Ransomware: Analysis and Evaluation of Live Forensic Techniques and the Impact on Linux based IoT Systems
Salko Korac, Leandros Maglaras, Naghmeh Moradpoor, Bill Buchanan, Berk Canberk

TL;DR
This paper examines how forensic techniques can be applied to Linux ransomware affecting IoT systems, highlighting evolving tactics by cybercriminals and potential impacts on Linux-based IoT infrastructure.
Contribution
It provides an analysis of current forensic methods for Linux ransomware and assesses their effectiveness and the evolving nature of Linux malware targeting IoT systems.
Findings
Linux ransomware is moving away from RSA and AES encryption.
Early-stage Linux ransomware has limited damage potential but is evolving.
The study offers insights into forensic challenges and implications for IoT security.
Abstract
Ransomware has been predominantly a threat to Windows systems. However, Linux systems have become interesting to cybercriminals, and this trend is expected to continue. This endangers IoT ecosystems, since many IoT systems are based on Linux (e.g. cloud infrastructure and gateways). This paper researches how currently employed forensic techniques can be applied to Linux ransomware and evaluates its maturity as well as its impact on the system. While Windows-based ransomware predominantly uses RSA and AES for key management, a variety of approaches was identified for Linux. Cybercriminals appear to be deliberately moving away from RSA and AES to make live forensic investigations more difficult. Linux ransomware is developed for a predefined goal and does not exploit its full potential for damage. It is at an early stage and is expected to reach a potential similar to that of Windows-based malware.…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Cybercrime and Law Enforcement Studies
