
Volume 7, Issue 11, November – 2022 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

Forensic Analysis of Ransomware Infected Windows Hard Disk: A Case Study

Sangita Biswas, Assistant Central Intelligence Officer Gr-1 (Documents), Central Forensic Science Laboratory, Kolkata, India
Kananbala Jena, Director & Scientist E, Central Forensic Science Laboratory, Kolkata, India

Abstract:- Data in digital form is considered one of the most valuable assets. Digital data may pertain to financial transactions, trade secrets and national security matters. The threat of data theft and inaccessibility of important resources has always existed. Therefore, various protections have been used since the early days of computation. The protection may be physically locking the computer room or the different options available for encryption and password protection, thus restricting the number of users to designated persons. In the recent past the emphasis has been growing on connecting digital assets to various networks and internet resources for updates and quick operational requirements. Releasing certain resources for public use is unavoidable for the smooth functioning of business. Emails, downloads and remote access have become a way of life. Thus, in the current scenario no protection can be called foolproof, and attackers find one or more vulnerabilities in a system. One of the most preferred methods of such cyber attack is to hold the owner of digital assets hostage using ransomware. This intrusive software can quickly make changes to the system and restrict user access so that the owner of the system is unable to access the data. Warnings may be flashed on the system to demand money in exchange for renewed access. Ransomware has recently claimed a place of prominence in computer security.

A reasonable amount of literature exists on incident response to malware attacks, dynamic analysis of malware and indicators of compromise of malware. However, how one can perform such malware analysis in a forensic laboratory is not well described. In the present paper the authors describe forensic artifacts discovered on examination of a hard disk infected with ‘wannacry’ ransomware, following the static digital forensic analysis method. During forensic examination it was observed that the artifacts recovered are not an exact match with the artifacts described in the available literature. Moreover, some additional artifacts could be found during forensic examination. During this examination the authors tried to establish a general guideline for examining cases involving malware, so that the security of the laboratory is not compromised and the loss of valuable resources can be prevented during forensic examination.

Keywords:- Ransomware, Wannacry, Cryptoworm, Indicators of Compromise.

I. INTRODUCTION

Malware (short for “malicious software”) refers to any intrusive software developed by cybercriminals, typically delivered over a network, that infects, explores, steals data, confidential or otherwise, and uses such information for profit or for damage to computers and computer systems[1]. Malware comes in numerous variants, and there are various methods to infect computer systems. Examples of common malware[1] include viruses, worms, Trojans, spyware, adware, ransomware and fileless malware. Recent malware attacks have exfiltrated data in mass amounts.

Ransomware is generally part of a phishing scam. By clicking a disguised link, the user downloads the ransomware and the attacker proceeds to encrypt specific information that can only be opened by a mathematical key they know. When the attacker receives payment, the data is promised to be unlocked. Some ransomware, e.g. WannaCry[2], is a particularly dangerous cryptoworm because it propagates as a worm by exploiting vulnerabilities in the Windows operating system and can spread automatically without the victim’s participation. In May 2017, this cryptoworm demanded a ransom payment in bitcoin to decrypt the files. However, even after paying, only a handful of victims received decryption keys.

Out of the different types of malware, this report emphasises the digital forensic investigation of a ‘wannacry’ ransomware infected Windows operating system using various open-source and licensed forensic tools and techniques. In this report the authors discuss forensic analysis of ransomware in a static manner, so that analysts do not have to access the files in the infected disk, while IoCs (Indicators of Compromise) can still be revealed using both open-source and licensed forensic tools.

II. BRIEF CASE HISTORY

An independent business unit which supplies Telecom and Network Services complained that they were unable to access their important files and unable to run some programs critical to their business. The investigation agency seized the hard disk of the particular computer and submitted it for digital forensic examination.

IJISRT22NOV147 www.ijisrt.com 206


It was suspected that this was sabotage due to some malicious software installed by an insider. However, no clues or keywords were forwarded from the investigation side regarding the type of malicious software or what kind of indications were seen during the attack.

III. MALWARE ANALYSIS

Finding traces of malicious activity in a computer seized from the scene of crime remains challenging, as most studies are based on RAM dumps and other live traces captured while the incident is still happening. Sandboxing software generally proves how activities are performed after execution of software in a controlled environment. However, the leftover effects of the same software on a specific system can be better proved by forensic analysis when live traces are almost non-existent. Therefore, some of the well-publicised IoCs may not be present, or may be present in a changed form. Moreover, additional IoCs may arise from the fact that the malicious software has been modified at different times to evade newer versions of antimalware.

Two basic techniques may be used for forensic analysis[3]:
• Static Analysis: In this method forensic analysis of the malware binary is done without actually executing or downloading the files. This is a process of determining the origin of malicious files and understanding the behaviour of the malware by analysing the extracted indicators.
• Dynamic Analysis: In this method malware detection and analysis is done in a controlled environment[4] so that it does not affect other systems. This process uses a behaviour-based approach to determine the functionality of the malware by actually executing it in a controlled and isolated environment.

This report is based on the static analysis method of malware detection and analysis.

IV. METHODOLOGY

• Software and Hardware Used:
Falcon Imager, EnCase Version 8, Internet Evidence Finder Version 6, RegRipper software and a workstation.

• Collection of Digital Evidence:
A bit-stream image of the hard disk was prepared using the Falcon hardware imager (fig.1) in E01 format. The image was duly verified by matching the acquisition MD5 hash value.

Fig 1:- FALCON Imager used for preparing bit stream image of infected hard disk

• Analysis of Collected Digital Evidence:
The bit-stream image of the hard disk was loaded in licensed EnCase software (ver. 8). Files in accordance with the date of complaint were previewed (fig.2).

Fig 2:- Files present in the hard disk with ‘wnry’ extension around the date of complaint.

• Techniques Used:
• Timeline Analysis:
After filtering all the files around the date of complaint, numerous files with the extension ‘wncry’ were found. This ‘wncry’ extension followed another string in the filename which appeared to be an extension recognisable by commonly used applications in the Windows operating system, such as ‘jpg’, ‘xlsx’, ‘txt’, ‘doc’ etc. (fig.3). The change of extension appeared to be the immediate cause of the files not opening under their familiar extension. However, the files could not be opened by changing the extension back to the original one.

Fig 3:- Files with commonly recognisable extensions ‘jpg’, ‘pdf’, ‘xlsx’ etc. followed by ‘wncry’ extension modified on 17.05.2017

• Analysis by Extensions:
All extensions starting from ‘wnry’ were enlisted. It was found that the extensions ‘wnry’, ‘wncry’ and ‘wncryt’ are present around the suspected timeline.
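The timeline and extension filtering described above, written out as an added example (this is not the authors' code; they did this filtering interactively in EnCase). It takes a file listing as (path, modified-time) pairs, keeps entries within a window around the date of complaint, and separates the original extension from the trailing ransomware extension. The listing, the timestamp format and the window width are constructed assumptions; the three extensions are the ones reported on the page.

```python
"""Added example (not the paper's code): timeline and extension triage of a file listing.

Reproduces, in code, the filtering the authors did in EnCase: keep files
modified within a window around the date of complaint and pick out those
whose original extension is followed by one of the ransomware extensions
observed in the case (.wnry, .wncry, .wncryt).
"""
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_EXTS = {"wnry", "wncry", "wncryt"}   # extensions reported on the page
TS_FORMAT = "%Y-%m-%d %H:%M:%S"              # assumed timestamp format of the export


def split_ransom_extension(path):
    """Return (original_ext, ransom_ext) when the file name ends in one of
    RANSOM_EXTS, else None.

    'budget.xlsx.wncry' -> ('xlsx', 'wncry')   (a renamed user file)
    'b.wnry'            -> ('', 'wnry')        (a malware component, no prior extension)
    'kernel32.dll'      -> None
    """
    parts = PureWindowsPath(path).name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in RANSOM_EXTS:
        return None
    original = parts[-2] if len(parts) >= 3 else ""
    return original, parts[-1]


def triage(entries, complaint_date, window_days=7):
    """entries: iterable of (path, modified) with modified as 'YYYY-MM-DD HH:MM:SS'.
    complaint_date: 'YYYY-MM-DD'. Returns a summary of ransomware-extension
    files whose modification time lies within +/- window_days of the complaint."""
    centre = datetime.strptime(complaint_date, "%Y-%m-%d")
    hits = []
    for path, modified in entries:
        exts = split_ransom_extension(path)
        if exts is None:
            continue
        ts = datetime.strptime(modified, TS_FORMAT)
        if abs(ts - centre) <= timedelta(days=window_days):
            hits.append((path, ts, exts))
    by_ransom_ext = Counter(exts[1] for _, _, exts in hits)
    by_original_ext = Counter(exts[0] for _, _, exts in hits if exts[0])
    times = [ts for _, ts, _ in hits]

    def fmt(t):
        return t.strftime(TS_FORMAT)

    return {
        "count": len(hits),
        "by_ransom_ext": dict(by_ransom_ext),
        "by_original_ext": dict(by_original_ext),
        "first_seen": fmt(min(times)) if times else None,
        "last_seen": fmt(max(times)) if times else None,
    }


# Constructed sample listing; paths and times are illustrative, not from the case.
SAMPLE_LISTING = [
    (r"C:\Users\user\Documents\budget.xlsx.wncry", "2017-05-17 09:41:10"),
    (r"C:\Users\user\Pictures\holiday.jpg.wncry", "2017-05-17 09:42:05"),
    (r"C:\Users\user\Desktop\notes.txt.wncryt", "2017-05-17 09:42:30"),
    (r"C:\ProgramData\b.wnry", "2017-05-17 09:38:00"),
    (r"C:\ProgramData\s.wnry", "2017-05-17 09:38:01"),
    (r"C:\Users\user\Documents\old_report.docx.wncry", "2016-01-03 12:00:00"),  # outside window
    (r"C:\Windows\System32\kernel32.dll", "2017-05-17 10:00:00"),               # benign, in window
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, "2017-05-17").items():
        print(f"{key}: {value}")
```

The first-seen and last-seen values bound the "suspected timeline" that the later sections refer to, and the per-original-extension counts give the same picture as fig.3 without opening any of the files.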

Some files with the ‘exe’ extension were also found with the name ‘[email protected]’, which was executed several times between 17.05.2017 and 20.05.2017 (fig.4).

Fig 4:- Execution of ‘[email protected]’ within suspected timeline.

• Literature Review:
On the basis of the above observations, we consulted literature and articles which indicated that a ransomware called ‘wannacry’ existed and that attacks on various systems were reported worldwide during the same timeline[5]. Indicators of compromise were also reported in various attacks.

• Registry Forensics:
NTUSER.DAT is a file available in the Windows operating system that stores the information of the user account settings and customisations. Each user has their own NTUSER.DAT[6] file, hidden in their user profile at the path ‘C:\Users\Username’. This file ensures that any changes made to the user account are saved. This DAT file was extracted from the E01 image loaded in EnCase and analysed using the RegRipper (open-source) forensic registry analysis software.

V. OBSERVATIONS

• Files named ‘b.wnry’, ‘c.wnry’, ‘r.wnry’, ‘s.wnry’, ‘t.wnry’, ‘u.wnry’, ‘f.wnry’, ‘taskdl.exe’, ‘taskse.exe’ and ‘tasksche.exe’ could be found, which are also described in the literature[7, 8].
• Hash values of the files may differ from one instance to another, as observed from the literature. In this case also, some of the hash values were different and others matched some of the reported cases.
• The hash values of b.wnry and s.wnry could be verified as malicious by VirusTotal[9]; however, the other hash values could not be verified as malicious. Details of the MD5 hash values as found in this case are provided in the following table:

File           MD5 hash value found in case
b.wnry         c17170262312f3be7027bc2ca825bf0c
c.wnry         b07a3e01839b404dbe662c485141b0b2
r.wnry         225081d5de690310a3c7211e2fd96dac
s.wnry         ad4c9de7c8c40813f200ba1c2fa33083
t.wnry         1bab8430e6f4e77e37f2e98a9f5fa5e5
u.wnry         d6483ec79f21a1d18b21fec56bfd0000
f.wnry         4c994cef144c85fe1a0abd77f065e430
taskdl.exe     e0077f9ee92e888868a9d2298e1c6a4f
taskse.exe     662b2256d873d03d4a4324878f4b6c6c
tasksche.exe   edf044c89c50c514f2fcfc12db355327
Table 1:- Details of MD5 Hash Values as Found in Case

• A few bmp files named ‘@[email protected]’ with a warning message could be found (fig.5).

Fig 5:- Warning message for files being encrypted

• Files ‘@[email protected]’ were found which contain instructions to decrypt the files on paying the ransom (fig.6).

Fig 6:- Files containing instruction for paying ransom

• Registry analysis indicates ‘WanaCrypt0r’ is among the software keys, with last write time ‘2017-05-17 09:38:55’ (fig.7). Traces of execution of ‘@[email protected]’ were also found on several occasions in the registry hive, which establishes execution of the malicious file to infect the operating system.

Fig 7:- Registry analysis confirms presence of software key ‘WanaCrypt0r’

• Internet cookies around the same timeline included the URLs ‘heheelibom.com’ and ‘brobgser.com’. These URLs were reported as malicious when checked on the ‘virustotal’ website. However, the malware detection facility in ‘IEF 6’ does not report ‘wannacry’ malware.
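Three of the checks described on this page, written as one added example that is not the authors' code: re-verifying the acquired image against the imager's MD5 (Methodology), comparing MD5 values of recovered files against Table 1 while allowing for the per-instance hash variation the authors note (Observations), and checking whether a ‘WanaCrypt0r’ software key's last-write time falls inside the suspected timeline. The hashes in TABLE1_MD5 and the key name and last-write time are the page's values; the registry key path, the sample inputs and the timestamp format are constructed assumptions.

```python
"""Added example (not the paper's code): hash verification and IoC matching.

Covers re-verifying an acquired image against the imager's MD5, matching
MD5 values of recovered files against Table 1, and checking the
'WanaCrypt0r' software key's last-write time against the suspected window.
Only the Table 1 hashes and the key name/time come from the page; every
other value below is constructed.
"""
import hashlib
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # same form as the last-write time printed on the page

# MD5 values exactly as printed in Table 1 of the paper.
TABLE1_MD5 = {
    "b.wnry": "c17170262312f3be7027bc2ca825bf0c",
    "c.wnry": "b07a3e01839b404dbe662c485141b0b2",
    "r.wnry": "225081d5de690310a3c7211e2fd96dac",
    "s.wnry": "ad4c9de7c8c40813f200ba1c2fa33083",
    "t.wnry": "1bab8430e6f4e77e37f2e98a9f5fa5e5",
    "u.wnry": "d6483ec79f21a1d18b21fec56bfd0000",
    "f.wnry": "4c994cef144c85fe1a0abd77f065e430",
    "taskdl.exe": "e0077f9ee92e888868a9d2298e1c6a4f",
    "taskse.exe": "662b2256d873d03d4a4324878f4b6c6c",
    "tasksche.exe": "edf044c89c50c514f2fcfc12db355327",
}

# Registry key leaf names the page reports as an indicator (compared case-insensitively).
IOC_KEY_NAMES = {"wanacrypt0r"}


def md5_of_chunks(chunks):
    """MD5 over an iterable of byte chunks, so the whole input is never buffered."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Chunked MD5 of a file on disk, suitable for a multi-gigabyte E01 image."""
    with open(path, "rb") as fh:
        return md5_of_chunks(iter(lambda: fh.read(chunk_size), b""))


def verify_acquisition(computed_md5, acquisition_md5):
    """Compare a recomputed image hash with the hash the imager recorded at
    acquisition; case and surrounding whitespace are ignored."""
    return computed_md5.strip().lower() == acquisition_md5.strip().lower()


def classify_hashes(observed, known=TABLE1_MD5):
    """observed: {filename: md5}. Returns {filename: verdict} where verdict is
    'match'    - name and hash both agree with the table,
    'variant'  - known artifact name but a different hash (the paper notes
                 hashes differ between instances, so this still warrants review),
    'unlisted' - name not in the table."""
    verdicts = {}
    for name, digest in observed.items():
        expected = known.get(name.lower())
        if expected is None:
            verdicts[name] = "unlisted"
        elif expected == digest.strip().lower():
            verdicts[name] = "match"
        else:
            verdicts[name] = "variant"
    return verdicts


def registry_iocs(keys, window_start, window_end):
    """keys: iterable of (key_path, last_write) with last_write as 'YYYY-MM-DD HH:MM:SS'.
    Returns the key paths whose leaf name is a known IoC and whose last-write
    time lies inside [window_start, window_end]."""
    start = datetime.strptime(window_start, TS_FORMAT)
    end = datetime.strptime(window_end, TS_FORMAT)
    hits = []
    for key_path, last_write in keys:
        leaf = key_path.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if leaf in IOC_KEY_NAMES and start <= datetime.strptime(last_write, TS_FORMAT) <= end:
            hits.append(key_path)
    return hits


if __name__ == "__main__":
    # Constructed inputs: one hash copied from Table 1, one deliberately different,
    # and one file name the table does not list.
    observed = {
        "b.wnry": "c17170262312f3be7027bc2ca825bf0c",
        "c.wnry": "00000000000000000000000000000000",
        "readme.bin": "11111111111111111111111111111111",
    }
    print(classify_hashes(observed))
    # Constructed key list: the path under Software is assumed, the time is the page's.
    keys = [
        (r"HKCU\Software\WanaCrypt0r", "2017-05-17 09:38:55"),
        (r"HKCU\Software\Microsoft\Windows", "2017-05-17 09:40:00"),
    ]
    print(registry_iocs(keys, "2017-05-17 00:00:00", "2017-05-20 23:59:59"))
```

The ‘variant’ verdict is deliberate: because the authors found that only some hashes matched the literature, a hash mismatch on a known artifact name is reported for review rather than silently discarded, and a VirusTotal lookup of the differing hash is the natural next step, as the paper did for b.wnry and s.wnry.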

VI. RESULTS AND DISCUSSIONS

• During forensic examination it was observed that malware can be present in any media brought in for analysis, unknown to the laboratory. Extracting data from the devices and opening files during analysis, being routine processes in forensic examination, can affect the examination workstation, and malicious software can spread to other connected resources in the process. Therefore, forensic laboratories should follow some guidelines to prevent malware from affecting laboratory resources.

Guidelines to be followed during forensic examination:
• Keep a copy of the local machine for reinstallation if required.
• Nothing (i.e., any files or folders) is to be extracted and saved on the local machine.
• Use tools, or options within the tools, which do not copy anything as part of a report.
• Do not archive under any condition which can contaminate.
• Use well-understood tools, or options within tools, to ensure no remnants.
• The workstation used for analysis should not be in a networked environment.
• No USB devices should be used to transfer data.

• Though the past experience of researchers found in the literature is a great resource, malicious software always changes strategy. Therefore, the code may be changed and modified uniquely within the infected system. Certain changes beyond the available literature are possible. All such variations should be documented for quick detection of the variants.

REFERENCES

[1]. Lutkevich, B. Malware. https://www.techtarget.com/searchsecurity/definition/malware.
[2]. Alex Berry, J.H., Randi Eitzman. WannaCry Malware Profile. https://www.mandiant.com/resources/blog/wannacry-malware-profile.
[3]. Khillar, S. Difference Between Static Malware Analysis and Dynamic Malware Analysis. 2022. http://www.differencebetween.net/technology/difference-between-static-malware-analysis-and-dynamic-malware-analysis/
[4]. Diana Rathod, D.P.S. Digital Forensic Analysis of Ransomware Infected Windows System. JETIR, 2019. 6(5).
[5]. McDonald, G., et al. Ransomware: Analysing the Impact on Windows Active Directory Domain Services. Sensors, 2022. 22(3): p. 953.
[6]. Lo, V. Windows shellbag forensics in depth. SANS Institute, 2014.
[7]. Erika Noerenberg, A.C., Nathanial Quist. A Technical Analysis of WannaCry Ransomware. https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/.
[8]. Team, C.T.U.R. WCry Ransomware Analysis. https://www.secureworks.com/research/wcry-ransomware-analysis.
[9]. YusirwanS, S., Y. Prayudi, and I. Riadi. Implementation of malware analysis using static and dynamic analysis method. International Journal of Computer Applications, 2015. 117(6): p. 11-15.