This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Network Forensics Against Ryuk Ransomware Using Trigger, Acquire, Analysis, Report, and Action (TAARA) Method
Corresponding Author(s) : Ridho Surya Kusuma
Kinetik: Game Technology, Information System, Computer Network, Computing, Electronics, and Control,
Vol. 6, No. 2, May 2021
Abstract
This study aims to reconstruct an attack event and analyze the source of a viral infection from network traffic logs, so that the information obtained can serve as a new reference for the security system. Recent attacks on computer network systems cannot be detected easily: cybercriminals have used a variant of the Ryuk Ransomware virus to penetrate security systems and encrypt drives and computer network resources. This virus is very destructive and has an efficient design, with a file size of about 200,487 Bytes, so it does not look suspicious. The research steps are carried out through Trigger, Acquire, Analysis, Report, and Action (TAARA). The forensic tools used to obtain log data are Wireshark, NetworkMiner, and TCPDUMP. The forensic data obtained include a timestamp, the source of the attack, IP address, MAC address, SHA-256 hash signature, internet protocol, and the infection process. The data obtained in this study meet the expected objectives.
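The Acquire and Analysis steps above end in a set of artifacts pulled from a packet capture: per-frame timestamps, source and destination IP and MAC addresses, and the SHA-256 of any carried content. The following is an added example, not code from the paper, of how those artifacts are extracted from a classic libpcap file using only the Python standard library. It parses the pcap record header (both byte orders), dissects Ethernet/IPv4/TCP, and hashes the TCP payload; the capture it runs on is constructed inline from fake frames (documentation addresses, a dummy `MZ` payload), and all function names are this example's own.

```python
import hashlib
import struct
from datetime import datetime, timezone

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (constructed test input; checksums left zero)."""
    mac = lambda m: bytes.fromhex(m.replace(':', ''))
    ip4 = lambda a: bytes(int(o) for o in a.split('.'))
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack('!H', ETH_IPV4) + ip + tcp


def build_pcap(records, little_endian=True):
    """Wrap (ts_sec, ts_usec, frame) tuples in a classic pcap file (linktype 1 = Ethernet)."""
    e = '<' if little_endian else '>'
    out = struct.pack(e + 'IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack(e + 'IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (UTC timestamp, frame bytes) per record; magic number decides the byte order."""
    magic = data[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        e = '<'
    elif magic == b'\xa1\xb2\xc3\xd4':
        e = '>'
    else:
        raise ValueError('not a classic microsecond pcap file')
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + 'IIII', data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than mis-parse the tail
        off += incl_len
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        yield ts, frame


def dissect(frame):
    """Return the artifact record for an Ethernet/IPv4/TCP frame, or None for other traffic."""
    if len(frame) < 14 + 20:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack('!H', frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack('!H', frame[16:18])[0]
    if frame[23] != PROTO_TCP:
        return None
    src_ip, dst_ip = frame[26:30], frame[30:34]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack('!HH', tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    fmt_mac = lambda b: ':'.join(f'{x:02x}' for x in b)
    return {
        'src_mac': fmt_mac(src_mac), 'dst_mac': fmt_mac(dst_mac),
        'src_ip': '.'.join(map(str, src_ip)), 'dst_ip': '.'.join(map(str, dst_ip)),
        'sport': sport, 'dport': dport,
        # hash of carried bytes, comparable against a known-bad SHA-256 list
        'payload_sha256': hashlib.sha256(payload).hexdigest() if payload else None,
    }


def extract_artifacts(pcap_bytes):
    """Timeline of who talked to whom and what was carried: the Analysis step in miniature."""
    records = []
    for ts, frame in parse_pcap(pcap_bytes):
        rec = dissect(frame)
        if rec:
            rec['timestamp'] = ts.isoformat()
            records.append(rec)
    return records


# Constructed sample capture: a workstation pulls a dummy payload from an external host.
SAMPLE_PAYLOAD = b'MZ' + b'\x00' * 62 + b'constructed-sample-not-real-malware'
SAMPLE_PAYLOAD_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
SAMPLE_PCAP = build_pcap([
    (1609459200, 0, build_frame('00:11:22:33:44:55', 'aa:bb:cc:dd:ee:ff',
                                '192.0.2.10', '198.51.100.20', 49152, 443, b'')),
    (1609459201, 500000, build_frame('aa:bb:cc:dd:ee:ff', '00:11:22:33:44:55',
                                     '198.51.100.20', '192.0.2.10', 443, 49152, SAMPLE_PAYLOAD)),
])

if __name__ == '__main__':
    for rec in extract_artifacts(SAMPLE_PCAP):
        print(rec)
```

The per-frame records carry exactly the fields the study reports (timestamp, IP and MAC pair, protocol, hash), which is what an analyst compares against an existing indicator list or feeds into the Report step. Real captures also use the nanosecond-resolution magic and pcapng; this parser deliberately rejects those rather than silently mis-timing records, and a truncated file ends the iteration cleanly at the last complete frame.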