Review of Ransomware Attacks and a Data Recovery Framework using Autopsy Digital Forensics Platform

Smit Chandrakant Nayak, Vaibhavi Tiwari, Bharath K. Samanthula

2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC) (2023)

Abstract
The proliferation of digital technologies and the ubiquitous nature of data connectivity have dramatically increased the landscape of cyberattacks over the past decade. Ransomware attacks have become a global incidence and the most destructive cyber menace. As a popular example of cryptovirology, ransomware attacks typically encrypt files on a target computer and threaten to publish or permanently prevent access to the victim's data unless a ransom is paid. In general, ransom demands are often made in cryptocurrency to obscure transactions and maintain anonymity. Nonetheless, paying the ransom does not guarantee data recovery, and therefore there is a strong need to develop alternative data recovery strategies. To build and implement proper data recovery procedures, it is necessary to analyze ransomware and identify its characteristics. In this paper, we first provide a review of ransomware types and common data recovery methods. Then, we propose a novel ransomware detection and data recovery framework to effectively retrieve data from infected files. Specifically, we investigate the notorious WannaCry malware and analyze its execution on a Windows virtual machine. We conduct digital forensics using the Autopsy tool to recover WannaCry-infected data and demonstrate the practicality of the proposed framework. Our framework can be applied to develop effective data recovery methods for WannaCry and other ransomware variants with similar behavior.
Keywords
Ransomware, cryptovirology, encryption, cyber forensics, data recovery