Abstract: Given the prevailing spate of ransomware-based cyber-attacks, security researchers, particularly digital forensic researchers, are faced with developing mitigation strategies for the prevention of ransomware exploits. The generic anti-virus approach to ransomware detection and prevention uses signature-based rather than behaviour-based detection methods. Signature-based detection methods often induce high error rates, owing to the adaptive techniques employed by exploits and to the limitations of detecting novel patterns. Similarly, existing methods of recovery without ransom payment involve identifying loopholes or flaws within the ransomware itself, which is ineffective. This inefficiency can be attributed to the inherent inability to address the time-sensitivity, complexity and relatively dynamic characteristics of the mechanisms used in ransomware exploits. As a step towards identifying the emergence of ransomware attacks, and consequently preventing or recovering from a ransomware attack, this study developed and evaluated a context-aware ransomware mitigation mechanism. The mechanism integrates diverse ransomware triggers through which ransomware instantiation can be identified. The elicitation methods used in the triggers include entropy change, registry analysis, application programming interface (API) activity, and the loading of dynamic link libraries (DLLs). Using a series of experimental processes, the proposed mechanism was evaluated and a higher detection rate was obtained. The result supports the underlying theoretical assumption of the study, which further provides a fundamental basis for the development of a robust method of ransomware prevention. Furthermore, the result from this study can be integrated into a digital forensic readiness process for ransomware investigation. Such a process can be developed for pre-incident data acquisition and ransomware post-incident recovery.
Keywords: ransomware investigation, ransomware exploit identification, ransomware identification methods, entropy analysis, context-aware
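The entropy-change trigger named in the abstract, as an added example that is not the paper's own code: it compares per-file Shannon entropy across two snapshots and flags files that jumped from text-like to ciphertext-like values, which is the signal mass encryption leaves behind while ordinary edits do not. The file paths, thresholds and sample contents are constructed assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample data (not from the paper): in the "after" snapshot one text
# file has been replaced by pseudo-random bytes standing in for ciphertext, an
# archive stays high-entropy in both snapshots, and a second text file is unchanged.
_TEXT = b"Quarterly report: revenue, expenses and headcount figures for Q3. " * 64
_RNG = random.Random(20240101)
_ARCHIVE = bytes(_RNG.randrange(256) for _ in range(4096))
_CIPHER = bytes(_RNG.randrange(256) for _ in range(4096))

BEFORE = {"docs/report.txt": _TEXT, "backups/archive.zip": _ARCHIVE, "docs/notes.txt": _TEXT[:1024]}
AFTER = {"docs/report.txt": _CIPHER, "backups/archive.zip": _ARCHIVE, "docs/notes.txt": _TEXT[:1024]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_entropy_changes(before, after, min_delta=2.0, high_threshold=7.0):
    """Return (path, old_entropy, new_entropy) for files whose entropy rose by at
    least min_delta bits AND now sits at or above high_threshold.

    Both conditions are needed: the jump separates encryption from routine edits,
    and the absolute threshold stops files that were already high-entropy
    (archives, media) from being flagged by small fluctuations. A path absent from
    the earlier snapshot is treated as having entropy 0, so a newly written
    ciphertext-like file is also reported.
    """
    flagged = []
    for path, new_bytes in after.items():
        old = shannon_entropy(before.get(path, b""))
        new = shannon_entropy(new_bytes)
        if new >= high_threshold and new - old >= min_delta:
            flagged.append((path, round(old, 2), round(new, 2)))
    return flagged


if __name__ == "__main__":
    for path, old, new in flag_entropy_changes(BEFORE, AFTER):
        print(f"entropy trigger: {path} {old} -> {new} bits/byte")
```

In a live monitor the same check runs on write events rather than full snapshots, and a burst of flagged paths within a short window is the context that the other triggers (registry, API and DLL activity) would corroborate.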
1. Introduction
Malicious software (malware), with its diverse variants, constitutes a major research challenge to security and digital forensic researchers as well as practitioners. With over three decades of existence (Savage et al. 2011) and yearly exponential growth, malware poses a continuous existential nightmare to researchers and practitioners alike (Abraham & Chengalur-Smith 2010). A variant of malware known as ransomware can spread rapidly over a network, rendering the system inaccessible and the end-user helpless. Ransomware uses strong encryption to encrypt files on a system whilst withholding the decryption keys for those files pending a ransom. Such ransom is usually demanded in untraceable currency, cryptocurrency being...