
Nice. >> Happy. >> Yeah, yours. >> All right. Thank you for the introduction, and thank you everyone for coming to my talk about my bachelor project, titled "Evolving Threats: A Hybridized Malware Analysis of Ransomware Behavior". You've already done my introduction for me, but yeah, I'm a former electrician. I've always had an interest in it, so I decided to study digital forensics here at Noroff University College, and during my studies I've worked at Netsecurity, where I've been lucky enough to continue after my studies. So through both my coursework and hands-on experience I've developed a strong interest in malware analysis, which became the focus of my thesis, specifically looking at ransomware behavior.

So, just a little background on ransomware evolution. Ransomware has quickly become one of the most destructive and costly forms of cyber attack. While it accounts for only about 10% of global cyber incidents, it makes up nearly half of all incident response cases, a clear sign of its disproportionate impact. Ransomware is no longer just simple file-encrypting malware. It has evolved into a professionalized criminal ecosystem, with today's attacks being more organized, aggressive, and strategically executed. Models like ransomware-as-a-service allow low-skilled actors to launch attacks using ready-made ransomware provided by developers in exchange for a share of the profits. Tactics like double extortion increase the pressure on victims by threatening to leak stolen data in addition to encrypting it. At the same time, attackers are shifting toward bigger targets with bigger payoffs, a tactic known as big game hunting: going after high-value targets like hospitals or large companies that are more likely to pay up quickly to avoid major disruptions. So while the number of ransomware attacks may be declining, the damage per incident is climbing fast. It's no surprise that global damages are projected to hit 57 billion in 2025, despite ransomware accounting for just a small slice of total cyber incidents.

Yet a lot of teams still rely on traditional malware analysis, using static or dynamic methods on their own. But the truth is that ransomware often affects multiple aspects of the system, including the file system, memory, and network communications, so relying on isolated detection techniques can miss the bigger picture. To address this gap, my project adopted a hybridized malware analysis framework combining static, dynamic, network, and forensic analysis. The goal was to get a more realistic picture of how ransomware behaves in real-world attacks and how we can improve detection, analysis, and response.

The process starts with static analysis: examining the malware without actually running it. This helps reveal key characteristics like file fingerprints, embedded strings, imported functions, and signs of obfuscation. These insights are useful not only for early detection and signature creation, but also for inferring the malware's possible behavior before it executes.
Next comes dynamic analysis, where we actually run the sample in a controlled environment. This lets us see how it behaves in real time, from process creation and memory activity to evasion techniques designed to avoid detection. Then we move into network analysis, watching the traffic for signs of command-and-control activity or data exfiltration, which is especially important with the rise of double extortion. Finally, we conduct forensic analysis, examining the system post-infection to uncover evidence of malicious activity such as unauthorized changes to the file system or registry, deployment of persistence mechanisms, or the presence of malware artifacts left behind. Taken together, these techniques give us a holistic view of malware, from how it's built to how it behaves, communicates, and leaves its mark, helping us understand both its immediate impact and its longer-term goals.

That comprehensive understanding is what shaped the research goals for my project. Using this framework, my research focused on analyzing samples from two ransomware families targeting Windows operating systems, structured around four sub-objectives: use static analysis to identify what the malware is capable of and how it may try to avoid detection; watch how it behaves in real time by running it in a controlled environment; dig into the forensic and network evidence to understand the system impact and any communication with the outside; and finally, map all the findings to the MITRE ATT&CK framework to provide a structured overview of the tactics and techniques used by the samples. Together, these objectives aimed at giving a deeper understanding of how ransomware behaves, going beyond just surface-level indicators.

But there was one key limitation to my project. The analysis relied entirely on free online tools and sandbox environments rather than local virtual machines or bare-metal setups. That's important because some ransomware is designed to detect and evade sandbox and virtualized environments, meaning certain behaviors may not appear unless the system conditions closely mimic those of a real endpoint. With that in mind, the next step was to design a methodology that could support this kind of layered, multi-technique analysis.

So, building my methodology, the goal was to extract as much insight as possible from the ransomware samples using, as said, only freely available online tools and samples, while staying aligned with a hybridized analysis framework. It started with sample acquisition, followed by a quick triage using VirusTotal and Manalyzer to check the samples' integrity and authenticity. After that I ran a static analysis of each sample before executing them across multiple online sandboxes. That gave me the basis for conducting dynamic, forensic, and network analysis. Finally, all the findings were correlated and mapped to the MITRE ATT&CK framework to build a structured picture of each ransomware sample's attack life cycle. While VirusTotal was mostly used for static analysis, it does offer some dynamic insights, just like some of the sandboxes included static details. These overlaps were helpful for cross-checking results between each step. So despite the whole process relying solely on online tools, it still allowed for a layered and well-rounded behavioral analysis.
My research focused on samples from two active families, Medusa and RansomHub. These were chosen based on their recent activity in Norway, tracked through sources like ransomware.live, and because of their contrasting approaches. Medusa is known for aggressive and often destructive behavior, while RansomHub tends to focus on stealth and persistence. That contrast made them ideal for a comparative analysis.

So, over to the findings. To make sense of the static analysis findings, I've broken them into categories, starting with file metadata and structure. At its core, we're looking at a 32-bit PE file, but several sections show medium entropy levels, which are suggestive of obfuscation or packing due to increased data randomness. Interestingly, it also includes a PDB path, likely left over from the developer's build environment. File hashing and fingerprinting also verified the sample's integrity and authenticity. Medusa makes use of several APIs from the kernel32 library, which handles core system functions. Some of these functions are attributed to anti-analysis and evasion. Medusa uses well-known techniques like debugger detection and dynamic import resolution to conceal its true behavior from static analysis. It also uses system profiling APIs to collect hardware and environment details, likely to customize its execution or avoid sandboxes and virtual machines. It imports functions related to multi-threading, heap management, and memory protection changes, all of which may support unpacking or runtime injection into memory. It also imports functions that enable it to read and write files, scan available drives, and modify file attributes, behaviors that, while very common, are essential for locating and encrypting target data. Finally, it imports cryptographic APIs to support a hybrid encryption scheme, which aligns with its known ransomware functionality. Altogether, these features point at a ransomware payload that's not just capable and evasive, but also designed to complicate static analysis and reverse engineering.

Static analysis of RansomHub reveals an equally capable, though more stealth-oriented, ransomware strain. Structurally, it's a 32-bit PE file like Medusa, but with a few red flags. It includes an unusual stab section and showed medium entropy levels, both suggestive of packing or obfuscation. Its compile timestamp is set to the Unix epoch default, suggestive of deliberate tampering. Interestingly, the PE header contains a non-zero symbol table pointer even though no symbols remain. This might be left over from packing, or a deliberate attempt to mislead analysts or disrupt forensic tools. Like Medusa, RansomHub makes extensive use of functions from the kernel32 library; where it stands out is in its evasion logic. It uses functions like CloseHandle and vectored exception handlers, common techniques that intercept exceptions and can disrupt or confuse debuggers. It also resolves APIs at runtime and profiles the system, for example checking CPU affinity or modifying error-handling attempts, behaviors often linked to sandbox evasion and anti-analysis. Additionally, it introduces possible execution delays using SetWaitableTimer to outlast automated sandboxes before executing. It adjusts its process priority and mimics system resources through handle duplication. These behaviors likely support stealth and help avoid automated analysis environments. From a control perspective, it supports thread creation, context manipulation, and dynamic memory allocation, techniques often used for code injection, in-memory staging, or evading detection by avoiding the file system. Like Medusa, RansomHub can read, write, and close files, and it calls system-level functions to gather environment details. Again, very common, but essential behaviors for locating and encrypting data. Overall, RansomHub appears to be designed with stealth in mind, focusing more on evasion, anti-analysis, and controlled execution.

Due to time constraints for this presentation, the dynamic, network, and forensic results have been consolidated into a single overview based on sandbox findings. Medusa begins with LOLBin abuse, with the malware leveraging built-in Windows tools like net to disable security services, then escalating to using taskkill with debug privileges to terminate processes and deleting shadow copies using vssadmin. Medusa also seemingly attempted to tamper with native security infrastructure, interacting with Windows Defender driver components and monitoring-related registry keys, likely to aid in detecting or evading built-in security tools. On the anti-analysis front, it performed environment checks via PowerShell, likely probing for sandbox indicators using Windows APIs. It also queried the system locale using GetLocaleInfo, likely to exclude systems from the CIS region, which is consistent with known behavior. Finally, after execution, it issued a self-deletion command, possibly to clean up after itself.

So based on related work, I was expecting some form of network activity related to command and control or data exfiltration. But, yeah, there was none. Medusa is known to use remote access tools for command and control, so it's likely performed through hands-on-keyboard operation, or the sample simply failed to engage due to sandbox detection, inactive infrastructure, or missing configuration. Still, despite its anti-analysis efforts, the sample dynamically resolved CryptExportKey, encrypted files with a .medusa extension, and dropped its ransom notes across multiple directories on the system. Interestingly, the ransom note claimed that data had been stolen as well as encrypted, even though there was no network activity to support that claim. It is likely just leveraging its reputation for double extortion to pressure the victim, whether or not any data was actually exfiltrated.

Moving on to the RansomHub sample, its sandbox behavior was noticeably different from Medusa's. The first thing that stood out was the memory allocation and payload staging. Upon execution, the sample allocated a large 500 MB block of memory with both read and write permissions. That kind of allocation typically suggests unpacking or in-memory payload staging, commonly used to avoid leaving traces on the file system. Alongside that, RansomHub used anti-analysis techniques. It suppressed error messages using system flags, likely to avoid pop-ups or crash dialogs that might alert the user. It called APIs commonly used to probe its execution environment and queried the registry for code identifiers and network configuration. It also checked locale and language settings, supporting earlier claims that RansomHub, like Medusa, avoids systems in the CIS region, in addition to specific countries like China, North Korea, and Cuba.

But here's where things got interesting. After this profiling stage, the process terminated itself using ExitProcess. So there was no encryption, no ransom notes, and no clear payload activity. One of the sandboxes even assigned it a benign rating of three out of ten. But this being a known ransomware sample, I of course knew this was not the case. So I started digging into older sandbox submissions, and luckily one of them saw the sample launch several Chrome processes using the AdjustTokenPrivileges API, probably to escalate privileges or prepare for process injection. These processes reached out to a Pastebin URL, and interestingly, that same URL later showed up in traffic to several adtech domains. This behavior suggests it might have been hiding malicious traffic inside what looked like normal browser activity. This traffic could have been used to deliver additional payloads, pull down configuration settings, or just check in on the infected system while blending in with everyday web activity. Altogether, it points to a staged, browser-based execution model, which as far as I've seen hasn't been covered in other write-ups. Still, there was no sign of encryption or file system changes in the sandboxes, likely due to sandbox evasion, unsatisfied execution triggers, or inactive network infrastructure.
The last of my research goals was to map observed behaviors to the MITRE ATT&CK framework to understand how Medusa and RansomHub operate across the full attack life cycle. These mappings combine what I could observe in sandbox environments with data from prior research and threat intelligence. That was necessary because neither sample executed fully, likely due to anti-analysis features designed to evade automated tools. So I had to take a hybrid approach, combining what I could directly observe with known behaviors from real-world reporting. These mappings formed the foundation for incident response playbooks, which served as the artifacts of my project. The playbooks were developed to guide defenders and responders through detecting, containing, eradicating, and recovering from such infections.

So, here's a close-up visual representation of the Medusa mapping. Tactics are shown in purple, followed by techniques in yellow and sub-techniques in orange, detailing how each stage of the attack is carried out, from general methods down to specific behaviors. The flow follows the typical attack life cycle, moving from initial access through execution, persistence, privilege escalation, and defense evasion, then on to discovery, lateral movement, exfiltration, command and control, and impact.

Developing the MITRE ATT&CK mappings and the incident response playbooks made one thing clear: the hybridized analysis approach can offer a much more complete view of how ransomware behaves. But in this case, it was limited by the use of online malware analysis sandboxes, which couldn't capture more advanced or evasive behaviors. Online malware analysis sandboxes are great starting points, especially for quick triage, since they require minimal setup. But their limitations become obvious when dealing with heavily evasive malware designed to evade analysis environments or wait for real user interaction. That's why deeper analysis using local virtual machines, bare-metal systems, or telemetry from real incidents is so important. It provides the kind of behavioral insight that sandboxes alone just can't deliver. This highlights the need to bridge the gap between controlled research environments and real-world data. Only then can we fully understand and defend against today's more sophisticated ransomware attacks. Thank you.
>> Thank you. And he gets the Digital Necromancer. >> Very nice.
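The static header red flags the speaker lists for the RansomHub sample (medium-to-high section entropy, an unusual section name, a compile timestamp left at the Unix epoch, and a non-zero symbol table pointer with no symbols behind it) can be checked on any PE file with a few dozen lines of header parsing. The Python below is an example added by the editor, not code from the talk or the thesis project. It parses the DOS stub, COFF header and section table by hand, computes per-section Shannon entropy, and emits the same findings the talk describes. To run offline it builds a constructed, non-loadable PE32 blob in memory with one low-entropy ".text" section and one pseudo-random ".stab" section; the entropy threshold of 6.0 and the set of "common" section names are the editor's assumptions, not values taken from the talk.

```python
import math
import struct
from collections import Counter

# Section names a typical Windows linker emits; anything else is worth a look.
# This set is an assumption for the example, not something from the talk.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
# Assumed threshold: Shannon entropy (bits/byte) at or above this is flagged.
# Plain x86 code usually sits around 5 to 6.5; packed or encrypted data near 8.
ENTROPY_FLAG = 6.0


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsect, timestamp, sym_ptr, nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]   # 0x10B = PE32, 0x20B = PE32+
    sections = []
    table = opt + opt_size                            # section headers follow the optional header
    for i in range(nsect):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         *_rest) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "is_pe32": magic == 0x10B,
            "timestamp": timestamp, "symbol_table_ptr": sym_ptr,
            "symbol_count": nsyms, "sections": sections}


def triage(data: bytes) -> list:
    """Apply the header red flags from the talk and return human-readable findings."""
    info = parse_pe(data)
    flags = []
    if info["timestamp"] == 0:
        flags.append("compile timestamp is the Unix epoch (stripped or tampered)")
    if info["symbol_table_ptr"] and info["symbol_count"] == 0:
        flags.append("non-zero symbol table pointer but zero symbols")
    for s in info["sections"]:
        if s["name"] not in COMMON_SECTIONS:
            flags.append(f"unusual section name {s['name']}")
        if s["entropy"] >= ENTROPY_FLAG:
            flags.append(f"elevated entropy in {s['name']} ({s['entropy']:.2f} bits/byte)")
    return flags


def xorshift_bytes(n: int, seed: int = 0x2545F491) -> bytes:
    """Deterministic pseudo-random filler standing in for packed or encrypted data."""
    x, out = seed, bytearray()
    for _ in range(n):
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out.append(x & 0xFF)
    return bytes(out)


def build_sample_pe(timestamp: int = 0, sym_ptr: int = 0x1000, nsyms: int = 0) -> bytes:
    """Constructed minimal PE32 with a boring .text and a high-entropy .stab section.

    Only the headers that triage() reads are meaningful; the optional header is
    mostly zeros, so the blob is not loadable and carries no code worth running.
    """
    text = b"\x90\xc3" * 128            # 256 bytes, two symbols -> entropy 1.0
    stab = xorshift_bytes(4096)         # looks packed -> entropy close to 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, sym_ptr, nsyms, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 magic only
    hdr = "<8sIIIIIIHHI"
    sec_text = struct.pack(hdr, b".text", 256, 0x1000, 256, 512, 0, 0, 0, 0, 0x60000020)
    sec_stab = struct.pack(hdr, b".stab", 4096, 0x2000, 4096, 768, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_text + sec_stab).ljust(512, b"\0")
    return headers + text + stab


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print("-", finding)
```

On a real sample, replace `build_sample_pe()` with the bytes of the file under analysis. The checks are deliberately header-only; import parsing (which would show the kernel32 and crypto API usage the talk discusses) needs RVA-to-offset translation through the section table and is best left to a full parser such as pefile once the quick triage has flagged a file.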