Edinburgh Napier University

  Ransomware is a form of malicious software that blocks user access to data by encrypting files. A user is then required to pay the attacker a sum of money to receive the encryption artefacts and start recovering the data. MEMCRYPT has developed new techniques for detecting live malware activity and identifying the cryptographic keys, along with the related artefacts used during the attack. This allows for the detection of suspect encryption processes and interact before ransomware can affect a system. MEMCRYPT finds the artefacts in system memory, and within the first steps of a user's file being encrypted, these artefacts are available for the user to decrypt.
These methods in dealing with ransomware can also be applied more generally in detecting active malware and preventing the exfiltration of confidential data. This proof of concept aims to build an incident response triage system for ransomware, and which builds evidence around a ransomware attack, and where encrypted data samples are used to build up a picture of the encryption methods used. This can be used as a rapidly created sandbox area for real-time analysis, or can be used within law enforcement investigations, and where a large-scale system can be scanned for cryptographic evidence, with a fast matching system towards extracting key the key features required for investigations.