Forensic Analysis of Ransomware on Linux-Based Systems Using a Disk Comparison Approach


  • Revandho Vianuara Dirgantoro (*), Universitas Islam Indonesia, Yogyakarta, Indonesia
  • Ahmad Luthfi, Universitas Islam Indonesia, Yogyakarta, Indonesia
  • (*) Corresponding Author
Keywords: Monti Ransomware; Digital Forensics; Linux; In-Place Encryption; Sleuthkit; Artefacts; TOR; RaaS

Abstract

This study aims to analyze the impact of Monti ransomware infection on Linux operating systems through a digital forensic approach based on artefacts and metadata. The investigation was conducted in an isolated laboratory environment using physical hardware, employing RAM acquisition and disk imaging on two system states: before and after infection. The ransomware execution was triggered by the monti.elf binary located in the temporary /tmp directory, initiating encryption of operational files within the /Documents directory. The analysis utilized Sleuthkit tools, focusing on file system structures, inode metadata, timestamps, and artefact distribution. Findings indicate that Monti employs an in-place encryption technique, replacing file contents without altering the inode or block location. Key artefacts identified include encrypted files (.puuuk, .monti), ransom notes (readme.txt), execution logs (result.txt), and the ransomware binary (monti.elf). All artefacts share identical timestamps, suggesting automated execution within a single session. Validation was performed through comparative analysis of the clean and infected systems, entropy measurements, and examination of the TOR-based communication structures embedded in the ransom notes. These findings confirm that Monti operates as part of a Ransomware-as-a-Service (RaaS) ecosystem, with a structured and efficient infection pattern. This research contributes to the mapping of Monti ransomware artefacts and the development of forensic investigation methodologies tailored for Linux environments.
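The comparison the abstract describes (match files across the clean and infected images by inode, flag inodes whose contents were replaced with high-entropy data, and cluster newly created artefacts by shared timestamp) can be expressed as a small script. The following is an added example, not code from the paper; the snapshot records are constructed inline and stand in for what Sleuthkit's `fls -l` and `icat` would yield from the two images, the inode numbers, timestamps and the location of result.txt are assumed, and the 256-byte cycle is a deterministic stand-in for ciphertext.

```python
"""Comparative disk analysis of a clean and an infected snapshot (added example)."""
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """One file recovered from an image: directory entry, inode, mtime, content."""
    path: str
    inode: int
    mtime: int       # modification time, Unix epoch seconds
    content: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive text, near 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def compare_snapshots(clean, infected, entropy_threshold=7.0):
    """Match files by inode across the two snapshots.

    Returns (encrypted, new_artefacts):
      encrypted     - (old_path, new_path, inode) for inodes whose content hash
                      changed and whose new content is high-entropy: the
                      in-place pattern (same inode, replaced contents)
      new_artefacts - records whose inode did not exist in the clean snapshot
                      (ransom note, execution log, dropped binary)
    """
    clean_by_inode = {r.inode: r for r in clean}
    encrypted, new_artefacts = [], []
    for rec in infected:
        before = clean_by_inode.get(rec.inode)
        if before is None:
            new_artefacts.append(rec)
            continue
        same = hashlib.sha256(before.content).digest() == hashlib.sha256(rec.content).digest()
        if not same and shannon_entropy(rec.content) >= entropy_threshold:
            encrypted.append((before.path, rec.path, rec.inode))
    return encrypted, new_artefacts


def group_by_mtime(records):
    """Cluster artefacts by identical mtime; one cluster suggests a single automated run."""
    groups = defaultdict(list)
    for r in records:
        groups[r.mtime].append(r.path)
    return {t: sorted(paths) for t, paths in groups.items()}


# Constructed sample snapshots (not real case data). Inode numbers, timestamps
# and the path of result.txt are assumed for illustration.
PLAINTEXT = b"Quarterly report: revenue, costs, headcount.\n" * 50
CIPHERTEXT = bytes(range(256)) * 16          # maximal-entropy stand-in for encrypted content
T_BEFORE, T_ATTACK = 1_700_000_000, 1_700_003_600

CLEAN = [
    FileRecord("/Documents/report.txt", 1024, T_BEFORE, PLAINTEXT),
    FileRecord("/Documents/notes.txt", 1025, T_BEFORE, b"meeting notes\n" * 10),
]
INFECTED = [
    FileRecord("/Documents/report.txt.puuuk", 1024, T_ATTACK, CIPHERTEXT),     # same inode, new content
    FileRecord("/Documents/notes.txt", 1025, T_BEFORE, b"meeting notes\n" * 10),  # untouched
    FileRecord("/Documents/readme.txt", 1031, T_ATTACK, b"ransom note placeholder\n"),
    FileRecord("/tmp/result.txt", 1032, T_ATTACK, b"execution log placeholder\n"),
    FileRecord("/tmp/monti.elf", 2048, T_ATTACK, b"\x7fELF placeholder"),
]

if __name__ == "__main__":
    enc, new = compare_snapshots(CLEAN, INFECTED)
    for old, cur, ino in enc:
        print(f"in-place encryption: inode {ino} {old} -> {cur}")
    for t, paths in group_by_mtime(new).items():
        print(f"new artefacts sharing mtime {t}: {paths}")
```

Matching by inode rather than by path is what makes the in-place pattern visible: the directory entry gains a new extension, but the inode and its block allocation are unchanged, so the only evidence of the rewrite is the content hash and the entropy jump. On a real case the threshold should be checked against known compressed formats on the same volume, which also score high.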



Article History
Published: 2025-11-26
Section: Articles