Ransomware: Analysis and Evaluation of Live Forensic Techniques and the Impact on Linux based IoT Systems

Salko Korac, Leandros Maglaras, Naghmeh Moradpoor, Bill Buchanan, Berk Canberk

TL;DR

This paper researches how currently employed forensic techniques can be applied to Linux ransomware and evaluates their maturity as well as their impact on the system, in order to discuss and assess implications for the IoT industry at an early stage of development.

Abstract

Ransomware has predominantly been a threat to Windows systems. However, Linux systems have become interesting to cybercriminals, and this trend is expected to continue. This endangers IoT ecosystems, since many IoT systems are based on Linux (e.g. cloud infrastructure and gateways). This paper researches how currently employed forensic techniques can be applied to Linux ransomware and evaluates their maturity as well as their impact on the system. While Windows-based ransomware predominantly uses RSA and AES for key management, a variety of approaches was identified for Linux. Cybercriminals appear to be deliberately moving away from RSA and AES to make live forensic investigations more difficult. Linux ransomware is developed for a predefined goal and does not exploit its full potential for damage. It appears to be at an early stage and is expected to reach a potential similar to that of Windows-based malware. The results provide a solid basic understanding from which to discuss and assess implications for the IoT industry at an early stage of development.

Paper Structure (17 sections, 5 figures, 7 tables)

This paper contains 17 sections, 5 figures, 7 tables.

Figures (5)

  • Figure 1: Attack chain with conscious decision about further use
  • Figure 2: Response chain from victim's view
  • Figure 3: Playbook for experiment execution
  • Figure 4: Environment design, including test environment
  • Figure 5: Ransom Message of Cl0p Linux ransomware