Penerapan Metode SANS Pada Studi Kasus Serangan Ransomware Eksploitasi FOLLINA (CVE-2022-30190)
DOI:
https://doi.org/10.14421/csecurity.2026.9.1.5491Abstract
Serangan siber modern pada era ini semakin kompleks, seringkali eksploitasi serangannya menggabungkan berbagai vektor untuk menembus pertahanan. Penelitian ini bertujuan untuk menganalisis secara mendalam sebuah studi kasus forensik digital terhadap serangan ransomware yang memanfaatkan kerentanan Follina (CVE-2022-30190). Metode yang diterapkan adalah Siklus Respons Insiden dari SANS Institute, sebuah pendekatan kualitatif yang membedah insiden dengan enam fase: Preparation, Identification, Containment, Eradication, Recovery, dan Lessons Learned. Hasil investigasi berhasil merekonstruksi seluruh rantai serangan yang dilakukan oleh kelompok BlackPython Team, dimulai dari melakukan pengintaian, infiltrasi melalui spear-phishing, eksekusi kode jarak jauh via eksploitasi Follina, hingga pemasangan backdoor dan eksekusi akhir ransomware. Analisis artefak digital dari sistem dan jaringan mengungkap setiap Taktik, Teknik, dan Prosedur (TTPs) yang digunakan pelaku. Kesimpulannya, penerapan metode SANS terbukti efektif untuk mengurai serangan multi-vektor yang canggih dan memberikan kerangka kerja yang komprehensif. Investigasi ini tidak hanya mengidentifikasi modus operandi pelaku tetapi juga menghasilkan rekomendasi mitigasi strategis untuk memperkuat postur keamanan siber berdasarkan setiap fase respons insiden.
Kata kunci: Forensik Digital, Respons Insiden, SANS, Ransomware, CVE-2022-30190
----------------------------------------------------------------------
Application Of The SANS Method In A Case Study Of A Ransomware Attack Exploiting FOLLINA (CVE-2022-30190)
Modern cyberattacks are increasingly complex, often combining multiple attack vectors to penetrate defenses. This research aims to conduct an in-depth digital forensic analysis of a ransomware attack exploiting the Follina vulnerability (CVE-2022-30190). The method applied is the SANS Institute's Incident Response Cycle, a qualitative approach that analyzes incidents into six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The investigation successfully reconstructed the entire attack chain carried out by the BlackPython Team, starting from reconnaissance, infiltration via spear-phishing, remote code execution via the Follina exploit, to backdoor installation and final ransomware execution. Analysis of digital artifacts from the system and network revealed every Tactic, Technique, and Procedure (TTP) used by the perpetrator. In conclusion, the application of the SANS method proved effective in unraveling sophisticated multi-vector attacks and provided a comprehensive framework. This investigation not only identified the perpetrator's modus operandi but also generated strategic mitigation recommendations to strengthen cybersecurity posture based on each phase of the incident response.
Keywords: Digital Forensics, Incident Response, SANS, Ransomware, CVE-2022-30190
References
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Khairin
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
You are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
