RTrap: Trapping and Containing Ransomware With Machine Learning

Gaddisa Olani Ganfure*, Chun Feng Wu, Yuan Hao Chang*, Wei Kuan Shih

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

8 Scopus citations


With advances in social engineering tricks and other technical shortcomings, ransomware attacks have become a severe cybercrime affecting organizations of all shapes and sizes. Although the security teams are making plenty of ransomware detection tools, the ransomware incident report shows they are ineffective in detecting emerging ransomware attacks. This work presents 'RTrap,' a systematic framework to detect and contain ransomware efficiently and effectively via machine learning-generated deceptive files. Using a data-driven decoy file selection and generation strategy, RTrap plants deceptive decoy files across the directory to lure the ransomware to access it. RTrap also introduced a lightweight decoy watcher to monitor generated decoy files in real time. As the timing of the ransomware attack is not known to the victim in advance, and the ransomware encryption process is speedy, the proposed decoy-watcher executes an automatic/automated response after the detection promptly. The experiment shows that RTrap can detect ransomware with an average 18 file loss per 10311 legitimate user files.

Original languageEnglish
Pages (from-to)1433-1448
Number of pages16
JournalIEEE Transactions on Information Forensics and Security
StatePublished - 2023


  • Deception-based detection
  • adaptive decoy files
  • affinity propagation
  • machine learning
  • ransomware detection


Dive into the research topics of 'RTrap: Trapping and Containing Ransomware With Machine Learning'. Together they form a unique fingerprint.

Cite this