This research project is funded by the Ministry of Science, Innovation and Universities of Spain under the call «Proyectos de Generación de Conocimiento» 2023 (reference code PID2023-151467OA-I00). Our project was funded with 178.750,00€, to be carried out from XXX 1, 2024 to XXX 30, 2027.
Project Goals
The main goal of this research project is the design and development of an analysis system that collects data from running processes, obtained through dynamic analysis and memory forensic analysis, and uses it to detect whether the process is crypto-ransomware and to identify any encryption keys it holds. This software system will be made up of different components grouped into a single analysis workflow, which will make it possible to respond to security incidents related to crypto-ransomware attacks in the shortest possible time. The entire software system will be designed in a modular way to allow its incremental development. Working in a modular way also makes it possible to build independent tools tailored to specific needs that are applicable to other analysis workflows, not just in the context of this project. To achieve this main goal, the following research subgoals (SG) are formulated:
- SG 1. Identification of behavior patterns related to crypto-ransomware. We must be able to identify when a process is behaving like crypto-ransomware. Therefore, we will investigate the behavior of samples from different crypto-ransomware families by applying dynamic program binary analysis (such as tracing and dynamic binary instrumentation, among others) in sandbox environments, following best practices for malware research. This will allow us to characterize crypto-ransomware through its behavior patterns. Once the research phase is concluded, we will develop a software component to address these issues. Additionally, we will use our collected data to explore machine learning techniques and predictive process mining as a way to predict the future behavior of a process. As a result, a software component will be obtained that is part of the proposed EDR software system.
- SG 2. Identification and extraction of memory artifacts related to encryption keys. We must be able to identify the memory artifacts related to the encryption keys. Therefore, we will investigate which memory artifacts are relevant to different ciphers, how to identify them, how the timing of memory acquisitions affects the number of artifacts successfully retrieved, and how to record all these data. Current research has already proved this is feasible under certain circumstances. Once the research phase is concluded, we will develop a software component to deal with these issues, and we will consider adding this functionality to Volatility 3, the de facto tool in memory forensics. We will also develop a software component to decrypt the files encrypted by the crypto-ransomware using the extracted encryption keys. As a result, two software components will be obtained that are part of the proposed EDR system.
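As an illustration of the kind of memory artifact SG 2 refers to, the following is an added example (not code from this project): for AES, most implementations keep the expanded key schedule (176 bytes for AES-128) in memory while encrypting, and each round key is derived from the previous one by the fixed FIPS-197 expansion rule. A scanner can therefore treat every 16-byte window as a candidate key, expand it, and report windows whose following 160 bytes match; this is the approach used by tools such as aeskeyfind from the cold-boot research. The memory image below is constructed in the script itself (pseudo-random filler with one schedule embedded at a known offset and a bare copy of the key elsewhere); function names are the example's own.

```python
"""Scan a memory image for AES-128 key schedules (added example, constructed data)."""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> list:
    """Build the AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    inverse = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inverse[x] = y
                break

    def rot(v: int, n: int) -> int:
        return ((v << n) | (v >> (8 - n))) & 0xFF

    return [s ^ rot(s, 1) ^ rot(s, 2) ^ rot(s, 3) ^ rot(s, 4) ^ 0x63 for s in inverse]


SBOX = _build_sbox()
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes each for AES-128


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for a 16-byte key; returns the full 176-byte schedule."""
    assert len(key) == 16
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]            # RotWord
            t = [SBOX[b] for b in t]     # SubWord
            t[0] ^= rcon                 # Rcon for this round
            rcon = _gf_mul(rcon, 2)
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for w in words for b in w)


def find_aes128_schedules(image: bytes) -> list:
    """Return (offset, key) for every window that is a consistent AES-128 key schedule.

    The first 16 bytes at each offset are the candidate key; the next 160 bytes must
    equal its expansion. A one-word check (round key 1, word 0) rejects nearly every
    offset before the full expansion is computed, so the scan stays linear in practice.
    """
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        w3 = cand[12:16]
        # word 4 = word 0 XOR SubWord(RotWord(word 3)) XOR Rcon(0x01)
        t = (SBOX[w3[1]] ^ 0x01, SBOX[w3[2]], SBOX[w3[3]], SBOX[w3[0]])
        if image[off + 16:off + 20] != bytes(cand[j] ^ t[j] for j in range(4)):
            continue
        if image[off + 16:off + SCHEDULE_LEN] == expand_key_128(cand)[16:]:
            hits.append((off, cand))
    return hits


def build_sample_image(key: bytes, schedule_offset: int = 1000, seed: int = 7) -> bytes:
    """Constructed 4 KiB 'memory image': random filler, one embedded key schedule, and a
    bare copy of the key at offset 3000 that has no schedule after it (should not be reported)."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    image[schedule_offset:schedule_offset + SCHEDULE_LEN] = expand_key_128(key)
    image[3000:3016] = key
    return bytes(image)


if __name__ == "__main__":
    demo_key = bytes(range(16))  # constructed key 00 01 ... 0f
    for off, k in find_aes128_schedules(build_sample_image(demo_key)):
        print(f"AES-128 key schedule at offset 0x{off:x}, key = {k.hex()}")
```

The bare 16-byte copy of the key is deliberately not reported: without the surrounding schedule there is nothing to verify it against, which is why the schedule, not the raw key, is the useful artifact. It also shows why acquisition timing matters for SG 2: an implementation that zeroizes its schedule after the last block leaves nothing for this scan to find, so the dump must be taken while the key is live.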
- SG 3. Effectiveness of EDR systems in mitigating the impact of crypto-ransomware attacks. We will first investigate current EDR systems, characterizing them and measuring their effectiveness under different scenarios. Then we will integrate the software components obtained from the previous subgoals and combine them into an EDR software system that provides real-time detection and monitoring of suspicious activity, as well as the ability to quickly isolate and contain affected processes. Additionally, this software will provide valuable forensic data useful for tracking down attackers and potentially recovering the encrypted data using the above components. We will then