{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T14:27:15Z","timestamp":1774448835969,"version":"3.50.1"},"reference-count":27,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2021,11,8]],"date-time":"2021-11-08T00:00:00Z","timestamp":1636329600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"During recent years, many papers have been published on ransomware, but to the best of our knowledge, no previous academic studies have been conducted on ransom note files. In this paper, we present the results of a depth study on filenames and the content of ransom files. We propose a prototype to identify the ransom files. Then we explore how the filenames and the content of these files can minimize the risk of ransomware encryption of some specified ransomware or increase the effectiveness of some ransomware detection tools. To achieve these objectives, two approaches are discussed in this paper. The first uses Latent Semantic Analysis (LSA) to check similarities between the contents of files. The second uses some Machine Learning models to classify the filenames into two classes\u2014ransom filenames and benign filenames.<\/jats:p>","DOI":"10.3390\/computers10110145","type":"journal-article","created":{"date-parts":[[2021,11,8]],"date-time":"2021-11-08T08:05:16Z","timestamp":1636358716000},"page":"145","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["In-Depth Analysis of Ransom Note Files"],"prefix":"10.3390","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3182-3275","authenticated-orcid":false,"given":"Yassine","family":"Lemmou","sequence":"first","affiliation":[{"name":"Faculty of Sciences, Mohammed V University in Rabat, LabMIASI, BP 1014 RP, Rabat 10000, Morocco"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4751-3941","authenticated-orcid":false,"given":"Jean-Louis","family":"Lanet","sequence":"additional","affiliation":[{"name":"INRIA, LHS-PEC, 35042 Rennes, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1716-3204","authenticated-orcid":false,"given":"El Mamoun","family":"Souidi","sequence":"additional","affiliation":[{"name":"Faculty of Sciences, Mohammed V University in Rabat, LabMIASI, BP 1014 RP, Rabat 10000, Morocco"}]}],"member":"1968","published-online":{"date-parts":[[2021,11,8]]},"reference":[{"key":"ref_1","unstructured":"Mager, M. (2021, September 15). Stop and Step Away from the Data: Rapid Anomaly Detection via Ransom Note File Classification. Endgame. Available online: https:\/\/www.elastic.co\/fr\/blog\/stop-and-step-away-data-rapid-anomaly-detection-ransom-note-file-classification."},{"key":"ref_2","unstructured":"Nieuwenhuizen, D. (2021, September 15). A Behavioural-Based Approach to Ransomware Detection. MWR Labs Whitepaper. Available online: https:\/\/labs.f-secure.com\/assets\/resourceFiles\/mwri-behavioural-ransomware-detection-2017-04-5.pdf."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Scaife, N., Carter, H., Traynor, P., and Butler, K.R.B. (2016, January 27\u201330). CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data. Proceedings of the 36th IEEE International Conference on Distributed Computing Systems, ICDCS 2016, Nara, Japan.","DOI":"10.1109\/ICDCS.2016.46"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Lemmou, Y., and Souidi, E. (2017). An Overview on Spora Ransomware. Security in Computing and Communications, Springer.","DOI":"10.1007\/978-981-10-6898-0_22"},{"key":"ref_5","unstructured":"Perekalin, A. (2021, September 15). WannaCry: Are You Safe? Kaspersky. Available online: https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Lemmou, Y., and Souidi, E.M. (2017, January 19\u201320). PrincessLocker analysis. Proceedings of the 2017 International Conference on Cyber Security And Protection of Digital Services (Cyber Security), London, UK.","DOI":"10.1109\/CyberSecPODS.2017.8074854"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1007\/s11416-008-0092-2","article-title":"Comparative analysis of various ransomware virii","volume":"6","author":"Gazet","year":"2010","journal-title":"J. Comput. Virol."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Caivano, D., Canfora, G., Cocomazzi, A., Pirozzi, A., and Visaggio, C.A. (2017, January 21\u201323). Ransomware at X-Rays. Proceedings of the 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Exeter, UK.","DOI":"10.1109\/iThings-GreenCom-CPSCom-SmartData.2017.58"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1049\/ise2.12004","article-title":"A behavioural in-depth analysis of ransomware infection","volume":"15","author":"Lemmou","year":"2021","journal-title":"IET Inf. Secur."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Kharraz, A., Robertson, W.K., Balzarotti, D., Bilge, L., and Kirda, E. (2015, January 9\u201310). Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks. Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment\u201412th International Conference, DIMVA 2015, Milan, Italy.","DOI":"10.1007\/978-3-319-20550-2_1"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Continella, A., Guagnelli, A., Zingaro, G., Pasquale, G.D., Barenghi, A., Zanero, S., and Maggi, F. (2016, January 5\u20139). ShieldFS: A self-healing, ransomware-aware filesystem. Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, CA, USA.","DOI":"10.1145\/2991079.2991110"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Palisse, A., Durand, A., Le Bouder, H., Le Guernic, C., and Lanet, J.L. (2017, January 8\u201310). Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure. Proceedings of the NordSec2017: 22nd Nordic Conference on Secure IT Systems, LNCS, Tartu, Estonia.","DOI":"10.1007\/978-3-319-70290-2_12"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Lee, J., Lee, J., and Hong, J. (2017, January 20\u201323). How to Make Efficient Decoy Files for Ransomware Detection?. Proceedings of the International Conference on Research in Adaptive and Convergent Systems, RACS\u201917, Krakow, Poland.","DOI":"10.1145\/3129676.3129713"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Palisse, A., Bouder, H.L., Lanet, J., Guernic, C.L., and Legay, A. (2016, January 5\u20137). Ransomware and the Legacy Crypto API. Proceedings of the Risks and Security of Internet and Systems\u201411th International Conference, CRiSIS 2016, Roscoff, France.","DOI":"10.1007\/978-3-319-54876-0_2"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Kolodenker, E., Koch, W., Stringhini, G., and Egele, M. (2017, January 2\u20136). PayBreak: Defense Against Cryptographic Ransomware. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, Abu Dhabi, United Arab Emirates.","DOI":"10.1145\/3052973.3053035"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"8699","DOI":"10.1007\/s12652-020-02630-7","article-title":"Detecting ransomware attacks using intelligent algorithms: Recent development and next direction from deep learning and big data perspectives","volume":"12","author":"Bello","year":"2021","journal-title":"J. Ambient. Intell. Humaniz. Comput."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"122532","DOI":"10.1109\/ACCESS.2021.3109260","article-title":"Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling","volume":"9","author":"Poudyal","year":"2021","journal-title":"IEEE Access"},{"key":"ref_18","first-page":"102646","article-title":"Evaluation metric for crypto-ransomware detection using machine learning","volume":"55","author":"Kok","year":"2020","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"119710","DOI":"10.1109\/ACCESS.2020.3003785","article-title":"A Digital DNA Sequencing Engine for Ransomware Detection Using Machine Learning","volume":"8","author":"Khan","year":"2020","journal-title":"IEEE Access"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Ketzaki, E., Toupas, P., Giannoutakis, K.M., Drosou, A., and Tzovaras, D. (2020, January 16\u201318). A Behaviour based Ransomware Detection using Neural Network Models. Proceedings of the 2020 10th International Conference on Advanced Computer Information Technologies (ACIT), Deggendorf, Germany.","DOI":"10.1109\/ACIT49673.2020.9208974"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Moussaileb, R., Bouget, B., Palisse, A., Le Bouder, H., Cuppens, N., and Lanet, J.L. (2018, January 27\u201330). Ransomware\u2019s Early Mitigation Mechanisms. Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES, Hamburg, Germany.","DOI":"10.1145\/3230833.3234691"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"101684","DOI":"10.1016\/j.cose.2019.101684","article-title":"Deanonymizing Tor hidden service users through Bitcoin transactions analysis","volume":"89","author":"Jawaheri","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Anandarajan, M., Hill, C., and Nolan, T. (2018). Practical Text Analytics: Maximizing the Value of Text Data, Springer. [1st ed.].","DOI":"10.1007\/978-3-319-95663-3"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"379","DOI":"10.1109\/TC.2011.223","article-title":"An Approach to Source-Code Plagiarism Detection and Investigation Using Latent Semantic Analysis","volume":"61","author":"Cosma","year":"2012","journal-title":"IEEE Trans. Comput."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"321","DOI":"10.1613\/jair.953","article-title":"SMOTE: Synthetic Minority Over-sampling Technique","volume":"16","author":"Chawla","year":"2002","journal-title":"J. Artif. Intell. Res."},{"key":"ref_26","unstructured":"(2021, September 15). Open American National Corpus: MASC. Available online: http:\/\/www.anc.org\/data\/masc\/downloads\/data-download\/."},{"key":"ref_27","unstructured":"Schler, J., Koppel, M., Argamon, S.E., and Pennebaker, J.W. (2006). Effects of Age and Gender on Blogging. AAAI Spring Symposium: Computational Approaches to Analyzing Weblogs, American Association for Artificial Intelligence."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/10\/11\/145\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:27:35Z","timestamp":1760167655000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/10\/11\/145"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,8]]},"references-count":27,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2021,11]]}},"alternative-id":["computers10110145"],"URL":"https:\/\/doi.org\/10.3390\/computers10110145","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,11,8]]}}}