Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation
Simon R. Davies, Richard Macfarlane, William J. Buchanan

TL;DR
This paper evaluates live forensic techniques to identify encryption keys in ransomware-infected systems, demonstrating successful key recovery and file decryption across multiple ransomware variants, aiding forensic analysis and mitigation.
Contribution
It introduces a practical methodology for live memory analysis to recover encryption keys during ransomware attacks, enhancing forensic capabilities.
Findings
Encryption keys were successfully identified in all tested ransomware samples.
Recovered keys enabled decryption of encrypted files.
Timelines effectively visualized ransomware behavior and key management.
Abstract
Memory was captured from a system infected by ransomware and its contents were examined using live forensic tools, with the intent of identifying the symmetric encryption keys being used. NotPetya, Bad Rabbit and Phobos hybrid ransomware samples were tested during the investigation. If keys were discovered, the following two steps were also performed. Firstly, a timeline was manually created by combining data from multiple sources to illustrate the ransomware's behaviour as well as showing when the encryption keys were present in memory and how long they remained there. Secondly, an attempt was made to decrypt the files encrypted by the ransomware using the found keys. In all cases, the investigation was able to confirm that it was possible to identify the encryption keys used. A description of how these found keys were then used to successfully decrypt files that had been encrypted…
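The core of the key search the abstract describes, as an added example that is not code from the paper: a memory image is scanned for AES-128 round-key schedules by checking whether any 176-byte window equals the expansion of its own first 16 bytes (the findaes approach). Whether the authors' tooling used exactly this check is an assumption; the memory image and the planted FIPS-197 example key are constructed here.

```python
import random

def _gf_mul(a: int, b: int) -> int:
    # Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox() -> list:
    # Derive the AES S-box: multiplicative inverse, then the FIPS-197 affine map.
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def aes128_key_schedule(key: bytes) -> bytes:
    # Expand a 16-byte key into the 176-byte round-key schedule (FIPS-197, 5.2).
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord and Rcon on every fourth word
            t = bytearray(SBOX[b] for b in t[1:] + t[:1])
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)

def find_aes128_keys(mem: bytes) -> list:
    # Slide over the image; a window that equals the expansion of its own first 16
    # bytes is a live key schedule. The one-byte check on round key 1 rejects most
    # offsets without a full expansion, which is what makes whole-image scans feasible.
    hits = []
    for off in range(len(mem) - 175):
        cand = mem[off:off + 16]
        if mem[off + 16] != cand[0] ^ SBOX[cand[13]] ^ 0x01:
            continue
        if mem[off:off + 176] == aes128_key_schedule(cand):
            hits.append((off, bytes(cand)))
    return hits

# Constructed memory image: deterministic filler with one schedule planted at 0x5A0.
# The key is the FIPS-197 Appendix A example key, not one recovered from any sample.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
_image = bytearray(random.Random(7).randbytes(4096))
_image[0x5A0:0x5A0 + 176] = aes128_key_schedule(SAMPLE_KEY)
SAMPLE_MEMORY = bytes(_image)
```

Running the same scan over successive captures is what lets an investigator place the key's appearance and disappearance on a timeline; a 16-byte key alone, without its expanded schedule in memory, would not be detected by this check.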
