The Internet has enveloped the world since its inception in the 1990s. No one imagined that it would
gain such popularity. Statistics make it evident that the IPv4 address space has been outgrown and that 32-bit
addressing will not accommodate the users of the coming decade. The Internet has benefited mankind in all leading
sectors and in maintaining connectivity. People tend to spend more and more time online. The 21st century
is the golden age of data, and international bodies are working to secure users and their
data.
On the other side, malicious actors are also playing their part. As a consequence, different
types of cyber weapons have been developed and deployed by blackhats. Attackers prefer
to exploit users rather than the technology. For this purpose, powerful attack techniques
such as social engineering are used. One of them is digital extortion, i.e. targeting user
assets and then demanding something in return for releasing them.
Ransomware has adopted the same methodology. 2016 saw a dramatic increase in the ransomware
population, its attacks and its proliferation. The most viral families were based on the EternalBlue
exploit, namely WannaCry and Petya.
In this research, an in-depth analysis of these two samples has been carried out in all respects. This
manuscript focuses on static and dynamic analysis to dig out the artifacts that each sample leaves
in memory, on disk and in the registry upon execution.
During static analysis we came across several hurdles, in particular the encrypted/packed executable.
The unpacked executable contains much more information: the command-and-control addresses,
URLs, a list of signatures, a list of functions and APIs, and other activities intended by the
author. In short, static analysis can benefit the malware researcher by extracting the required
information, and the information it extracts is enough to design a detection signature.
During static analysis, however, we were unable to extract the secret keys used for encryption from the
executable file.
In dynamic analysis we were able to look inside memory and trace dependencies. Dynamic
analysis gives more rigorous findings than static analysis. In addition, dynamic
analysis reveals the TOR URLs, the command-and-control servers, the host IPs via
which the sample connects, and the registry changes made to grant the executable the access it needs to accomplish its
tasks.
The most crucial finding of our research is that the ransomware uses legitimate
libraries for encryption and decryption. This makes it difficult to mark these libraries as malicious,
and no one can block them.
Keeping these findings in view, one cannot blacklist the Windows internal
APIs and legitimate libraries/functions. Instead, we chose to work on a backup
methodology in order to recover from these types of attacks.
For this purpose we have proposed and implemented a framework to cater for ransomware attacks
on the Master Boot Record (MBR). The solution has been verified, and the integrity of the system remains
intact.
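The abstract does not describe how the proposed MBR framework works internally; the Python below is an added example (not the thesis's own code) of the basic mechanism a backup-and-verify approach relies on: snapshot the trusted 512-byte sector together with its SHA-256, compare the live sector against it, and fall back to the backup when the boot code has been overwritten. The sample MBR and the simulated overwrite are constructed inline; the function names are assumptions of this example.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 4 x 16-byte partition entries start here
BOOT_SIGNATURE_OFFSET = 510    # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: filler boot code, one bootable NTFS partition, valid signature."""
    boot_code = b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)  # jmp $ + NOPs, filler only
    # entry: status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(mbr: bytes) -> dict:
    """Snapshot a trusted MBR: raw sector plus its hash (in practice stored off-host)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {"sector": mbr, "sha256": sha256_hex(mbr)}


def check_mbr(current: bytes, backup: dict) -> dict:
    """Compare the live sector with the backup and report which regions changed."""
    ref = backup["sector"]
    return {
        "intact": sha256_hex(current) == backup["sha256"],
        "signature_valid": current[BOOT_SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "boot_code_changed": current[:PARTITION_TABLE_OFFSET] != ref[:PARTITION_TABLE_OFFSET],
        "partition_table_changed": current[PARTITION_TABLE_OFFSET:BOOT_SIGNATURE_OFFSET]
        != ref[PARTITION_TABLE_OFFSET:BOOT_SIGNATURE_OFFSET],
    }


def restore_if_tampered(current: bytes, backup: dict) -> bytes:
    """Return the sector that belongs on disk: the backup if integrity failed, else the live one."""
    return current if check_mbr(current, backup)["intact"] else backup["sector"]


if __name__ == "__main__":
    trusted = build_sample_mbr()
    backup = take_backup(trusted)
    # Constructed simulation: boot code zeroed, partition table and signature left untouched.
    overwritten = bytes(PARTITION_TABLE_OFFSET) + trusted[PARTITION_TABLE_OFFSET:]
    print(check_mbr(overwritten, backup))          # intact False, boot_code_changed True
    print(restore_if_tampered(overwritten, backup) == trusted)  # True
```

A real deployment would read the sector from the raw disk device with administrative rights and keep the backup and hash outside the reach of the compromised host.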