Title

RANSOMWARE DETECTION AND PREVENTION USING MEMORY FORENSICS

Academic Title

Professor of Computer Science

College

MCCB

Department

Computer Science and Information Systems

Primary Campus

Dahlonega

Title of Award Granted

Presidential Summer 2020 Incentive Award

Name of Institution that Granted the Award

University of North Georgia

Keywords

ransomware, virtual machine, memory forensics, volatility, encryption

Abstract

Ransomware is a special type of malware that infects a system and limits a user’s access to the system and its resources until a ransom is paid. In the past few years, this malware has become popular among cybercriminals, and it is regarded as a billion-dollar industry. Cybercriminals launch ransomware attacks to extort money. Some of the most recent well-known ransomware families include WannaCry, Petya and Bad Rabbit. WannaCry attacked known Windows network vulnerabilities using various exploits, which allowed an intruder to execute arbitrary code on a targeted system by transmitting customized data packets. WannaCry made global headlines after infecting more than 230,000 systems in over 150 countries and causing an estimated $5 billion in damages. Like WannaCry, Petya used Windows vulnerabilities to propagate itself. It impacted large organizations in multiple countries, causing billions of dollars in damage. Another example of rapidly growing ransomware is Bad Rabbit, which appeared shortly after the WannaCry and Petya ransomware families made headlines. Bad Rabbit targeted Ukraine’s Ministry of Infrastructure and Kiev’s public transport system.

The objective of this research is to use various tools and techniques to hunt ransomware using memory forensics. We create a virtual network environment for ransomware execution and analysis. Through memory analysis, we examine the behavior of various ransomware samples while they are resident in the memory of the infected machine. Based on these behaviors, we propose and implement a framework for the detection and prevention of ransomware. The proposed framework monitors ransomware processes using various plugins of the Volatility memory forensics tool. These plugins examine the ransomware processes and display the actions taken by the ransomware once it infects the machine. These actions may include encrypting files, renaming themselves to avoid detection by antivirus software, changing file names, etc. Based on these behaviors, we develop the framework for preventing ransomware from spreading and infecting the entire machine. Our proposed framework would complement existing ransomware research in various ways, including the environment, the tools, the ransomware dataset and the structure.
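As an added illustration of the kind of cross-check such a framework can automate (this is example code written for this page, not the authors' framework), the Python script below turns three of the behaviors named in the abstract into triage rules over memory-forensics output: a process whose kernel-side name disagrees with the executable it was launched from (self-renaming), a system binary name running outside the Windows directory, and a process holding an unusually large number of handles, as happens when many files are opened and rewritten in a short time. The two input tables are constructed samples whose column layout is assumed to follow Volatility 3's `windows.pslist` and `windows.cmdline` plugins rendered as CSV; every PID, offset, name and path is made up, and the handle threshold is an arbitrary starting point that should be tuned against a clean baseline image.

```python
import csv
import io
import ntpath

# Constructed sample output (not from a real memory image). The column layout is
# assumed to follow Volatility 3's windows.pslist and windows.cmdline plugins
# when rendered as CSV; every PID, name, offset and path is made up.
PSLIST_CSV = """\
PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime
4,0,System,0xfa80018a6040,100,600,N/A,False,2020-06-01 10:00:00,N/A
512,4,svchost.exe,0xfa8001a2b060,12,310,0,False,2020-06-01 10:00:05,N/A
1840,980,explorer.exe,0xfa8001b9e060,40,1200,1,False,2020-06-01 10:01:10,N/A
2312,1840,svchost.exe,0xfa8001c4d060,9,2750,1,False,2020-06-01 10:12:43,N/A
2400,1840,notepad.exe,0xfa8001d11060,2,120,1,False,2020-06-01 10:13:02,N/A
"""

CMDLINE_CSV = """\
PID,Process,Args
4,System,-
512,svchost.exe,C:\\Windows\\System32\\svchost.exe -k netsvcs
1840,explorer.exe,C:\\Windows\\explorer.exe
2312,svchost.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\invoice_2020.exe
2400,notepad.exe,C:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt
"""

# Names used by legitimate Windows binaries; a process wearing one of these
# names but running from a user-writable directory deserves a closer look.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\",)


def parse_csv(text):
    """Parse a CSV-rendered plugin table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def executable_from_args(args):
    """Return the executable path from a command line, or None if there is none."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        token = args[1:end] if end > 0 else args[1:]
    else:
        token = args.split()[0] if args else ""
    return token if "\\" in token else None


def triage(pslist_csv, cmdline_csv, handle_threshold=2000):
    """Cross-check pslist against cmdline and return a list of findings."""
    cmdlines = {row["PID"]: row["Args"] for row in parse_csv(cmdline_csv)}
    findings = []
    for row in parse_csv(pslist_csv):
        pid, name = int(row["PID"]), row["ImageFileName"]

        def flag(rule, detail):
            findings.append({"pid": pid, "name": name, "rule": rule, "detail": detail})

        # Behavior 1: many handles open at once, as when a process walks and
        # rewrites large numbers of files. A blunt heuristic; the threshold is
        # an assumed starting point to tune against a clean baseline image.
        handles = row["Handles"]
        if handles.isdigit() and int(handles) > handle_threshold:
            flag("high_handles", f"{handles} handles (> {handle_threshold})")

        exe = executable_from_args(cmdlines.get(row["PID"], ""))
        if exe is None:
            continue
        exe_base = ntpath.basename(exe).lower()
        exe_dir = ntpath.dirname(exe).lower() + "\\"

        # Behavior 2: the kernel's ImageFileName (truncated to 15 characters in
        # EPROCESS, hence the prefix test) disagrees with the executable the
        # process was launched from: self-renaming or a tampered command line.
        if not exe_base.startswith(name.lower()):
            flag("name_mismatch", f"pslist says {name!r}, cmdline says {exe_base!r}")

        # Behavior 3: a system binary name running outside the Windows directory.
        if name.lower() in SYSTEM_NAMES and not exe_dir.startswith(SYSTEM_DIR_PREFIXES):
            flag("nonsystem_path", f"{name} launched from {exe_dir}")
    return findings


if __name__ == "__main__":
    for f in triage(PSLIST_CSV, CMDLINE_CSV):
        print(f"PID {f['pid']:>5} {f['name']:<15} {f['rule']:<15} {f['detail']}")
```

Run against the constructed tables, only PID 2312 is reported, once for each of the three rules; lowering the handle threshold to 1000 also pulls in `explorer.exe`, which shows why the threshold has to come from a baseline of the same image type rather than a fixed number.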

Biography

Dr. Ahmad Ghafarian is a full-time Professor of Computer Science & Cybersecurity at the University of North Georgia in Dahlonega, GA. His educational credentials include a Postdoctoral Fellowship in Information Security, a Ph.D. and an M.S. in Computer Science, and a B.S. in Mathematics. He specializes in and conducts research in various areas of cybersecurity including, but not limited to, Malware Analysis, Digital Forensics, Cloud Computing Security, SQL Injection Attacks, and Software Security. He has about forty peer-reviewed publications to his credit.

Proposal Type

Poster

Additional Presenter Information

  • Professor of Computer Science
  • Mike Cottrell College of Business
  • Department of Computer Science and Information Systems
  • Dahlonega

Presentation Option

yes

Subject Area

Computer Science/GIS
