Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method


Keywords: Traffic network, Hash Signature

How to Cite

Umar, R., Riadi, I., & Kusuma, R. S. (2021). Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method. IJID (International Journal on Informatics for Development), 10(1), 53–61.


Ransomware has become a dangerous threat that has grown rapidly in recent years. One variant is Conti ransomware, which can spread its infection and encrypt data simultaneously. Its attacks pose a severe threat and damage the system: they encrypt data on the victim's computer, spread to other computers on the same computer network, and demand a ransom. This ransomware works through registry queries, which cover all of its behavior in accessing, deleting, creating and manipulating data and in communicating with C2 (Command and Control) servers. This study analyzes the Conti attack through a network forensic process based on network behavior logs. The research process consists of three stages: the first simulates attacks on the host computer, the second carries out network forensics using the live forensics method, and the third analyzes the malware using statistical and dynamic analysis. The results provide forensic data and the virus's behavior while it runs in RAM and on the computer network, so that the data obtained makes it possible to identify ransomware traffic on the network and to deal with zero-day threats, especially ransomware. This is possible because the analysis is an initial step in generating virus signatures based on network indicators.
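As an added illustration of the last step the abstract describes (turning network behavior logs into a signature built from network indicators and a sample hash), the script below is example code written for this page, not the authors' tooling. It assumes a simple constructed log format, an assumed lab subnet, an assumed lateral-spread port and an assumed fan-out threshold; the log lines, addresses and sample bytes are all constructed and are not Conti indicators.

```python
import hashlib
from collections import defaultdict

# Constructed network-behavior log lines (not from the paper):
# "timestamp src_ip dst_ip dst_port proto". 203.0.113.10 is a
# documentation address standing in for an external C2 candidate.
LOG_LINES = """\
1 10.0.0.5 10.0.0.7 445 tcp
2 10.0.0.5 10.0.0.8 445 tcp
3 10.0.0.5 10.0.0.9 445 tcp
4 10.0.0.5 10.0.0.10 445 tcp
5 10.0.0.5 203.0.113.10 443 tcp
6 10.0.0.5 203.0.113.10 443 tcp
7 10.0.0.6 10.0.0.1 53 udp
""".splitlines()

INTERNAL_PREFIX = "10.0.0."   # assumed lab subnet
SPREAD_PORT = 445             # assumed port used for lateral spread (SMB)
FANOUT_THRESHOLD = 3          # assumed: distinct internal peers before a host is flagged
SAMPLE = b"constructed placeholder sample, not a real ransomware binary"

def parse_lines(lines):
    """Parse the constructed log format into a list of connection records."""
    recs = []
    for line in lines:
        ts, src, dst, port, proto = line.split()
        recs.append({"ts": int(ts), "src": src, "dst": dst,
                     "port": int(port), "proto": proto})
    return recs

def derive_indicators(recs):
    """Per source host: internal peers contacted on the spread port, and external destinations."""
    spread, external = defaultdict(set), defaultdict(set)
    for r in recs:
        if r["dst"].startswith(INTERNAL_PREFIX):
            if r["port"] == SPREAD_PORT:
                spread[r["src"]].add(r["dst"])
        else:
            external[r["src"]].add((r["dst"], r["port"]))
    return spread, external

def build_signature(sample_bytes, recs):
    """Combine the sample's SHA-256 with network indicators of hosts showing spread-like fan-out."""
    spread, external = derive_indicators(recs)
    sig = {"sha256": hashlib.sha256(sample_bytes).hexdigest(), "hosts": {}}
    for host, peers in spread.items():
        if len(peers) >= FANOUT_THRESHOLD:
            sig["hosts"][host] = {"spread_peers": sorted(peers),
                                  "c2_candidates": sorted(external.get(host, set()))}
    return sig
```

Running `build_signature(SAMPLE, parse_lines(LOG_LINES))` flags only 10.0.0.5, listing its four internal peers and the external 203.0.113.10:443 pair as the C2 candidate; 10.0.0.6 is not flagged because a single DNS lookup is not fan-out on the spread port.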



This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.