Blockpass ID Lab, School of Computing, Edinburgh Napier University, Edinburgh EH10 5DT, UK.
Sensors (Basel). 2022 Jan 26;22(3):953. doi: 10.3390/s22030953.
Ransomware has become an increasingly common type of malware over the past decade and continues to grow in prevalence because of its high profitability. Organisations and enterprises have become prime targets, as they are more likely to pay a ransom, treating it as an operating expense, to offset the cost of downtime. Despite the prevalence of ransomware as a threat to organisations, very little published work describes how ransomware affects Windows Server environments, and in particular proprietary domain services such as Active Directory. We therefore aim to improve the cyber situational awareness of organisations and corporations that operate these environments. Dynamic analysis was performed with three ransomware variants to establish how crypto-ransomware affects Windows Server-specific services and processes. Our work describes the practical investigation in which WannaCry, TeslaCrypt, and Jigsaw were acquired and run against several domain services. None of the three variants stopped the service processes, and all domain services were left running. However, although the services remained operational, they became dysfunctional in service-specific ways because the ransomware had encrypted the files on which those services depend.
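The practical consequence of the finding above is that "is the service running?" is not a useful health check during a ransomware incident on a domain controller: NTDS, DNS and Netlogon can report Running while the files they depend on are already ciphertext. The script below is an added example written for this page, not code from the paper or its authors. It pairs a service-status check with a file-level check that samples files under the NTDS and SYSVOL directories and flags those whose byte entropy is close to the 8 bits/byte that encrypted data exhibits. It assumes it is run with administrative rights on a domain controller using the default paths (%SystemRoot%\NTDS and %SystemRoot%\SYSVOL); the service list, the 64 KB sample size and the 7.5-bit threshold are illustrative choices, not values from the paper.

```powershell
# Added example (not from the paper): compare AD-related service status with
# the state of the files those services depend on.
# Assumptions: run elevated on a DC with default NTDS/SYSVOL paths; the
# service list and the entropy threshold are illustrative.

$DomainServices = 'NTDS', 'Kdc', 'Netlogon', 'DNS', 'DFSR'

function Get-DomainServiceStatus {
    # Reports the status of each AD-related service; 'NotInstalled' if absent.
    foreach ($name in $DomainServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        }
    }
}

function Get-ShannonEntropy {
    # Shannon entropy in bits per byte (0..8) of a byte array.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-SuspiciousFile {
    # Samples the first 64 KB of a file and flags near-random content.
    param(
        [System.IO.FileInfo]$File,
        [double]$Threshold = 7.5   # illustrative; tune against a known-good baseline
    )
    try {
        $stream = [System.IO.File]::OpenRead($File.FullName)
        $buffer = New-Object byte[] 65536
        $read   = $stream.Read($buffer, 0, $buffer.Length)
        $stream.Close()
        $entropy = if ($read -gt 0) {
            Get-ShannonEntropy -Bytes ([byte[]]$buffer[0..($read - 1)])
        } else { 0.0 }
        [pscustomobject]@{
            Path       = $File.FullName
            Entropy    = [Math]::Round($entropy, 2)
            Suspicious = ($entropy -ge $Threshold)
            Note       = ''
        }
    } catch {
        # ntds.dit is held open by lsass while NTDS runs, so a read failure
        # on it is expected and is not by itself a sign of encryption.
        [pscustomobject]@{
            Path       = $File.FullName
            Entropy    = $null
            Suspicious = $false
            Note       = "unreadable: $($_.Exception.Message)"
        }
    }
}

# Report 1: service status (this is what the paper shows to be misleading).
Get-DomainServiceStatus | Format-Table -AutoSize

# Report 2: file-level check on the directories the services depend on.
$paths = "$env:SystemRoot\NTDS", "$env:SystemRoot\SYSVOL"
Get-ChildItem -Path $paths -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousFile -File $_ } |
    Where-Object { $_.Suspicious -or $_.Note } |
    Format-Table -AutoSize
```

Two caveats when reading the second report: legitimately compressed or signed content (some .pol and .adm files, packaged installers stored under SYSVOL) can also score high, so compare against a baseline taken from a healthy DC rather than treating any hit as proof of encryption; and an appended ransom extension or a dropped ransom note is an independent indicator that this entropy check does not look for, so pair it with a file-name and new-file check from your own intelligence sources.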