscale bitmap images generated from
PE files of both ransomware and benignware. It can be ob-
served that the images representing ransomware (subfigures 3a
4
Start
Decode Base64-Encoded Images
Train Model with Decoded Images
Validate Model Performance
no
Is Performance Satisfactory? Adjust Model Parameters
yes
End
Figure 2: Flowchart of the Fine-Tuning Process for the LLaMA-7b Model
to 3d) exhibit notably darker regions compared to those of be-
nignware (subfigures 3e to 3h). This darkness potentially signi-
fies a higher degree of encryption and code obfuscation in ran-
somware, which is a common tactic to evade detection. In con-
trast, the lighter appearance of benignware images may reflect
a more straightforward and less obfuscated binary structure.
4.2. Detection Accuracy
The LLaMA-7b model’s efficacy in identifying ransomware
and benignware was thoroughly evaluated using established per-
formance metrics. The primary metrics for this evaluation were
true positives (TP) for ransomware detection, true negatives
(TN) for benignware identification, false positives (FP), and
false negatives (FN). In this context, true positives refer to ran-
somware files correctly identified as such, while true negatives
denote benign files accurately classified as non-malicious. False
positives represent benign files misclassified as ransomware,
and false negatives are ransomware files that were mistakenly
overlooked. These metrics collectively offer an extensive view
of the model’s accuracy and reliability.
As demonstrated in Table 2, the LLaMA-7b model exhib-
ited a commendable level of accuracy in detecting various types
of ransomware. The true positive rates for ransomware, ranging
from 90% to 96%, indicate a high success rate in correctly iden-
tifying malicious files. This is particularly significant for newer
ransomware types like BlackCat and Hive, where a true positive
rate of 94% and 96% respectively suggests the model’s effec-
tiveness in adapting to and identifying the latest ransomware
threats. This robust detection capability is crucial in cybersecu-
rity, where the early and accurate identification of ransomware
can significantly mitigate potential damage.
 Table 2: Detection Accuracy of LLaMA-7b Model
Category File Type True Positives/Negatives (%)
BlackCat 94%
LockBit 92%
Ransomware
Hive 96%
BlackBasta 90%
Microsoft Office 98%
Adobe Reader 97%
Benignware
7-Zip 95%
VLC Player 93%
The false positive rates, being relatively low (ranging from
1% to 6%), indicate the model’s precision in distinguishing be-
nign files from ransomware. This is critical to avoid unnec-
essary alarms and ensure that normal operations are not dis-
rupted due to false detections. For instance, the low false pos-
itive rate of 1% for widely used software like Microsoft Of-
fice and Adobe Reader highlights the model’s ability to cor-
rectly identify legitimate software, thereby reducing the likeli-
hood of impeding user productivity with false alerts. Similarly,
the false negative rates, which reflect the model’s efficiency
in not overlooking actual ransomware files, are maintained at
low levels (ranging from 1% to 4%). This is vital for ensuring
that ransomware does not evade detection, as even a small per-
centage of missed detections could lead to significant security
breaches. These results collectively underscore the LLaMA-7b
model’s capability in effectively balancing sensitivity (true pos-
itives) and specificity (low false positives), making it a reliable
tool in the fight against ransomware. The model’s proficiency
in distinguishing between benign and malicious software with
high accuracy minimizes the risk of both over-reacting to non-
threatening files and under-reacting to actual security threats.
Consequently, these metrics not only validate the efficacy of the
fine-tuning process undertaken but also highlight the practical
applicability of the LLaMA-7b model in real-world cybersecu-
rity scenarios.
4.3. Comparative Analysis
In the realm of cybersecurity research, particularly in the
context of ransomware detection, comparative analyses between
different models and methodologies play a crucial role in under-
standing the effectiveness and advancements in the field. How-
ever, our study encountered a notable challenge in drawing di-
rect comparisons with other machine learning-based ransomware
studies. A key reason for this challenge lies in the nature of
the ransomware samples used in contemporary research. We
observed that even recent studies in ransomware detection of-
ten rely on outdated samples, such as WannaCry and Petya.
These samples, while historically significant, do not accurately
represent the current landscape of ransomware threats. Ran-
somware has evolved rapidly, with newer variants like Black-
Cat and LockBit exhibiting significantly different code struc-
tures and attack vectors. The use of older samples like Wan-
naCry and Petya in comparative studies could lead to skewed
results, as these variants no longer reflect the sophisticated tech-
5
False Positives (%) False Negatives (%)
4% 2%
5% 3%
3% 1%
6% 4%
1% 1%
2% 1%
4% 1%
5% 2%
niques employed by modern ransomware. Moreover, the attack
vectors and mechanisms employed by newer ransomware vari-
ants differ markedly from those used by older variants. The
evolution in ransomware tactics includes changes in encryption
methods, payload delivery, and evasion techniques, making the
newer variants more complex and challenging to detect. Hence,
models trained and tested on outdated samples may not perform
effectively against current ransomware threats, limiting the va-
lidity of comparative analysis.
In light of these observations, our study consciously chose
to exclude older ransomware samples (e.g., WannaCry, Petya),
focusing instead on recent variants (e.g. Lockbit, Blackcat)
to ensure relevance and accuracy in detection. This decision,
while enhancing the applicability of our model to contemporary
threats, poses a limitation in conducting a comparative analysis
with other studies. Looking forward, a more meaningful com-
parison could be considered as the field evolves. This would
require the development of standardized datasets that include
recent ransomware variants and the emergence of more stud-
ies employing large language models (LLMs) in ransomware
detection. A standardized dataset, encompassing a wide range
of recent ransomware types, would provide a common ground
for evaluating different models and methodologies, paving the
way for a comprehensive comparative analysis. Until such ad-
vancements materialize, our study stands as a pioneering effort
in applying LLMs, specifically the LLaMA-7b model, to the
detection of modern ransomware threats.
5. Discussion
This section critically examines the findings of the study,
discussing their implications in the cybersecurity domain, and
acknowledging the limitations and potential biases inherent in
the research methodology.
5.1. In-depth Analysis of Results
The outcomes derived from employing the LLaMA-7b model,
particularly in the detection of ransomware through the analyt-
ical process of Base64-encoded images of Portable Executable
files, have revealed considerable effectiveness. The model ex-
hibited high accuracy rates in identifying ransomware, with true
positive rates consistently surpassing 90%. Such figures are in-
dicative of the model’s robust capability to accurately detect

(a) BlackCat ransomware
security domain, specifically for ransomware detection, repre-
sents a viable and highly effective strategy [22, 4].
Moreover, the model’s effectiveness in discerning between
benign and malicious software, while minimizing erroneous clas-
sifications, underscores the importance of precision in such se-
curity applications [20, 1]. The ability to maintain a false nega-
tive rate under 4% is crucial in ensuring that potentially harmful
ransomware does not go undetected, thus safeguarding digital
assets and infrastructures from compromise [13]. The study’s
findings, therefore, not only emphasize the model’s adeptness
(b) LockBit ransomware
in recognizing and responding to the characteristics of ransomware
but also highlight the model’s potential as a groundbreaking
tool in the ongoing battle against these sophisticated cyber threats
[44, 14].

5.2. Implications of Findings in the Context of Cybersecurity

(c) Hive ransomware
(e) Microsoft Office benignware
(g) 7-Zip benignware
Figure 3: Grayscale images of PE files from ransomware and benignware.
(d) BlackBasta ransomware
(f) Adobe Reader benignware
(h) VLC Player benignware
The outcomes of this research carry substantial connota-
tions for the cybersecurity domain. They primarily indicate
that the utilization of cutting-edge technologies, such as large
language models, can markedly elevate the capabilities in de-
tecting contemporary ransomware [17, 43]. This method could
serve as an enhancement to existing cybersecurity strategies,
providing a more flexible and responsive shield against the con-
tinuously evolving cyber threats [35, 39]. The employment of
image analysis techniques on Portable Executable files for the
purpose of ransomware detection inaugurates novel prospects
for exploration and advancement in cybersecurity tools and method-
ologies [29, 36]. This aspect emphasizes the necessity for ongo-
ing innovation to effectively counteract the dynamic and ever-
evolving strategies of cyber adversaries [18, 30].
Furthermore, these findings highlight the potential shift in
cybersecurity paradigms, where traditional methods may be in-
tegrated with advanced technological solutions to form a more
fortified defense mechanism [28, 21]. The exploration of image-
based analysis in this context not only broadens the scope of
detection capabilities but also introduces a new dimension in
the interpretation of digital threats [41, 42]. Such advance-
ments could potentially lead to more sophisticated detection al-
gorithms that are adept at navigating the complexities of mod-
ern ransomware, thereby enhancing overall cybersecurity re-
silience [9, 25]. The integration of large language models in
this sphere reflects a proactive approach in adapting to the so-
phisticated nature of modern cyber threats, offering a beacon
of innovation in the ongoing efforts to safeguard digital ecosys-
tems [26, 27, 45].

5.3. Limitations and Potential Biases in the Study

new variants of ransomware, a significant achievement consid-
ering the rapidly evolving and increasingly complex nature of
these cybersecurity threats [10, 7]. The model’s proficiency
in differentiating between benignware and ransomware, while
maintaining minimal rates of false positives and negatives, fur-
ther reflects its advanced pattern recognition skills [8, 15]. These
results, with true positive rates for ransomware hovering around
91.7% and false positives kept under 5%, provide a strong indi-
cation that incorporating large language models into the cyber-
Although the research yields encouraging results, it remains
essential to recognize its limitations and potential biases. A
notable limitation resides in the specific nature of the dataset
employed, which deliberately omits older ransomware variants
like WannaCry and Petya. This exclusion was strategic to en-
sure the study’s contemporaneity, yet it could potentially re-
strict the applicability of the findings across a more extensive
array of ransomware types. The focus on recent ransomware
variants, while beneficial for current relevance, might not fully

6
encapsulate the diverse behaviors and characteristics present in
the broader spectrum of ransomware. Moreover, the reliance on
the LLaMA-7b model as the primary analytical tool introduces
a potential bias toward the strengths and limitations inherent to
this model [46, 47, 48]. This aspect might skew the results in
favor of the model’s specific analytical capabilities, potentially
overlooking nuances that other models might capture [49, 50].
Future research endeavors could benefit from incorporating a
variety of models or extending the dataset to include a wider
range of ransomware types. This expansion would not only
validate the current findings but also broaden the understanding
of ransomware detection methodologies.
In addition, the ever-evolving landscape of ransomware threats
necessitates continuous refinement and adaptation of both the
model and the analytical methods. As ransomware developers
innovate and adapt, the models used for detection must also
evolve to maintain their effectiveness [29, 16, 42, 37]. The
study’s methodology, while effective under current conditions,
might require modifications to address future ransomware evo-
lutions, not to mention that we have not considered LLM hal-
lucinations, which may have contributed to the false positives
or false negatives [50, 51, 52, 53]. Regular updates and en-
hancements to the model, along with an adaptable approach to
methodological frameworks, will be crucial in sustaining the
relevance and efficacy of ransomware detection tools [16, 17,
54]. Thus, while the study presents a significant step forward in
the use of large language models for ransomware detection, it
also highlights the dynamic nature of cybersecurity challenges
and the need for ongoing research and development in this field.
6. Conclusion
This research has made substantial contributions to the field
of cybersecurity, specifically in the domain of ransomware de-
tection. The innovative approach of employing the LLaMA-
7b model, in conjunction with image analysis of Portable Ex-
ecutable files, has proven to be highly effective. The study
demonstrated that the model could accurately identify ransomware
with high true positive rates, while maintaining low false posi-
tives and negatives. This indicates the model’s robust capability
in detecting various ransomware types, particularly newer vari-
ants, and its effectiveness in distinguishing them from benign
software. The findings reinforce the potential of integrating ad-
vanced technologies, like large language models, in enhancing
cybersecurity measures. The study successfully addressed the
limitations of traditional ransomware detection methods, offer-
ing a novel approach that is both adaptable and efficient in the
face of the evolving nature of cyber threats.
Looking ahead, there are several avenues for future research
that emerge from this study. One key direction is the explo-
ration of different large language models and their application
in ransomware detection. Comparative studies involving vari-
ous models could provide deeper insights into the strengths and
weaknesses of each approach, potentially leading to more so-
phisticated and robust detection tools. Additionally, expanding
the dataset to include a broader range of ransomware types, in-
cluding both older and emerging variants, would enhance the
7
generalizability of the findings and provide a more compre-
hensive understanding of ransomware behaviors. There is also
a need for continuous refinement of the models and method-
ologies to keep pace with the rapidly evolving tactics of ran-
somware developers. Future research should focus on develop-
ing adaptive models that can predict and counteract new ran-
somware strategies as they emerge. Furthermore, investigating
the potential biases and limitations of current models, includ-
ing addressing issues like LLM hallucinations, will be crucial
in developing more accurate and reliable ransomware detection
systems. Finally, integrating the findings from this research
with traditional cybersecurity approaches could lead to the de-
velopment of a more holistic and multi-faceted defense strategy
against ransomware attacks.
Declaration
There is no conflict of interest to be declared by the authors.
References
[1] A. AlSabeh, H. Safa, E. Bou-Harb, J. Crichigno, Exploiting ransomware
paranoia for execution prevention, in: ICC 2020-2020 IEEE International
Conference on Communications (ICC), IEEE, 2020, pp. 1–6.
[2] S. Johnson, R. Gowtham, A. R. Nair, Ensemble model ransomware classi-
fication: A static analysis-based approach, in: Inventive Computation and
Information Technologies: Proceedings of ICICIT 2021, Springer, 2022,
pp. 153–167.
[3] T. McIntosh, A. Kayes, Y.-P. P. Chen, A. Ng, P. Watters, Ransomware
mitigation in the modern era: A comprehensive review, research chal-
lenges, and future directions, ACM Computing Surveys (CSUR) 54 (9)
(2021) 1–36, survey.
[4] J. Jones, Ransomware analysis and defense-wannacry and the win32 en-
vironment, International Journal of Information Security Science 6 (4)
(2017) 57–69.
[5] M. A. Ayub, A. Sirai, Similarity analysis of ransomware based on portable
executable (pe) file metadata, in: 2021 IEEE Symposium Series on Com-
putational Intelligence (SSCI), IEEE, 2021, pp. 1–6.
[6] F. Manavi, A. Hamzeh, A new method for ransomware detection based
on pe header using convolutional neural networks, in: 2020 17th Interna-
tional ISC Conference on Information Security and Cryptology (ISCISC),
IEEE, 2020, pp. 82–87.
[7] M. Xiao, C. Guo, G. Shen, Y. Cui, C. Jiang, Image-based malware clas-
sification using section distribution information, Computers & Security
110 (2021) 102420.
[8] X. Ling, L. Wu, J. Zhang, Z. Qu, W. Deng, X. Chen, Y. Qian, C. Wu, S. Ji,
T. Luo, et al., Adversarial attacks against windows pe malware detection:
A survey of the state-of-the-art, Computers & Security (2023) 103134.
[9] W. Liu, Modeling ransomware spreading by a dynamic node-level
method, IEEE Access 7 (2019) 142224–142232.
[10] T. Rezaei, F. Manavi, A. Hamzeh, A pe header-based method for mal-
ware detection using clustering and deep embedding techniques, Journal
of Information Security and Applications 60 (2021) 102876.
[11] S. Poudyal, K. D. Gupta, S. Sen, Pefile analysis: a static approach to
ransomware analysis, Int J Forens Comput Sci 1 (34-39) (2019) 88.
[12] M. Medhat, S. Gaber, N. Abdelbaki, A new static-based framework
for ransomware detection, in: 2018 IEEE 16th Intl Conf on Depend-
able, Autonomic and Secure Computing, 16th Intl Conf on Perva-
sive Intelligence and Computing, 4th Intl Conf on Big Data Intelli-
gence and Computing and Cyber Science and Technology Congress
(DASC/PiCom/DataCom/CyberSciTech), IEEE, 2018, pp. 710–715.
[13] M. A. Ayub, A. Siraj, B. Filar, M. Gupta, Rwarmor: a static-informed
dynamic analysis approach for early detection of cryptographic windows
ransomware, International Journal of Information Security (2023) 1–24.
[14] D. Carlin, P. O’Kane, S. Sezer, Dynamic opcode analysis of ransomware,
in: 2018 International Conference on Cyber Security and Protection of
Digital Services (Cyber Security), IEEE, 2018, pp. 1–4.
[15] S. Usharani, P. M. Bala, M. M. J. Mary, Dynamic analysis on crypto-
ransomware by using machine learning: Gandcrab ransomware, in: Jour-
nal of Physics: Conference Series, Vol. 1717, IOP Publishing, 2021, p.
012024.
[16] P. S. Goyal, A. Kakkar, G. Vinod, G. Joseph, Crypto-ransomware detec-
tion using behavioural analysis, in: Reliability, Safety and Hazard As-
sessment for Risk-Based Technologies: Proceedings of ICRESH 2019,
Springer, 2020, pp. 239–251.
[17] Q. Kang, Y. Gu, A survey on ransomware threats: Contrasting static and
dynamic analysis methodsSurvey (2023).
[18] H. Zhang, X. Xiao, F. Mercaldo, S. Ni, F. Martinelli, A. K. Sangaiah,
Classification of ransomware families with machine learning based onn-
gram of opcodes, Future Generation Computer Systems 90 (2019) 211–
221.
[19] M. Alam, S. Bhattacharya, S. Dutta, S. Sinha, D. Mukhopadhyay,
A. Chattopadhyay, Ratafia: Ransomware analysis using time and fre-
quency informed autoencoders, in: 2019 IEEE International Symposium
on Hardware Oriented Security and Trust (HOST), IEEE, 2019, pp. 218–
227.
[20] P. Sharma, S. Kapoor, R. Sharma, Ransomware detection, prevention and
protection in iot devices using ml techniques based on dynamic analy-
sis approach, International Journal of System Assurance Engineering and
Management 14 (1) (2023) 287–296.
[21] J. K. Lee, S. Y. Moon, J. H. Park, Cloudrps: a cloud analysis based en-
hanced ransomware prevention system, The Journal of Supercomputing
73 (2017) 3065–3084.
[22] R. Almohaini, I. Almomani, A. AlKhayer, Hybrid-based analysis impact
on ransomware detection for android systems, Applied Sciences 11 (22)
(2021) 10976.
[23] S. G. Prasad, V. C. Sharmila, M. Badrinarayanan, Role of artificial intel-
ligence based chat generative pre-trained transformer (chatgpt) in cyber
security, in: 2023 2nd International Conference on Applied Artificial In-
telligence and Computing (ICAAIC), IEEE, 2023, pp. 107–114.
[24] F. Manavi, A. Hamzeh, Ransomware detection based on pe header using
convolutional neural networks., ISeCure 14 (2) (2022).
[25] Y. Lemmou, J.-L. Lanet, E. M. Souidi, A behavioural in-depth analysis of
ransomware infection, IET Information Security 15 (1) (2021) 38–58.
[26] M. Kanwal, S. Thakur, An app based on static analysis for android ran-
somware, in: 2017 International Conference on Computing, Communica-
tion and Automation (ICCCA), IEEE, 2017, pp. 813–818.
[27] H. Pearce, B. Tan, P. Krishnamurthy, F. Khorrami, R. Karri, B. Dolan-
Gavitt, Pop quiz! can a large language model help with reverse engineer-
ing?, arXiv preprint arXiv:2202.01142 (2022).
[28] A. Zimba, Z. Wang, L. Simukonda, Towards data resilience: The ana-
lytical case of crypto ransomware data recovery techniques, International
Journal of Information Technology & Computer Science 10 (1) (2018)
40–51.
[29] A. Cuzzocrea, F. Mercaldo, F. Martinelli, A framework for supporting
ransomware detection and prevention based on hybrid analysis, in: Com-
putational Science and Its Applications–ICCSA 2021: 21st International
Conference, Cagliari, Italy, September 13–16, 2021, Proceedings, Part III
21, Springer, 2021, pp. 16–27.
[30] J. Schoenbachler, V. Krishnan, G. Agarwal, F. Li, Sorting ransomware
from malware utilizing machine learning methods with dynamic analysis,
in: Proceedings of the Twenty-fourth International Symposium on The-
ory, Algorithmic Foundations, and Protocol Design for Mobile Networks
and Mobile Computing, 2023, pp. 516–521.
[31] M. Gupta, C. Akiri, K. Aryal, E. Parker, L. Praharaj, From chatgpt to
threatgpt: Impact of generative ai in cybersecurity and privacy, IEEE Ac-
cess (2023).
[32] N. Rani, S. V. Dhavale, Leveraging machine learning for ransomware de-
tection, arXiv preprint arXiv:2206.01919 (2022).
[33] D. F. Netto, K. Shony, E. R. Lalson, An integrated approach for de-
tecting ransomware using static and dynamic analysis, in: 2018 Inter-
national CET Conference on Control, Communication, and Computing
(IC4), IEEE, 2018, pp. 410–414.
[34] M. Almousa, S. Basavaraju, M. Anwar, Api-based ransomware detection
using machine learning-based threat detection models, in: 2021 18th In-
8
ternational Conference on Privacy, Security and Trust (PST), IEEE, 2021,
pp. 1–7.
[35] L. Iffländer, A. Dmitrienko, C. Hagen, M. Jobst, S. Kounev, Hands off my
database: Ransomware detection in databases through dynamic analysis
of query sequences, arXiv preprint arXiv:1907.06775 (2019).
[36] R. Umar, I. Riadi, R. S. Kusuma, Analysis of conti ransomware attack on
computer network with live forensic method, IJID (International Journal
on Informatics for Development) 10 (1) (2021) 53–61.
[37] G. McDonald, P. Papadopoulos, N. Pitropakis, J. Ahmad, W. J. Buchanan,
Ransomware: Analysing the impact on windows active directory domain
services, Sensors 22 (3) (2022) 953.
[38] S. Sheen, A. Yadav, Ransomware detection by mining api call usage, in:
2018 International Conference on Advances in Computing, Communica-
tions and Informatics (ICACCI), IEEE, 2018, pp. 983–987.
[39] F. Cicala, E. Bertino, Analysis of encryption key generation in modern
crypto ransomware, IEEE Transactions on Dependable and Secure Com-
puting 19 (2) (2020) 1239–1253.
[40] C. Sendner, L. Iffländer, S. Schindler, M. Jobst, A. Dmitrienko,
S. Kounev, Ransomware detection in databases through dynamic anal-
ysis of query sequences, in: 2022 IEEE Conference on Communications
and Network Security (CNS), IEEE, 2022, pp. 326–334.
[41] S. Aurangzeb, R. N. B. Rais, M. Aleem, M. A. Islam, M. A. Iqbal, On the
classification of microsoft-windows ransomware using hardware profile,
PeerJ Computer Science 7 (2021) e361.
[42] P. M. Anand, P. S. Charan, S. K. Shukla, A comprehensive api call anal-
ysis for detecting windows-based ransomware, in: 2022 IEEE Interna-
tional Conference on Cyber Security and Resilience (CSR), IEEE, 2022,
pp. 337–344.
[43] F. Mercaldo, A framework for supporting ransomware detection and pre-
vention based on hybrid analysis, Journal of Computer Virology and
Hacking Techniques 17 (3) (2021) 221–227.
[44] J. A. Herrera-Silva, M. Hernández-Álvarez, Dynamic feature dataset for
ransomware detection using machine learning algorithms, Sensors 23 (3)
(2023) 1053.
[45] T. McIntosh, T. Liu, T. Susnjak, H. Alavizadeh, A. Ng, R. Nowrozy,
P. Watters, Harnessing gpt-4 for generation of cybersecurity grc poli-
cies: A focus on ransomware attack mitigation, Computers & Security
134 (2023) 103424.
[46] D. Zhou, K. Wang, J. Gu, X. Peng, D. Lian, Y. Zhang, Y. You, J. Feng,
Dataset quantization, in: Proceedings of the IEEE/CVF International
Conference on Computer Vision, 2023, pp. 17205–17216.
[47] A. Rakshit, S. Mehta, A. Dasgupta, A novel pipeline for improving opti-
cal character recognition through post-processing using natural language
processing, in: 2023 IEEE Guwahati Subsection Conference (GCON),
IEEE, 2023, pp. 01–06.
[48] G. Rejithkumar, P. R. Anish, S. Ghaisas, Automated identification of de-
ontic modalities in software engineering contracts: A domain adaptation-
based generative approach, in: 2023 IEEE 31st International Require-
ments Engineering Conference Workshops (REW), IEEE, 2023, pp. 72–
75.
[49] H. Fang, Z. Yang, Y. Wei, X. Zang, C. Ban, Z. Feng, Z. He, Y. Li, H. Sun,
Alignment and generation adapter for efficient video-text understanding,
in: Proceedings of the IEEE/CVF International Conference on Computer
Vision, 2023, pp. 2791–2797.
[50] S. Jha, S. K. Jha, P. Lincoln, N. D. Bastian, A. Velasquez, S. Neema,
Dehallucinating large language models using formal methods guided it-
erative prompting, in: 2023 IEEE International Conference on Assured
Autonomy (ICAA), IEEE, 2023, pp. 149–152.
[51] T. R. McIntosh, T. Liu, T. Susnjak, P. Watters, A. Ng, M. N. Halgamuge,
A culturally sensitive test to evaluate nuanced gpt hallucination, IEEE
Transactions on Artificial Intelligence 1 (01) (2023) 1–13.
[52] Z. Ziyu, C. Qiguang, M. Longxuan, L. Mingda, H. Yi, Q. Yushan,
B. Haopeng, Z. Weinan, T. Liu, Through the lens of core competency:
Survey on evaluation of large language models, in: Proceedings of the
22nd Chinese National Conference on Computational Linguistics (Vol-
ume 2: Frontier Forum), 2023, pp. 88–109.
[53] Y. Chen, Q. Fu, Y. Yuan, Z. Wen, G. Fan, D. Liu, D. Zhang, Z. Li,
Y. Xiao, Hallucination detection: Robustly discerning reliable answers
in large language models, in: Proceedings of the 32nd ACM International
Conference on Information and Knowledge Management, 2023, pp. 245–
255.
[54] A. Alqahtani, F. T. Sheldon, A survey of crypto ransomware attack detec-
tion methodologies: an evolving outlook, Sensors 22 (5) (2022) 1837.