The rise of ransomware: Forensic analysis for windows based ransomware attacks

Kara I., AYDOS M.

EXPERT SYSTEMS WITH APPLICATIONS, vol.190, 2022 (SCI-Expanded)

  • Publication Type: Article
  • Volume: 190
  • Publication Date: 2022
  • Doi Number: 10.1016/j.eswa.2021.116198
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus, Academic Search Premier, PASCAL, Aerospace Database, Applied Science & Technology Source, Communication Abstracts, Compendex, Computer & Applied Sciences, INSPEC, Metadex, Public Affairs Index, Civil Engineering Abstracts
  • Keywords: Cybersecurity, Digital forensic, Malware attacks, Ransomware detection, Onion ransomware, Analysis techniques, SOFTWARE-DEFINED NETWORKING, DYNAMIC-ANALYSIS, MALWARE, MITIGATION, TAXONOMY, MODEL
  • Hacettepe University Affiliated: Yes


While information technologies grow and propagate worldwide, malware has evolved and increased its effectiveness against information systems. Recently, attackers have started to use ransom software (ransomware) as an effective method of cyberattack because of its profitability. Ransomware infiltrates victim systems in various ways, usually encrypts files in the system, and demands a ransom to allow the user access to the encrypted files again. Although security mechanisms such as firewalls, anti-virus programs, and automated analysis programs have been developed to combat this threat, these mechanisms have little success and fail to protect the valuable assets stored in local or cloud storage resources. In this study, an effective detection and analysis method against ransomware is proposed, and the proposed method is discussed in detail with a case study. As a result of the study, potential information about the attacker was found to be accessible through characteristic behavior analysis of the onion ransomware, which was analyzed in accordance with the proposed method. This paper also presents an insight into the ransomware threat and provides a basic review of the methods and techniques used in the detection and analysis of ransomware attacks.