Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation
This research provides a potential post-infection mitigation strategy for victims of ransomware by demonstrating the ability to recover encryption keys from memory, which could lead to file decryption.
This paper investigated the feasibility of extracting symmetric encryption keys from memory during live ransomware attacks (NotPetya, Bad Rabbit, Phobos) using live forensic tools. The study successfully identified encryption keys in all tested cases and used them to decrypt files encrypted by the ransomware.
Memory was captured from a system infected by ransomware and its contents was examined using live forensic tools, with the intent of identifying the symmetric encryption keys being used. NotPetya, Bad Rabbit and Phobos hybrid ransomware samples were tested during the investigation. If keys were discovered, the following two steps were also performed. Firstly, a timeline was manually created by combining data from multiple sources to illustrate the ransomware's behaviour as well as showing when the encryption keys were present in memory and how long they remained there. Secondly, an attempt was made to decrypt the files encrypted by the ransomware using the found keys. In all cases, the investigation was able to confirm that it was possible to identify the encryption keys used. A description of how these found keys were then used to successfully decrypt files that had been encrypted during the execution of the ransomware is also given. The resulting generated timelines provided a excellent way to visualise the behaviour of the ransomware and the encryption key management practices it employed, and from a forensic investigation and possible mitigation point of view, when the encryption keys are in memory.