RANSOMWARE DETECTION AND PREVENTION USING MEMORY FORENSICS

Ransomware is a special type of malware, which infects a system and limits a user’s access to the system and its resources until a ransom is paid. In the past few years, this malware has become popular among cybercriminals and it is regarded as a billion-dollar industry. Cybercriminals launch ransomware attacks to extort money. Some of the most recent well-known ransomware families include WannaCry, Petya and Bad Rabbit. WannaCry attacked known Windows network vulnerabilities using various exploits, which allowed an intruder to execute arbitrary code on a targeted system by transmitting customized data packets. WannaCry made global headlines after infecting more than 230,000 systems in over 150 countries and causing an estimated $5 billion in damages. Like WannaCry, Petya used Windows vulnerabilities to propagate itself. It impacted large organizations in multiple countries, causing billions of dollars in damage. Another example of rapidly growing ransomware is Bad Rabbit, which appeared shortly after the WannaCry and Petya ransomware families made headlines. Bad Rabbit targeted Ukraine’s Ministry of Infrastructure and Kiev’s public transport system.

The objective of this research is to use various tools and techniques to hunt ransomware using memory forensics. We create a virtual network environment for ransomware execution and analysis. Through memory analysis we examine the behaviors of various ransomware samples while they are resident in the memory of the infected machine. Based on their behaviors, we propose and implement a framework for the detection and prevention of ransomware. The proposed framework monitors ransomware processes using various plugins of the Volatility software tool. These plugins examine the ransomware processes and display the actions taken by the ransomware once it infects the machine. These actions may include encrypting files, renaming themselves to avoid detection by antivirus software, changing file names, etc. Based on these behaviors, we develop the framework for preventing ransomware from spreading and infecting the entire machine. Our proposed framework would complement some of the existing ransomware research in various ways, including the environment, the tools, the ransomware dataset and the structure.
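As an added illustration of the kind of behavior-based triage the abstract describes (this is example code, not the thesis's framework), the script below scores processes from two memory-forensics artifacts: a process masquerading under a Windows system binary's name while running from a non-system path, and a process holding many open files with a ransom-style extension. The input is constructed text in the column layout of the Volatility 2 `cmdline` and `handles` plugins (layout, the `SYSTEM_NAMES` list and the `RANSOM_EXT` pattern are assumptions).

```python
import re
from collections import defaultdict

SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RANSOM_EXT = re.compile(r"\.(locked|crypt|wncry|encrypted)$", re.IGNORECASE)

# Constructed samples in the layout of Volatility 2 `cmdline` / `handles` (assumed).
CMDLINE_SAMPLE = """\
svchost.exe pid:    812
Command line : C:\\Windows\\System32\\svchost.exe -k netsvcs
svchost.exe pid:   2044
Command line : C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe
"""
HANDLES_SAMPLE = """\
0xfffffa8001 812 0x4 0x100020 File \\Device\\HarddiskVolume1\\Windows\\System32\\en-US\\foo.dll.mui
0xfffffa8002 2044 0x8 0x12019f File \\Device\\HarddiskVolume1\\Users\\victim\\Documents\\report.docx.locked
0xfffffa8003 2044 0xc 0x12019f File \\Device\\HarddiskVolume1\\Users\\victim\\Documents\\budget.xlsx.locked
0xfffffa8004 2044 0x10 0x12019f File \\Device\\HarddiskVolume1\\Users\\victim\\Pictures\\cat.jpg.locked
"""

def parse_cmdline(text):  # pid -> (image name, executable path)
    procs, name, pid = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^(\S+) pid:\s+(\d+)$", line)
        cmd = re.match(r"^Command line : (.*)$", line)
        if head:
            name, pid = head.group(1), int(head.group(2))
        elif cmd and pid is not None:
            c = cmd.group(1).strip()  # image is the first token or the quoted path
            path = c[1:c.find('"', 1)] if c.startswith('"') else c.split()[0]
            procs[pid] = (name, path)
    return procs

def parse_handles(text):  # pid -> open file paths (File-type rows only)
    files = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 5)  # offset, pid, handle, access, type, details
        if len(parts) == 6 and parts[4] == "File":
            files[int(parts[1])].append(parts[5])
    return files

def triage(cmdline_text, handles_text, bulk_threshold=3):  # pid -> [reasons]
    procs, files, findings = parse_cmdline(cmdline_text), parse_handles(handles_text), defaultdict(list)
    for pid, (name, path) in procs.items():
        if name.lower() in SYSTEM_NAMES and not path.lower().startswith(SYSTEM_DIRS):
            findings[pid].append(f"{name} running from non-system path {path}")
        hits = [p for p in files.get(pid, []) if RANSOM_EXT.search(p)]
        if len(hits) >= bulk_threshold:
            findings[pid].append(f"{len(hits)} open files with ransom-style extension")
    return dict(findings)
```

Against the constructed sample, only PID 2044 is flagged, on both counts; the genuine svchost.exe (PID 812) produces no finding.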
