SAFARI: a Scalable Air-gapped Framework for Automated Ransomware Investigation

Tommaso Compagnucci, Franco Callegati, Saverio Giallorenzo, Andrea Melis, Simone Melloni, Alessandro Vannini

TL;DR

SAFARI addresses the need for safe, scalable ransomware research by providing an open-source, air-gapped framework that automates experiments on isolated VMs using Infrastructure-as-Code and OS-agnostic task automation. The authors implement a prototype with Terraform, Ansible, and Proxmox, and integrate Filechecker and Profiler tools that compare pristine and post-attack snapshots of the victim file system and aggregate the results into hierarchical (per-directory) statistics. They demonstrate the approach through two case studies: profiling five major ransomware strains to reveal their encryption patterns and file-targeting strategies, and benchmarking Ranflood against three strains to assess its mitigation effectiveness. The results illustrate distinct attacker strategies (e.g., targeting AppData, or writing encrypted replicas rather than encrypting in place) and show that copy-based flooding can reduce data loss, supporting SAFARI's value for research and defence development. The work aims to democratise access for small labs and educators, and points to future expansions to broader malware families and hybrid on-prem/cloud deployments.
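The TL;DR mentions pristine versus post-attack reports and hierarchical statistics but does not describe the Filechecker or Profiler interfaces. The following Python sketch is an added illustration, not the authors' code, of what such a comparison can look like: it diffs a constructed pristine snapshot against a post-attack snapshot of a file tree, flags files whose contents were replaced by high-entropy data or re-written under a renamed path (both common ways ransomware leaves ciphertext), and rolls the per-file verdicts up to every ancestor directory. The paths, the entropy threshold and the simulated strain are all assumptions made for the example.

```python
import math
import random
from collections import Counter, defaultdict

# Assumed threshold (bits per byte): plain text sits around 4-5, ciphertext and
# compressed data near 8. Compressed media is naturally high-entropy, so the hash
# change is required before entropy is consulted.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_snapshots(pristine: dict, post: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Per-file verdict: unchanged, modified, encrypted, deleted or new.

    Both snapshots map a slash-separated relative path to the file's bytes. An
    original that disappears but reappears under a longer name with high-entropy
    content (e.g. report.docx -> report.docx.locked) is reported as encrypted
    under its original path.
    """
    report = {}
    new_paths = set(post) - set(pristine)
    for path, original in pristine.items():
        if path in post:
            current = post[path]
            if current == original:
                report[path] = {"status": "unchanged"}
            elif shannon_entropy(current) >= threshold:
                report[path] = {"status": "encrypted", "entropy": round(shannon_entropy(current), 2)}
            else:
                report[path] = {"status": "modified"}
            continue
        # Original is gone: look for a renamed ciphertext that extends its name.
        renamed = next((p for p in sorted(new_paths) if p.startswith(path)), None)
        if renamed is not None and shannon_entropy(post[renamed]) >= threshold:
            report[path] = {"status": "encrypted", "renamed_to": renamed}
            new_paths.discard(renamed)
        else:
            report[path] = {"status": "deleted"}
    for path in new_paths:
        # Exists only after the attack: ransom note, dropped binary, ...
        report[path] = {"status": "new"}
    return report


def hierarchical_profile(report: dict) -> dict:
    """Roll per-file verdicts up to every ancestor directory: dir -> {status: count}."""
    profile = defaultdict(lambda: defaultdict(int))
    for path, verdict in report.items():
        parts = path.split("/")
        for depth in range(1, len(parts)):
            profile["/".join(parts[:depth])][verdict["status"]] += 1
    return {d: dict(counts) for d, counts in profile.items()}


# Constructed sample snapshot (not data from the paper).
PRISTINE = {
    "Users/alice/Documents/report.docx": b"Quarterly report, plain prose body. " * 40,
    "Users/alice/Documents/notes.txt": b"todo: rotate keys; call Bob\n" * 20,
    "Users/alice/AppData/Local/cache.bin": bytes(range(64)) * 8,
    "Users/alice/Pictures/cat.jpg": b"\xff\xd8\xff\xe0JFIF" + bytes(range(256)) * 4,
    "Windows/System32/kernel32.dll": b"MZ" + b"\x90" * 500,
}


def simulate_attack(pristine: dict, seed: int = 1) -> dict:
    """Hypothetical strain: encrypts Documents via rename, Pictures in place, drops a note."""
    rng = random.Random(seed)

    def ciphertext(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))  # stand-in for real cipher output

    post = dict(pristine)
    for path in list(post):
        if "/Documents/" in path:
            del post[path]
            post[path + ".locked"] = ciphertext(4096)
        elif "/Pictures/" in path:
            post[path] = ciphertext(4096)
    post["Users/alice/Documents/README.txt"] = b"Your files are encrypted. Contact us to recover them.\n"
    return post


def run_example() -> dict:
    report = compare_snapshots(PRISTINE, simulate_attack(PRISTINE))
    return hierarchical_profile(report)


if __name__ == "__main__":
    for directory, counts in sorted(run_example().items()):
        print(f"{directory:40s} {counts}")
```

The per-directory roll-up is what makes targeting strategies visible at a glance: a strain that leaves `Windows` untouched but reports every file under `Users/alice/Documents` as encrypted has a different profile from one that also hits `AppData`. A practitioner would run the comparison from the hypervisor side against exported disk images rather than from inside the victim VM, so the report cannot be tampered with by the sample.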

Abstract

Ransomware poses a significant threat to individuals and organisations, calling for tools to investigate its behaviour and the effectiveness of mitigations. To answer this need, we present SAFARI, an open-source framework designed for safe and efficient ransomware analysis. SAFARI's design emphasises scalability, air-gapped security, and automation, democratising access to safe ransomware investigation tools and fostering collaborative efforts. SAFARI leverages virtualisation, Infrastructure-as-Code, and OS-agnostic task automation to create isolated environments for controlled ransomware execution and analysis. The framework enables researchers to profile ransomware behaviour and evaluate mitigation strategies through automated, reproducible experiments. We demonstrate SAFARI's capabilities by building a proof-of-concept implementation and using it to run two case studies. The first analyses five renowned ransomware strains (including WannaCry and LockBit) to identify their encryption patterns and file-targeting strategies. The second evaluates Ranflood, a countermeasure tool, against three dangerous strains. Our results provide insights into ransomware behaviour and the effectiveness of countermeasures, showcasing SAFARI's potential to advance ransomware research and defence development.

Paper Structure

This paper contains 11 sections, 6 figures, 1 table.

Figures (6)

  • Figure 1: SAFARI's prototype architecture and functionalities.
  • Figure 2: Schema of the Hierarchical Profile.
  • Figure 3: SAFARI's Prototype Deployment Infrastructure.
  • Figure 4: Visualisation of the user's file profiles.
  • Figure 5: Attack profiles of Vipasana/Ryuk, WannaCry, LockBit, and Phobos.
  • ...and 1 more figure