Recovering from Memory the Encryption Keys Used by Ransomware Targeting Windows and Linux Systems

Ransomware is a type of malware that blocks access to the files on a device, usually by encrypting them with a key known only to the attacker, until the victim pays a ransom. Because it is popular and profitable, ready-to-use ransomware source code repositories can now be found online. Although many of them are created for educational purposes, they attract the interest of all kinds of bad actors. The aim of this paper is to help recover from a ransomware attack using forensic analysis techniques. Specifically, two tools were developed that allow rapid recovery of the encryption keys used by the ransomware from a memory dump, regardless of the infected operating system. These two tools can also be useful against other, similar ransomware (open source or not), since many families use the same libraries for file encryption and key management.

keywords: Ransomware, Live forensics, Malware analysis, Cryptography
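The abstract does not say which cipher or library the two tools target, so the following is an added example and not the paper's tooling: the classic key-schedule scan used by cold-boot recovery tools such as aeskeyfind. An AES implementation keeps its expanded round keys in memory while it encrypts; round key 0 is the key itself, and every later round key is a deterministic function of it, so a 16-byte window whose following 160 bytes equal its own expansion is almost certainly a live AES-128 key. The memory image, the offsets and the embedded FIPS-197 test key are constructed for the demonstration. A per-word byte-swapped layout is checked as well, because some libraries store round keys as native 32-bit words rather than as the byte string FIPS-197 describes; AES-192/256 would need a longer schedule and are not handled here.

```python
"""Scan a memory image for AES-128 round keys by key-schedule matching.

Added example, not the paper's code.  Every 16-byte window is treated as a
candidate key, expanded, and reported when the next 160 bytes match.
"""
import random
from typing import List, Tuple


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox() -> List[int]:
    """Derive the AES S-box: inverse in GF(2^8) (0 maps to 0) then the affine map."""
    sbox = []
    for a in range(256):
        inv, base, e = 1, a, 254          # a^254 == a^-1 for a != 0
        while e:
            if e & 1:
                inv = _gf_mul(inv, base)
            base = _gf_mul(base, base)
            e >>= 1
        x = s = inv if a else 0
        for _ in range(4):                 # s = x ^ rotl(x,1) ^ ... ^ rotl(x,4)
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def _next_word(prev: bytes, first: bytes, i: int) -> bytes:
    """FIPS-197 step: w[i] = w[i-4] ^ g(w[i-1]), with g applied only when i % 4 == 0."""
    t = list(prev)
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return bytes(f ^ x for f, x in zip(first, t))


def aes128_key_schedule(key: bytes) -> bytes:
    """Expand a 16-byte key into the 176-byte AES-128 key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def _swap_words(buf: bytes) -> bytes:
    """Reverse the bytes of each 32-bit word (round keys kept as native little-endian u32)."""
    return b"".join(buf[i:i + 4][::-1] for i in range(0, len(buf), 4))


def find_aes128_keys(dump: bytes) -> List[Tuple[int, bytes, str]]:
    """Return (offset, key, layout) for every AES-128 key schedule found in `dump`."""
    hits = []
    for off in range(0, len(dump) - SCHEDULE_LEN + 1):
        window = dump[off:off + SCHEDULE_LEN]
        for layout, view in (("bytes", window), ("word-swapped", _swap_words(window))):
            cand = view[:16]
            if cand == b"\x00" * 16:
                continue  # an all-zero key in a zeroed page is a classic false positive
            # Cheap filter first: w[4] depends only on w[0] and w[3].
            if view[16:20] != _next_word(cand[12:16], cand[0:4], 4):
                continue
            if view[16:] == aes128_key_schedule(cand)[16:]:
                hits.append((off, cand, layout))
    return hits


def build_sample_dump() -> bytes:
    """Constructed image: pseudo-random filler, the FIPS-197 A.1 key schedule in
    plain byte order at offset 300 and word-swapped at offset 1000."""
    rng = random.Random(20240101)
    dump = bytearray(rng.getrandbits(8) for _ in range(2048))
    sched = aes128_key_schedule(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))
    dump[300:300 + SCHEDULE_LEN] = sched
    dump[1000:1000 + SCHEDULE_LEN] = _swap_words(sched)
    return bytes(dump)


if __name__ == "__main__":
    for off, key, layout in find_aes128_keys(build_sample_dump()):
        print(f"0x{off:06x}  {key.hex()}  ({layout})")
```

On a real image the scan is run over the process's heap and stack regions (or the whole RAM capture) with the schedule still resident; a key that was wiped after use but whose round keys survive in a library's context structure is still recovered, because round key 0 is reconstructed from the match rather than read from the wiped buffer. The `w[4]` pre-check keeps the full expansion off the hot path, which matters when scanning gigabytes in pure Python.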