Simon Davies S.Davies@napier.ac.uk
Research Student
Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation
Davies, Simon
Authors
Abstract
Ransomware continues to grow in both scale, cost, complexity and impact since its initial discovery nearly 30 years ago. Security practitioners are engaged in a continual "arms race" with the ransomware developers attempting to defend their digital infrastructure against such attacks. Recent manifestations of ransomware have started to employ a hybrid combination of symmetric and asymmetric encryption to encode user’s files. This report describes an investigation to determine if the techniques currently employed in the field of digital forensics could be leveraged to discover the encryption keys used by these types of malicious software.
A safe, isolated virtual environment was created and ransomware samples were executed within it. Memory was captured from the infected system and its contents was examined using three different live forensic tools in an attempt to identify the symmetric encryption keys being used by the ransomware. NotPetya, BadRabbit and Phobos ransomware samples were were tested during the investigation on two different operating systems. The samples were chosen as they were recent, high profile attacks generating significant ransom payments and causing serious disruption to many organisations.
If keys were discovered, the following two steps were also performed. Firstly, a timeline was manually created to show when the keys were present in memory and how long they remained there. Secondly, an attempt was made to decrypt the files encrypted by the ransomware using the found keys. In all cases the investigation was able to confirm that it was possible to discover the encryption keys used and these found keys successfully decrypted files that had been encrypted by the ransomware samples.
No research was found that conducted cryptographic key examination specifically on ransomware using live forensic techniques, however research was found that investigated other types of cryptographic programs. The results of this investigation matched similar findings from these related research fields, as the keys used by the cryptographic programs were successfully recovered and used to decrypt the files.
The ransomware time lining also highlighted different key management processes used by these ransomware programs, where some tended to leave the key in memory for the whole execution while others practiced more dynamic key management
Citation
Davies, S. (2020). Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation. (Dissertation). Edinburgh Napier University. Retrieved from http://researchrepository.napier.ac.uk/Output/2875361
| Thesis Type | Dissertation |
|---|---|
| Deposit Date | May 31, 2022 |
| Publicly Available Date | Jun 3, 2022 |
| Public URL | http://researchrepository.napier.ac.uk/Output/2875361 |
| Award Date | Jan 12, 2020 |
Files
Evaluation Of Live Forensic Techniques In Ransomware Attack Mitigation
(12.3 Mb)
PDF
You might also like
Comparison Of Common Mathematical Techniques Used In The Calculation Of File Entropy
(2022)
Conference Proceeding
Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification
(2022)
Journal Article
Review of Current Ransomware Detection Techniques
(2022)
Conference Proceeding
Exploring the Need For an Updated Mixed File Research Data Set
(2022)
Conference Proceeding
Downloadable Citations
About Edinburgh Napier Research Repository
Administrator e-mail: repository@napier.ac.uk
This application uses the following open-source libraries:
SheetJS Community Edition
Apache License Version 2.0 (http://www.apache.org/licenses/)
PDF.js
Apache License Version 2.0 (http://www.apache.org/licenses/)
Font Awesome
SIL OFL 1.1 (http://scripts.sil.org/OFL)
MIT License (http://opensource.org/licenses/mit-license.html)
CC BY 3.0 ( http://creativecommons.org/licenses/by/3.0/)
Powered by Worktribe © 2024
Advanced Search