Forensic Investigation of Ransomware Activities—Part 2

Abstract

Ransomware is a particularly predatory form of Cybercrime which feeds on a person’s sentimental value for personal data such as family photos, videos and sometimes a lifetime’s collection of data. In general, a banking Trojan causes a temporary monetary loss, Ransomware however, has the potential to have irreversible, catastrophic loss of data for the victim. Ransomware has grown exponentially since 2015, and it is this staggering growth that poses a problem for future detection. Signature-based detection alone cannot cope with the number of signatures that will continue to be created. Distribution of databases becomes a greater task with the growth of signatures. Anomaly-based detection is another option to consider as it looks at behaviour traits rather than signatures alone. However, many traits found in malware are just as easily found in legitimate software. This fact leads to the possibility of false positives which in turn leads to a lack of confidence from the user. This chapter proposes an approach that uses a hybrid detection system of both signature based detection and anomaly based detection. Analysis was carried out on the crypto-worm variant known as zCrypt, with the goal of analysing attack vectors to counter them effectively. The main aim of this work is to maximize detection rates, minimise false-positives, and protect the best defence against Ransomware—online backups.