Decrypting: Experiment in Volatile Memory Analysis Applied to Ransomware Defense
Abstract
Ransomware is a type of malicious software that blocks access to a system or its data and demands a ransom payment. Volatile memory analysis allows the state of a running system to be observed at particular moments of its execution, which makes it a useful approach for malware analysis. This work explores volatile memory analysis techniques and tools applied to the defense against crypto-ransomware attacks by presenting a practical experiment. Through volatile memory analysis, one can likely identify cryptographic material in memory, which enables the recovery of encrypted files in some circumstances. The experiment demonstrated the application of cryptographic key identification techniques based on static analysis and on the structure of virtual memory.
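The key-identification idea the abstract refers to can be illustrated with a search for AES key schedules in a memory image, the approach described by Halderman et al. (2009): an AES implementation keeps its expanded round keys in RAM while it encrypts, and the schedule is a deterministic function of the key, so a window of bytes that is followed by its own expansion is a key. The block below is an added example written for this page, not code from the paper or its authors. It derives the AES S-box, implements the FIPS-197 key expansion, and scans a constructed 4 KiB buffer in which an AES-128 and an AES-256 schedule have been planted; the AES-128 key is the FIPS-197 Appendix A.1 test key, while the AES-256 key, the filler bytes and the offsets are constructed for the example. A bare key without its schedule is planted as well, to show that the scan relies on the schedule and not on the key bytes alone.

```python
"""Search a memory image for AES keys by recognising their expanded key schedules.

Added example, not code from the paper. An AES implementation keeps the
expanded key schedule ((Nr + 1) round keys) in RAM while it encrypts, and the
schedule is a deterministic function of the key, so a window whose following
bytes equal its own expansion is a key with a negligible false-positive rate.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _build_sbox() -> list:
    """Derive the AES S-box (multiplicative inverse in GF(2^8), then the affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                               # q = q / 3, so q = 1/p
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-, 24- or 32-byte key; returns all round keys."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord step for AES-256
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _first_expanded_word(key: bytes) -> bytes:
    """The first word past the key, used as a cheap pre-filter before a full expansion."""
    t = list(key[-4:])
    t = [SBOX[b] for b in t[1:] + t[:1]]
    t[0] ^= RCON[0]
    return bytes(key[j] ^ t[j] for j in range(4))


def find_aes_keys(image: bytes, key_lengths=(16, 32)) -> list:
    """Return (offset, key) for every key whose full schedule is laid out in the image."""
    hits = []
    for klen in key_lengths:
        sched_len = 16 * (klen // 4 + 7)          # (Nr + 1) round keys of 16 bytes each
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + klen]
            if image[off + klen:off + klen + 4] != _first_expanded_word(cand):
                continue                          # 2^-32 chance of reaching the full check
            if image[off:off + sched_len] == expand_key(cand):
                hits.append((off, cand))
    return sorted(hits)


# Constructed inputs: the AES-128 key is the FIPS-197 Appendix A.1 test key; the
# AES-256 key, the filler bytes and the offsets are made up for this example.
KEY128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY256 = bytes(range(32))


def build_sample_image() -> bytes:
    """Build a 4 KiB stand-in for a dumped process region with two planted schedules."""
    rng = random.Random(2024)
    image = bytearray(rng.randbytes(4096))
    image[0x400:0x400 + 176] = expand_key(KEY128)
    image[0x900:0x900 + 240] = expand_key(KEY256)
    image[0xC00:0xC10] = KEY128                # bare key, no schedule: must not be reported
    return bytes(image)


if __name__ == "__main__":
    for off, key in find_aes_keys(build_sample_image()):
        print(f"AES-{len(key) * 8} key schedule at offset 0x{off:x}: {key.hex()}")
```

In a real case the image would be a process memory region exported from a memory-forensics tool rather than the constructed buffer. The schedule only exists while the cipher object is alive, so acquisition has to happen while the encrypting process is still running, which is one reason the abstract limits file recovery to "some circumstances".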
Published: 2024-09-16
How to Cite
MAZUR, Ana Heloísa B.; OLIVEIRA, Paulo Roberto de; MARTIMIANO, Luciana Andréia Fondazzi. Decrypting: Experiment in Volatile Memory Analysis Applied to Ransomware Defense. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 181-196. DOI: https://doi.org/10.5753/sbseg.2024.241511.
