
Addressing Emerging Challenges in Cybersecurity & Digital Forensics

In the 21st century, computers and computer-aided devices have advanced rapidly. Through them, the internet has enabled us to accomplish tasks quickly and accurately, store vast amounts of data in the cloud, communicate effectively and efficiently, and work remotely, among many other advantages. The way we communicate and access knowledge has changed drastically over the years as the internet has evolved. It is essential to stay informed about the latest advancements and the challenges that have repeatedly arisen within the field of digital forensics. This essay aims to encourage the students enrolled in the digital forensics class to explore and critically analyze ransomware attacks and the significant challenges they present for professionals in digital forensics and cybersecurity by negatively impacting investigation techniques and processes. The evolving tactics of both defenders and attackers are explored and analyzed to shed light on the implications for cybersecurity professionals.

Ransomware Attacks

Ransomware is malware that blocks an organization's or individual user's access to files on devices they own, whether remotely or physically, and demands a ransom after encrypting those files (Razaulla et al., 2023). If the ransom is not paid, the cybercriminals leak, destroy, or sell the data to another willing buyer. Locker and Crypto ransomware are the standard categories, although other types have also become prominent.

Locker ransomware prevents victims from opening systems they own, for example by resetting the PIN. Victims can still see the screen, but it shows only the instructions for paying the ransom. Locker ransomware can often be removed efficiently with an on-demand scanner or by booting the computer into safe mode and then rebooting it. Crypto ransomware is the most common type of ransomware in the world. It encrypts the victim's essential data, such as videos, documents, and pictures, without interfering with other device functions. Data encrypted with algorithms such as Rivest-Shamir-Adleman (RSA) and Advanced Encryption Standard (AES) is hard to recover because, if implemented correctly, the encryption is effectively irreversible without the key (Razaulla et al., 2023).

Occasionally, the two types, locker and crypto, are used together to ensure the victim pays the required ransom. Extortion can continue even after the ransom is paid, since the attackers are driven by the large sums of money involved. Cybercriminals combine psychological tactics with technology to ensure they succeed; for instance, where only locker ransomware has been used, they can display pornographic content on the locked screen. Other types of ransomware are known as Leakware and Scareware (Razaulla et al., 2023).

Ransomware attacks typically follow six primary stages: infection, staging, distribution, encryption, scanning, and payment. Infection is the stage at which the malware is installed on the device and begins to run. In the staging phase, the malware establishes persistence, embedding itself within the system so that it survives any reboot, and then starts communicating with the outside world; for example, the victim's data can be uploaded to a recently registered IP address or domain. The distribution phase spreads the malware to the specific devices the criminals have targeted; the standard distribution techniques are exploit kits, phishing emails, and malicious websites. Encryption involves the malware locating and encrypting the victim's essential files. Scanning is the process by which the malware searches local computer resources and the network for essential data to encrypt, including cloud storage accounts such as Dropbox. Payment is the last step, with all the directions for paying the ransom displayed on the victim's screen (Razaulla et al., 2023).

Challenges Digital Forensic Investigations Face

Tracking and identifying ransomware attackers is challenging today for several reasons. Ransomware attackers continue to use sophisticated encryption techniques such as Salsa20 and AES, which makes the ransomware hard to detect. The true intent of ransomware developers is usually concealed with sophisticated code obfuscation and packing techniques, making it hard for available anti-malware tools to scan for and detect the malware. As a result, attackers can evade the cybersecurity experts and law enforcement agencies tracking them. In addition, anonymous peer-to-peer (P2P) payment technologies are widely used by ransomware criminals to evade the authorities, since such payments are untraceable. Developers also offer a variant known as Ransomware-as-a-Service (RaaS), which enables individuals who lack technical skills to operate as ransomware criminals (Cen et al., 2024).

Data recovery after a ransomware attack is complicated by the encryption. Robust cryptographic algorithms such as RSA are used to encrypt the data, and without the decryption key it is impossible to recover. Furthermore, cybercriminals complicate recovery further by securely deleting the decryption keys so that they cannot be recovered. Cybersecurity firms such as Fortinet and Cisco have provided solutions that have not kept pace with the tactics of cybercriminals. Because decrypting devices hit by ransomware is extremely difficult, it is essential to rely on preventive measures such as security software, email security, user education, patch management, regular backups, and endpoint protection.

The cyber insurance industry has been criticized for failing to develop effective measures against ransomware, since insurers tend to pay out to clients rather than confronting the perpetrators by investing in research and improving the security of devices. Ransomware remains lucrative for criminals despite the initiatives of law enforcement and government agencies and military cyber units.

Case Study

Several ransomware attacks have occurred, including the NHS WannaCry attack and the attacks on Colonial Pipeline, Nvidia, Shell, and JBS (Razaulla et al., 2023). The ransomware attack on Colonial Pipeline occurred in May 2021. The DarkSide hacking group, operating under the RaaS model, took advantage of flaws in the design of Colonial Pipeline's network and gained entry through VPN access. The group encrypted important files and copied them for further use. Colonial Pipeline had to pay the ransomware group $5 million to regain control of the company's systems. On 7th May 2021, Colonial Pipeline shut down its operations on the East Coast of the United States, which led to panic buying, gas shortages, and a rise in fuel prices in the region (Greubel et al., 2023).

DarkSide offers its customers the version of the malware they want on a subscription basis. Once deployed, the malware encrypts systems using the RSA-1024 and Salsa20 encryption algorithms, steals data, and deletes volume shadow copies by executing an encoded PowerShell command. The attackers may have used several methods, such as installing backdoors, password attacks, brute force, and penetrating VPN networks using SQL injection. They were also observed using Mimikatz, dumping and accessing the Local Security Authority Subsystem Service (LSASS), and exploiting the Zerologon vulnerability (Leu et al., 2023).
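The shadow-copy deletion step described above is a well-known detection hook for investigators: because the PowerShell command is base64-encoded, a detector has to look through the encoding before matching. As an added example (not from the essay or any of the cited papers), the following Python script decodes PowerShell -EncodedCommand arguments and flags process command lines that delete volume shadow copies; the sample command lines and the encoded payload are constructed for the example.

```python
import base64
import re

# Constructed sample command lines (CommandLine field of a Windows process-creation
# event); they are made up for this example, not taken from a real incident.
_PAYLOAD = "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -Command Get-Process",
    f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_ENCODED}",
    "vssadmin.exe list shadows",
    "cmd.exe /c vssadmin delete shadows /all /quiet",
]

# PowerShell's -EncodedCommand switch (and its abbreviations) followed by base64.
_ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Shadow-copy deletion indicators of the kind found in public detection rules.
_SHADOW_DELETE_RES = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*?(?:remove-wmiobject|\.delete\(\))", re.I),
]


def decode_encoded_command(cmdline):
    # PowerShell base64-encodes the script as UTF-16LE, so decode it the same way.
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except ValueError:  # bad base64 padding, or decoded bytes are not UTF-16 text
        return None


def analyze(cmdline):
    # Match against the decoded script when one is present, since the raw command
    # line reveals nothing about an encoded payload.
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else decoded
    hit = any(r.search(text) for r in _SHADOW_DELETE_RES)
    return {"encoded": decoded is not None, "decoded": decoded, "shadow_copy_deletion": hit}


def scan(cmdlines):
    # Return one finding per command line that deletes volume shadow copies.
    findings = []
    for index, cmdline in enumerate(cmdlines):
        result = analyze(cmdline)
        if result["shadow_copy_deletion"]:
            findings.append({"index": index, **result})
    return findings
```

Run over the constructed samples, `scan` flags the encoded PowerShell line and the plain vssadmin deletion while ignoring the benign listing and the harmless PowerShell command.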

In conclusion, the ongoing ransomware attacks on organizations such as Colonial Pipeline, Shell, and Nvidia have negatively impacted investigation processes and techniques. The primary tactic of ransomware groups is to encrypt the victim's files with malware and then demand a substantial ransom to restore access, as in the case of Colonial Pipeline. Although other types of ransomware exist, the most common are Crypto and Locker. Locker is effective, so most ransomware groups use it alongside Crypto, which relies on advanced encryption methods such as AES and RSA. Where the ransomware combines RSA and AES, it is hard for victims to recover their files unless they pay the demanded ransom.

Ransomware groups typically use sophisticated techniques and tools to evade tracking and detection, including untraceable payment methods, encryption, and obfuscation. Ransomware is one of the most lucrative business models for cybercriminal groups, so preventive measures such as user education and improved software security can often be bypassed. The Colonial Pipeline case study highlights how devastating the consequences of ransomware attacks can be. It is therefore essential for all stakeholders to collaborate and develop proactive measures to curb ransomware attacks as technology advances.

References

Cen, M., Jiang, F., Qin, X., Jiang, Q., & Doss, R. (2024). Ransomware early detection: A survey. Computer Networks, 239, 110138. https://doi.org/10.1016/j.comnet.2023.110138

Greubel, A., Andres, D., & Hennecke, M. (2023). Analyzing reporting on ransomware incidents: A case study. Social Sciences, 12(5), Article 5. https://doi.org/10.3390/socsci12050265

Leu, D., Udroiu, C., Raicu, G., Gârban, H., & Scheau, M. (2023). Analysis of some case studies on cyberattacks and proposed methods for preventing them. Revista Română de Informatică Și Automatică, 33, 119–134. https://doi.org/10.33436/v33i2y202309

Razaulla, S., Fachkha, C., Markarian, C., Gawanmeh, A., Mansoor, W., Fung, B. C. M., & Assi, C. (2023). The age of ransomware: A survey on the evolution, taxonomy, and research directions. IEEE Access, 11, 40698–40723. https://doi.org/10.1109/ACCESS.2023.3268535
