Evaluation of live forensic techniques in ransomware attack mitigation

Davies, Simon; Macfarlane, Richard; Buchanan, William J.

doi:10.1016/j.fsidi.2020.300979

Cited by 26 publications

(38 citation statements)

References 17 publications

(61 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…A ransomware is more menacing than malware, as it not only damages the system and results in loss of control from the system but also demands compensation in return. Therefore, there is a need to have the proper distinction of ransomware from other malware (Aurangzeb et al, 2017;Kok et al, 2019;Zhang et al, 2019) to save billions of dollars in financial losses (Davies, Macfarlane & Buchanan, 2020).…”

Section: Introductionmentioning

confidence: 99%

On the classification of Microsoft-Windows ransomware using hardware profile

Aurangzeb

Rais

Aleem

et al. 2021

PeerJ Computer Science

View full text Add to dashboard Cite

Due to the expeditious inclination of online services usage, the incidents of ransomware proliferation being reported are on the rise. Ransomware is a more hazardous threat than other malware as the victim of ransomware cannot regain access to the hijacked device until some form of compensation is paid. In the literature, several dynamic analysis techniques have been employed for the detection of malware including ransomware; however, to the best of our knowledge, hardware execution profile for ransomware analysis has not been investigated for this purpose, as of today. In this study, we show that the true execution picture obtained via a hardware execution profile is beneficial to identify the obfuscated ransomware too. We evaluate the features obtained from hardware performance counters to classify malicious applications into ransomware and non-ransomware categories using several machine learning algorithms such as Random Forest, Decision Tree, Gradient Boosting, and Extreme Gradient Boosting. The employed data set comprises 80 ransomware and 80 non-ransomware applications, which are collected using the VirusShare platform. The results revealed that extracted hardware features play a substantial part in the identification and detection of ransomware with F-measure score of 0.97 achieved by Random Forest and Extreme Gradient Boosting.

show abstract

Section: Introductionmentioning

confidence: 99%

On the classification of Microsoft-Windows ransomware using hardware profile

Aurangzeb

Rais

Aleem

et al. 2021

PeerJ Computer Science

View full text Add to dashboard Cite

show abstract

“…This study uses a live forensics method as a first step to identify the behavior of a virus that attacks one of the host computers in a computer network [20], [21]. The stages of the live forensic method in this study are as shown in Figure 1.…”

Section: Methodsmentioning

confidence: 99%

Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method

Umar

Riadi

Kusuma

2021

IJID

View full text Add to dashboard Cite

Ransomware viruses have become a dangerous threat increasing rapidly in recent years. One of the variants is Conti ransomware that can spread infection and encrypt data simultaneously. Attacks become a severe threat and damage the system, namely by encrypting data on the victim's computer, spreading it to other computers on the same computer network, and demanding a ransom. The working principle of this Ransomware acts by utilizing Registry Query, which covers all forms of behavior in accessing, deleting, creating, manipulating data, and communicating with C2 (Command and Control) servers. This study analyzes the Conti virus attack through a network forensic process based on network behavior logs. The research process consists of three stages, the first stage is simulating attacks on the host computer, the second stage is carrying network forensics by using live forensics methods, and the third stage is analysing malware by using statistical and dynamic analysis. The results of this study provide forensic data and virus behavior when running on RAM and computer networks so that the data obtained makes it possible to identify ransomware traffic on the network and deal with zero-day, especially ransomware threats. It is possible to do so because the analysis is an initial step in generating virus signatures based on network indicators.

show abstract

“…The process of creating a virtual environment using VirtualBox and GNS3 software to perform valid and realistic ransomware experiments. In this virtual environment, already available viruses, data, files, infected computers and clean computers [25], making it possible to carry out mitigation to prevent the spread of viruses from cleaning computers. The environmental structure design in this study is as shown in Figure 1.…”

Section: Cloud Network Environmentmentioning

confidence: 99%

Mitigating Sodinokibi Ransomware Attack on Cloud Network Using Software-Defined Networking (SDN)

Umar¹,

Riadi²,

Kusuma³

2021

IJSSE

View full text Add to dashboard Cite

Sodinokibi Ransomware virus becomes a severe threat by targeting data encryption on a server, and this virus infection continues to spread to encrypt data on other computers. This study aims to mitigate by experiment with building a prevention system through computer network management. The mitigation process is carried out through static, dynamic, and Software-Defined Networking (SDN) analysis to prevent the impact of attacks through programmatic network management. SDN consists of two main components in its implementation, the Ryu controller and Open Virtual Switch (OVS). Result testing mitigation system on infected networks by crippling TCP internet protocol access can reduce virus spread by 17.13% and suppress Sodinokibi traffic logs by up to 73.97%. Based on the percentage data, SDN-based mitigation in this study is per the objectives to make it possible to mitigate Ransomware attacks on computer network traffic.

show abstract

Evaluation of live forensic techniques in ransomware attack mitigation

Cited by 26 publications

References 17 publications

On the classification of Microsoft-Windows ransomware using hardware profile

On the classification of Microsoft-Windows ransomware using hardware profile

Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method

Mitigating Sodinokibi Ransomware Attack on Cloud Network Using Software-Defined Networking (SDN)

Contact Info

Product

Resources

About