Ransomware Forensics

From Embedded Lab Vienna for IoT & Security

Latest revision as of 16:43, 8 January 2024

Introduction: Ransomware Digital Forensics and Incident Response

Ransomware forensics is part of ransomware Digital Forensics and Incident Response (DFIR), which focuses on the identification, investigation and remediation of ransomware attacks. DFIR entails collecting and analysing digital evidence of a ransomware attack in order to understand the scope of the incident, keep the attack under control and recover from it. Ransomware DFIR uses a number of tools and techniques, such as forensic imaging, malware analysis, network analysis and log analysis. The overall aim is to minimise the damage caused by ransomware incidents and to prevent them from happening again.

DFIR consists of two distinct areas: digital forensics and incident response.

Incident Response

Incident response to a ransomware attack involves the following six distinct phases:

  1. Preparation
    • Take precautions for a possible attack
    • Draw up an incident response and recovery plan
    • Design a strategy for data backup and restoration (keep copies the ransomware cannot reach, e.g. offline, and test that they restore)
    • Prepare a list of internal and external contacts, including law enforcement and the insurer
  2. Identification - threat indicators of a ransomware attack
    • Users cannot access their files, files are corrupted, or files have been renamed and now carry unfamiliar extensions (.xyz, .abc, .aaa, ...)
    • Bursts of file modification events in the logs
    • Antivirus alerts
    • Connections to suspicious IP addresses
    • High CPU usage on the infected computer (caused by the encryption in progress)
    • A ransom note being displayed
  3. Containment
    • Request antivirus checks
    • Isolate possibly infected machines; if forensic analysis is planned, capture the volatile memory before powering a machine off, since the running ransomware process and the artefacts examined in the memory forensics section exist only in RAM
    • Disconnect machines from the network to stop further spread and data exfiltration
  4. Eradication
    • Reformat the hard drive and reimage the machines
    • Install all operating system patches
  5. Recovery
    • Validate the restored system and verify that it is back to a normal state
    • Install antivirus software and perform a full scan after updating the signatures
    • Restore user files from the most recent clean backup
  6. Lessons learned documentation
    • How was the ransomware attack initially detected?
    • Prepare a timeline of the important events of the incident
    • Which actions were taken (focusing on containment, eradication and recovery)?
    • What went right, what went wrong?
    • Sum up the cost of the incident

Digital Forensics

Ransomware forensics means securing and analysing artifacts after an attack has occurred, in order to:

  • Find out what was destroyed, what the attack did to the system, and how far it spread
  • Identify the attackers
  • Secure evidence for a court case
  • Prevent another attack

Ransomware forensics does this by:

  • Identifying the kind of ransomware
    • Opportunistic ransomware: normally does not give the attacker interactive access to your network
    • Ransomware worms: can spread quickly through networks on their own
    • Targeted ransomware: deployed manually as part of a traditional intrusion
  • Identifying the ransomware executable
    • Timeline analysis: look for the creation of executables around the time the first encrypted files appear, or around the time of the initial compromise
    • Antivirus signatures and YARA rules
  • Identifying the initial compromise
    • Drive-by compromise: identify exploits in the Temporary Internet Files using YARA rules and antivirus signatures; review the internet history
    • Exploits of publicly accessible applications: review web-server logs and application logs (depending on the application); look for web shells and other indicators of post-compromise activity
    • Spear-phishing attachment: analyse the Outlook data files (.pst) and the attachments themselves; for webmail review the Outlook temporary files and the Temporary Internet Files; extract URLs from the messages and check whether they are malicious
  • Checking for lateral movement
    • Review event logs (e.g. the Windows Security log for remote logons and the System log for remotely installed services on other hosts)
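Timeline analysis as described above, as an added example that is not part of the original page: given a filesystem timeline of (creation time, path) entries it finds the first file carrying the ransomware extension and lists the executables created in a short window before it, flagging double-extension names. The timeline rows, the `.locked` extension and the ten-minute window are constructed assumptions, not data from a real incident.

```python
"""Timeline analysis for ransomware triage: which executables appeared on disk
shortly before the first encrypted file?

Added example, not part of the original page. The timeline below is
constructed; in a real case the rows would come from a filesystem timeline
(e.g. parsed from the MFT) of the affected host."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

TimelineEntry = Tuple[datetime, str]

# Assumption: a typical starting list of on-disk executable extensions, not exhaustive.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".ps1", ".js", ".vbs")


def parse_timeline(rows: List[Tuple[str, str]]) -> List[TimelineEntry]:
    """Turn ("YYYY-MM-DD HH:MM:SS", path) rows into (datetime, path) entries sorted by time."""
    entries = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path) for ts, path in rows]
    return sorted(entries)


def first_encrypted(timeline: List[TimelineEntry], ransom_exts: Tuple[str, ...]) -> Optional[datetime]:
    """Earliest creation time of a file carrying one of the ransomware extensions, or None."""
    hits = [t for t, path in timeline if path.lower().endswith(ransom_exts)]
    return min(hits) if hits else None


def candidate_executables(timeline: List[TimelineEntry], t0: datetime,
                          window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Executables created in the `window` before t0, closest to t0 first.
    These are the files to pull for hashing, AV/YARA scanning and reverse engineering."""
    lo = t0 - window
    cands = [(t, path) for t, path in timeline
             if lo <= t <= t0 and path.lower().endswith(EXECUTABLE_EXTS)]
    return [path for _, path in sorted(cands, reverse=True)]


def has_double_extension(path: str) -> bool:
    """'invoice.pdf.exe'-style names are a classic phishing-attachment disguise."""
    name = path.rsplit("\\", 1)[-1]
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


# Constructed sample timeline (UTC); the paths and times are made up.
SAMPLE_ROWS = [
    ("2021-02-11 09:00:00", r"C:\Windows\System32\svchost.exe"),
    ("2021-02-11 10:04:50", r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe"),
    ("2021-02-11 10:05:12", r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    ("2021-02-11 10:05:40", r"C:\Users\alice\Documents\report.docx.locked"),
    ("2021-02-11 10:05:41", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    ("2021-02-11 10:30:00", r"C:\Program Files\Vendor\setup.exe"),   # after encryption started
    ("2021-02-10 08:00:00", r"C:\Users\alice\Downloads\tool.exe"),    # a day earlier
]


def triage(rows=SAMPLE_ROWS, ransom_exts: Tuple[str, ...] = (".locked",)):
    """Return (time of first encrypted file, candidate executables before it)."""
    timeline = parse_timeline(rows)
    t0 = first_encrypted(timeline, ransom_exts)
    if t0 is None:
        return None, []
    return t0, candidate_executables(timeline, t0)


if __name__ == "__main__":
    t0, cands = triage()
    print("first encrypted file seen at:", t0)
    for c in cands:
        flag = "  <- double extension" if has_double_extension(c) else ""
        print("  candidate:", c + flag)
```

The window is deliberately short: widen it when the ransomware was dropped long before it was triggered, and run the same search around the time of the initial compromise, as the text suggests.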

Ransomware Memory Forensics - Analysis of a Ransomware-Infected Memory Dump with Volatility

This section describes the investigation of the volatile memory of a machine that may have become the target of a ransomware attack.

The VMware memory dump and the challenge are from Blue Team Labs Online [1]. The investigation is done with Volatility 2 on a Kali Linux VM [2]. Volatility 3 needs no --profile and offers the equivalent plugins windows.info, windows.psscan, windows.pstree, windows.cmdline and windows.memmap --pid <PID> --dump.

First download the memory dump to the Kali Linux machine and unzip it; the file ‘infected.vmem’ is needed. Then start the memory forensics investigation with Volatility.

  • Find out the OS of the infected machine with imageinfo:
vol.py -f infected.vmem imageinfo

Use one of the suggested profiles (e.g. Win7SP1x86) as --profile. imageinfo often lists several candidates; if pslist or pstree return nothing or garbage with the chosen profile, try the next suggestion or confirm the profile with kdbgscan.

  • Find the suspicious process with psscan (unlike pslist it also lists terminated and unlinked processes):
vol.py -f infected.vmem --profile=Win7SP1x86 psscan
  • Find the initial malicious executable that created this process with pstree, which gives a hierarchical list of the processes:
vol.py -f infected.vmem --profile=Win7SP1x86 pstree
  • Find the process used to delete files by filtering the psscan output for the suspicious PID; its child processes show that number in their PPID column:
vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep <PID>
  • Find the path from which the malicious file was first executed with cmdline, filtered for the filename of the malicious file; this gives the full command line:
vol.py -f infected.vmem --profile=Win7SP1x86 cmdline | grep <filename.exe>
  • Find the name of the ransomware's key file, which in this challenge has the extension .eky.
    • First dump the memory of the malicious parent process with memdump:
vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p <PID> --dump-dir /home/user/directory
    • Then search this dump with strings for a file name ending in .eky (escape the dot so grep matches it literally; run strings a second time with -el to also catch UTF-16LE strings, which is how Windows usually stores paths in memory):
strings /home/user/directory/<pid>.dmp | grep -i '\.eky'
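The steps above can be scripted once the Volatility output and the process dump are on disk. The following is an added example, not code from the original page or from the Volatility project: it parses a psscan listing to answer what `pstree` and `psscan | grep <PID>` are used for (ancestry and children of a PID, by exact PPID match rather than a substring match), and carves file names with a given extension out of a process memory dump, covering both the ASCII strings plain `strings` finds and the UTF-16LE strings `strings -el` finds. The psscan text, the process names and PIDs, the memory blob and the key file names in it are constructed samples, not taken from the BTLO image.

```python
"""Triage helpers for the Volatility 2 steps above.

Added example, not part of the original page or of Volatility. PSSCAN_SAMPLE
and DUMP_SAMPLE are constructed stand-ins for `psscan` output and <pid>.dmp."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    created: str
    exited: Optional[str] = None


# Constructed Volatility 2 psscan output; the real columns are
# Offset(P) Name PID PPID PDB "Time created" ["Time exited"].
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003d4a1030 explorer.exe       1464   1420 0x3edc0300 2021-02-11 10:00:01 UTC+0000
0x000000003e03f700 evil_sample.exe    2496   1464 0x3edc0580 2021-02-11 10:05:12 UTC+0000
0x000000003e7b1a20 taskhelper.exe     2520   2496 0x3edc0620 2021-02-11 10:05:14 UTC+0000
0x000000003e9c2b40 cmd.exe            2544   2520 0x3edc06a0 2021-02-11 10:05:15 UTC+0000   2021-02-11 10:05:16 UTC+0000
0x000000003eab3c60 svchost.exe         880    500 0x3edc0120 2021-02-11 09:59:40 UTC+0000
"""


def parse_psscan(text: str) -> Dict[int, Proc]:
    """Parse psscan output into {pid: Proc}. Assumes names without spaces,
    which is how Volatility prints the 16-character ImageFileName."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].startswith("0x"):
            continue  # header, separator or blank line
        created = " ".join(f[5:8])                         # "YYYY-MM-DD HH:MM:SS UTC+0000"
        exited = " ".join(f[8:11]) if len(f) >= 11 else None
        procs[int(f[2])] = Proc(f[1], int(f[2]), int(f[3]), created, exited)
    return procs


def children_of(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Processes spawned by `pid`, oldest first. Exact PPID match, unlike
    `grep <PID>`, which also hits the number inside offsets or other PIDs."""
    return sorted((p for p in procs.values() if p.ppid == pid), key=lambda p: p.created)


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Names from `pid` up to the outermost known parent (pstree read bottom-up);
    the last non-system entry is the initial malicious executable."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:     # `seen` guards against PPID loops
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")             # what `strings` finds
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # what `strings -el` finds


def extract_strings(blob: bytes) -> List[str]:
    """Printable runs of at least 4 characters: ASCII first, then UTF-16LE.
    Windows keeps most paths in memory as UTF-16LE, so plain `strings` misses them."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]
    return out


def find_files_with_ext(blob: bytes, ext: str = ".eky") -> List[str]:
    """Distinct path-like strings ending in `ext`, in order of first appearance."""
    pat = re.compile(r"[\w\-.\\/:]*" + re.escape(ext) + r"\b", re.IGNORECASE)
    hits: List[str] = []
    for s in extract_strings(blob):
        for m in pat.finditer(s):
            if m.group() not in hits:
                hits.append(m.group())
    return hits


# Constructed stand-in for <pid>.dmp: binary noise around one ASCII path and
# two UTF-16LE paths; only two of the three carry the .eky extension.
DUMP_SAMPLE = (
    b"\x00\x00MZ\x90\x00junk\x01\x02"
    + b"C:\\Users\\alice\\Desktop\\keyfile.eky\x00\x01\x02"
    + "C:\\Users\\alice\\Desktop\\keyfile.pky".encode("utf-16-le") + b"\x00\x00"
    + "D:\\share\\backup.eky".encode("utf-16-le") + b"\x00\x00\x7f\x80\x81"
)


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_SAMPLE)
    suspicious = 2496
    print("ancestry:", " <- ".join(ancestry(procs, suspicious)))
    for c in children_of(procs, suspicious):
        print("child:", c.pid, c.name, "created", c.created)
    print("key files:", find_files_with_ext(DUMP_SAMPLE))
```

Feed it real data by reading the `psscan` output into `parse_psscan` and the `<pid>.dmp` file into `find_files_with_ext`; the UTF-16LE pass is what turns up Windows paths that a bare `strings | grep` never shows.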

References

  1. Blue Team Labs Online. 2021. Memory Analysis - Ransomware. https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d
  2. Whalen, S. 2021. How to Install Volatility 2 and Volatility 3 on Debian, Ubuntu, or Kali Linux. https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/

  • University of Maryland, Department of Information Technology. 2023. Incident Response Steps: Potential Ransomware Infection. https://itsupport.umd.edu/itsupport?id=kb_article_view&sysparm_article=KB0013905
  • cloudyforensics.medium.com. 2018. Ransomware Incident Response and Forensics. https://cloudyforensics.medium.com/ransomware-incident-response-and-forensics-bbe74fb4cd98
  • Dixon, S. 2021. BTLO: Memory Analysis — Ransomware. https://terguttac.medium.com/btlo-memory-analysis-ransomware-2523c2b5f864
  • infosecwriteups.com. 2021. Memory Analysis — Ransomware (BlueTeamLabs). https://infosecwriteups.com/memory-analysis-ransomware-blueteamlabs-f49765cd5b9c
  • Child, D. 2021. BTLO Challenge - Memory Analysis - Ransomware. Identifying Ransomware from a memory dump. https://dannychild.com/btlo-challenge-memory-analysis-ransomware/