Forensic Investigation of Ransomware Activities—Part 1

Abstract

Techniques employed by malware authors evolve and become more advanced each day in an effort to bypass defences and evade detection. From 2013 to the present, a type of malware known as ransomware has increased exponentially in popularity with cyber criminals. Ransomware encrypts files on a victim’s filesystem and subsequently demands a ransom payment to release the files. The exponential growth of ransomware poses a serious and real threat to end-users and organisations worldwide. The exponential growth also poses serious challenges to the security industry, such as the need to analyse and study the large volume of emerging ransomware families. A problem exists in that new ransomware families may use previously unseen techniques to evade detection and detonate successfully. A second problem exists for security analysts when it comes to analysing the ever-increasing volume of emerging ransomware families. Malware analysis generally falls into one of two categories: static and dynamic analysis. Dynamic analysis is effective at classifying malware; however, it is ineffective at discovering newly developed techniques or functionality. In contrast, static analysis is effective at discovering newly developed techniques and functionality; however, it requires significantly more time to complete than dynamic analysis. The information gathered from static analysis is essential to enable organisations to better defend against these new attacks. The information obtained from this research can be used to help defend against future threats using similar techniques and highlight the effectiveness of manual analysis to discover new and advanced techniques.

Cite

Young, C., McArdle, R., Le-Khac, N. A., & Choo, K. K. R. (2020). Forensic Investigation of Ransomware Activities—Part 1. In Studies in Big Data (Vol. 74, pp. 51–77). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-47131-6_4
