
Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation

Davies, Simon



Ransomware has continued to grow in scale, cost, complexity and impact since it was first identified nearly 30 years ago. Security practitioners are engaged in a continual "arms race" with ransomware developers as they attempt to defend their digital infrastructure against such attacks. Recent ransomware families have started to employ a hybrid of symmetric and asymmetric encryption to encrypt users' files. This report describes an investigation to determine whether the techniques currently employed in the field of digital forensics could be leveraged to discover the encryption keys used by this type of malicious software.

A safe, isolated virtual environment was created and ransomware samples were executed within it. Memory was captured from the infected system and its contents were examined using three different live forensic tools in an attempt to identify the symmetric encryption keys being used by the ransomware. NotPetya, BadRabbit and Phobos ransomware samples were tested during the investigation on two different operating systems. The samples were chosen because they were recent, high-profile attacks that generated significant ransom payments and caused serious disruption to many organisations.

If keys were discovered, two further steps were performed. Firstly, a timeline was created manually to show when the keys were present in memory and how long they remained there. Secondly, an attempt was made to decrypt the files encrypted by the ransomware using the recovered keys. In all cases the investigation confirmed that the encryption keys in use could be discovered, and the recovered keys successfully decrypted files that had been encrypted by the ransomware samples.

No prior research was found that examined cryptographic keys specifically for ransomware using live forensic techniques; however, research was found that investigated other types of cryptographic programs. The results of this investigation matched the findings from those related fields, in which the keys used by the cryptographic programs were likewise recovered from memory and used to decrypt the files.

The ransomware timelining also highlighted the different key management practices of these ransomware programs: some tended to leave the key in memory for the whole execution, while others practised more dynamic key management.
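The memory examination, decryption and timeline steps described above, as an added worked example that is not part of the dissertation or of this repository record. It is a stdlib-only Python sketch of the classic key-schedule search (the approach used by tools such as aeskeyfind): a running cipher keeps its expanded AES key schedule in RAM, and because the 160 bytes that follow a genuine AES-128 key are fully determined by that key, each 16-byte window of a memory image can be expanded and compared with what follows it. Everything specific here is assumed rather than taken from the page: the samples' cipher is stood in for by AES-128 in CTR mode, the memory images are constructed byte strings rather than real captures, and the three forensic tools the abstract mentions are not named on this page and are not reproduced here. The second snapshot, in which the process has zeroed its schedule, illustrates the timing point in the final paragraph: a key that is only held transiently is recoverable only if memory is captured while it is live.

```python
"""Recover an AES-128 key from a memory image by its key schedule, then decrypt.
Added example, not the dissertation's code. Assumed, not from the page: the
sample uses AES-128-CTR and keeps its expanded schedule in process memory;
the memory images below are constructed byte strings, not real captures."""
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the AES affine map."""
    sbox = []
    for a in range(256):
        inv = 0 if a == 0 else next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)

def encrypt_block(block, schedule):
    """One AES-128 block encryption; state is column-major, index = row + 4*col."""
    s = [b ^ k for b, k in zip(block, schedule[:16])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd != 10:                                        # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                          a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                          a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                          _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, schedule[16 * rnd:16 * rnd + 16])]  # AddRoundKey
    return bytes(s)

def aes_ctr(key, nonce8, data):
    """CTR mode: the same call encrypts and decrypts, so no inverse cipher is needed."""
    schedule = expand_key(key)
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = encrypt_block(nonce8 + (i // 16).to_bytes(8, "big"), schedule)
        out += bytes(d ^ k for d, k in zip(data[i:i + 16], keystream))
    return bytes(out)

def find_aes128_keys(dump):
    """Return [(offset, key)] for every AES-128 key schedule present in dump.
    Each 16-byte window is a candidate key; a cheap check on the first expanded
    word rejects most offsets before the full 176-byte comparison."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        w0, w3 = dump[off:off + 4], dump[off + 12:off + 16]
        t = [SBOX[b] for b in w3[1:] + w3[:1]]
        t[0] ^= RCON[0]
        if bytes(a ^ b for a, b in zip(w0, t)) != dump[off + 16:off + 20]:
            continue
        cand = dump[off:off + 16]
        if expand_key(cand) == dump[off:off + 176]:
            hits.append((off, cand))
    return hits

def build_scenario(seed=7):
    """Constructed (not captured) snapshots of a toy 'ransomware' process: the live
    schedule sits between random heap bytes, and the second snapshot is the same
    layout after the process zeroed it (the dynamic key-management case)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    nonce = bytes(rng.randrange(256) for _ in range(8))
    plaintext = b"Q3 forecast - internal only\n" * 40
    ciphertext = aes_ctr(key, nonce, plaintext)
    pad1 = bytes(rng.randrange(256) for _ in range(3000))
    pad2 = bytes(rng.randrange(256) for _ in range(2000))
    return key, nonce, plaintext, ciphertext, pad1 + expand_key(key) + pad2, pad1 + bytes(176) + pad2

if __name__ == "__main__":
    key, nonce, plaintext, ciphertext, during, after = build_scenario()
    hits = find_aes128_keys(during)
    print("during encryption:", [(off, k.hex()) for off, k in hits])
    print("recovered key decrypts the file:", aes_ctr(hits[0][1], nonce, ciphertext) == plaintext)
    print("after the key was wiped:", find_aes128_keys(after))
```

Two caveats a practitioner would add. First, the asymmetrically wrapped copy of the file key that hybrid ransomware writes alongside the ciphertext is of no use without the attacker's private key, so the plaintext schedule that the cipher must hold in RAM while it works is the only practical recovery path, which is why capture timing decides the outcome. Second, a schedule scan recognises AES only; a sample using a different primitive needs a different signature or an entropy-based search, and any hit must be confirmed by decrypting a known file, as the final print in the block does.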

Thesis Type Dissertation
Deposit Date May 31, 2022
Publicly Available Date Jun 3, 2022
Award Date Jan 12, 2020


Evaluation Of Live Forensic Techniques In Ransomware Attack Mitigation (12.3 Mb)
