Open Access
Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method
Author(s) -
Rusydi Umar,
Imam Riadi,
Ridho Surya Kusuma
Publication year - 2021
Publication title -
IJID (International Journal on Informatics for Development)
Language(s) - English
Resource type - Journals
eISSN - 2549-7448
pISSN - 2252-7834
DOI - 10.14421/ijid.2021.2423
Subject(s) - ransomware , computer science , computer security , malware , computer forensics , encryption , process (computing) , network forensics , ransom , digital forensics , operating system , political science , law
Ransomware has become a dangerous and rapidly growing threat in recent years. One variant is Conti ransomware, which spreads infection and encrypts data at the same time. Its attacks damage systems severely: it encrypts the data on the victim's computer, spreads to other computers on the same network, and demands a ransom. The working principle of this ransomware is characterised through registry queries, which cover all of its behaviour in accessing, deleting, creating and manipulating data and in communicating with C2 (Command and Control) servers. This study analyses the Conti attack through a network forensic process based on network behaviour logs. The research consists of three stages: the first stage simulates the attack on a host computer, the second stage carries out network forensics using the live forensics method, and the third stage analyses the malware using statistical and dynamic analysis. The results provide forensic data on the malware's behaviour while it runs in RAM and on the computer network, so that the data obtained makes it possible to identify ransomware traffic on the network and respond to zero-day threats, particularly ransomware. This is possible because the analysis is an initial step towards generating virus signatures based on network indicators.
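As an added illustration of the network-indicator stage the abstract describes (this is example code, not code from the paper), the following Python script runs two simple detections over constructed flow records: regular-interval connections from an internal host to one external endpoint (beaconing to a C2 server) and rapid SMB fan-out from one internal host to many peers (spreading to other computers on the same network). A flagged C2 endpoint is then turned into a draft Suricata rule, the kind of network-indicator signature the abstract says the analysis is a first step towards. The flow-record format, the HOME_NET range, the detection thresholds, the sample records and the rule sid are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address range (mirrors Suricata's $HOME_NET variable).
HOME_NET = ip_network("10.0.0.0/8")

# Constructed flow records for the example: "timestamp src dst dport bytes".
# Host 10.0.0.5 contacts one external endpoint every 30 s, then opens SMB
# connections to five internal peers within a few seconds. Host 10.0.0.7 is
# benign-looking background traffic. These are not real captures.
SAMPLE_FLOWS = """\
2021-06-01T10:00:00 10.0.0.5 203.0.113.10 443 1200
2021-06-01T10:00:30 10.0.0.5 203.0.113.10 443 1180
2021-06-01T10:01:00 10.0.0.5 203.0.113.10 443 1210
2021-06-01T10:01:30 10.0.0.5 203.0.113.10 443 1190
2021-06-01T10:02:00 10.0.0.5 203.0.113.10 443 1205
2021-06-01T10:02:05 10.0.0.5 10.0.0.11 445 4096
2021-06-01T10:02:06 10.0.0.5 10.0.0.12 445 4096
2021-06-01T10:02:07 10.0.0.5 10.0.0.13 445 4096
2021-06-01T10:02:08 10.0.0.5 10.0.0.14 445 4096
2021-06-01T10:02:09 10.0.0.5 10.0.0.15 445 4096
2021-06-01T10:03:12 10.0.0.7 198.51.100.20 443 53000
2021-06-01T10:07:45 10.0.0.7 198.51.100.20 443 820
2021-06-01T10:08:01 10.0.0.7 10.0.0.9 445 2048
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport bytes' lines into dicts sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return sorted(flows, key=lambda f: f["ts"])


def find_beacons(flows, min_conns=5, max_cv=0.2):
    """Flag (src, dst, dport) tuples to external hosts whose inter-arrival
    times are regular. Assumed thresholds: at least min_conns flows and a
    coefficient of variation (pstdev / mean) of the gaps no larger than max_cv.
    Returns {tuple: mean_interval_seconds}."""
    by_tuple = defaultdict(list)
    for f in flows:
        if ip_address(f["dst"]) not in HOME_NET:
            by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, times in by_tuple.items():
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


def find_smb_fanout(flows, window_s=60, min_targets=5):
    """Flag internal hosts that open SMB (TCP 445) connections to at least
    min_targets distinct internal peers inside window_s seconds, the
    lateral-spread pattern described in the abstract. Returns {src: set(dst)}."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445 and ip_address(f["dst"]) in HOME_NET:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                suspects[src] = targets
                break
    return suspects


def draft_suricata_rule(dst, dport, sid):
    """Turn a flagged C2 endpoint into a draft Suricata rule. The sid and msg
    are assumptions; a production rule would add content or TLS fingerprint
    matches taken from the dynamic-analysis stage rather than an IP alone."""
    return (f'alert tcp $HOME_NET any -> {dst} {dport} '
            f'(msg:"Possible ransomware C2 beacon to {dst}"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


def analyze(text):
    """Run both detections over a flow log and draft one rule per beacon."""
    flows = parse_flows(text)
    beacons = find_beacons(flows)
    rules = [draft_suricata_rule(dst, dport, 9000000 + i)
             for i, (_, dst, dport) in enumerate(sorted(beacons), start=1)]
    return {"beacons": beacons, "smb_fanout": find_smb_fanout(flows), "rules": rules}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_FLOWS).items():
        print(name, value)
```

On the constructed records the script flags 10.0.0.5 both as a beaconing host (30-second interval to 203.0.113.10:443) and as the source of SMB fan-out, while 10.0.0.7's two irregular connections and single SMB session are left alone; the same two checks can be pointed at real conn-log exports once the thresholds are tuned to the network in question.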
