Abstract

Ransomware has become an increasingly popular type of malware across the past decade and continues to rise in popularity due to its high profitability. Organisations and enterprises have become prime targets for ransomware as they are more likely to succumb to ransom demands as part of operating expenses to counter the cost incurred from downtime. Despite the prevalence of ransomware as a threat towards organisations, there is very little information outlining how ransomware affects Windows Server environments, and particularly its proprietary domain services such as Active Directory. Hence, we aim to increase the cyber situational awareness of organisations and corporations that utilise these environments. Dynamic analysis was performed using three ransomware variants to uncover how crypto-ransomware affects Windows Server-specific services and processes. Our work outlines the practical investigation undertaken as WannaCry, TeslaCrypt, and Jigsaw were acquired and tested against several domain services. The findings showed that none of the three variants stopped the processes and decidedly left all domain services untouched. However, although the services remained operational, they became uniquely dysfunctional as ransomware encrypted the files pertaining to those services.

Highlights

  • There is no questioning that information technology (IT) and computing play an integral part in the day-to-day operations of enterprises and organisations in modern society

  • Process Monitor was used to verify the results obtained from the manual testing method to examine the processing activity that occurred throughout the ransomware infection

  • We extensively present the impact of the ransomware variants on the logon services, network file share, Internet Information Services (IIS), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and the group policy


Summary

Introduction

There is no questioning that information technology (IT) and computing play an integral part in the day-to-day operations of enterprises and organisations in modern society. IT systems have immeasurably increased productivity in the modern workplace, and as a result, a dependency upon them has been created, so much so that “IT services are becoming a critical infrastructure, much like roads, electricity, tap water, and financial services” [1]. When IT systems stop functioning in business environments, companies can lose a large amount of money through non-utilised staff wages, missed opportunities, and reputational harm, with the average cost of downtime totalling $141,000 [2]. The profitability of ransomware relies upon the willingness to pay the ransom, and when the cost of downtime is 23 times greater than the average ransom demand of USD 5900, it is no surprise that the ransomware industry continues to grow [2].
