
Why RAM imaging in ransomware cases is a must

by Igor Mikhaylov, 2017-06-03

 

Ransomware is the scourge of our time. No one is immune from seeing a demand to pay hackers money on the screen of his computer, laptop or mobile phone. Usually, hackers encrypt user files on the assumption that these files are important to the user and that he is ready to spend a certain amount of money on decrypting them.

 

Often, ransomware uses the following tricks for this:

  1. Changes the file extension to another one. This prevents Windows from opening the files in the appropriate program (the viewer or the editor);
  2. Changes the first few bytes of the file. Windows then treats the modified file as corrupted and likewise does not let the user view its contents;
  3. Encrypts the files. Nowadays, this method is the most common. Each computer is encrypted with a unique crypto key, which, once encryption is finished, is transferred to the command-and-control (C&C) server that belongs to the hackers.
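An examiner can tell the three tricks apart per file before deciding what to recover. The triage below is an added example, not code from the article; the function names, the signature table, the 16-byte header size and the entropy threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os.path
from collections import Counter

# Leading "magic" bytes of a few common formats (illustrative subset only).
MAGIC = {
    b"%PDF": {".pdf"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: low for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, head: int = 16, threshold: float = 7.0) -> str:
    """Guess which trick hit a file whose original format has a known signature."""
    ext = os.path.splitext(name)[1].lower()
    known = next((exts for sig, exts in MAGIC.items() if data.startswith(sig)), None)
    if known is not None:
        # The signature survived, so the start of the content was not modified.
        return "intact" if ext in known else "trick 1: renamed only"
    if entropy(data[head:]) < threshold:
        return "trick 2: header overwritten, body still readable"
    return "trick 3: body looks encrypted"

# Constructed samples (not real case data): a PDF-like text file and a
# pseudo-random stream standing in for ciphertext.
PLAIN = b"%PDF-1.4\n" + b"Quarterly report: revenue table and notes.\n" * 100
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, data in [("report.pdf", PLAIN), ("report.pdf.locked", PLAIN),
                       ("report.pdf", b"\x00" * 16 + PLAIN[16:]), ("report.pdf", NOISE)]:
        print(f"{name:20} {triage(name, data)}")
```

Compressed formats such as JPEG or DOCX are high-entropy even when untouched, so a header-only change to them cannot be separated from full encryption by entropy alone.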

 

 

A cryptographic key (crypto key) is a piece of data that selects one particular cryptographic transformation out of all those possible in a given cryptographic system.

 

 

The crypto key is stored on this server for some time. A separate bitcoin wallet is created for each encrypted computer so that the hackers know who paid the money.

 

Bitcoin is a cryptocurrency and a digital payment system invented by an unknown programmer, or a group of programmers, under the name Satoshi Nakamoto. Cryptographic methods are used to ensure the functioning and protection of the system.

 

 

The owner of the encrypted files can redeem the crypto key and receive a program from the hackers which, using this crypto key, decrypts his files. Even if the encrypted files are important to him, he may not pay for the following reasons:

 

1) The owner of the computer may simply not have the required amount of money.

2) The owner of the computer will not be able to collect the required amount during the period that is set by hackers and until the moment when the crypto key is removed from the command server.

3) The owner of the computer will not be able to figure out how to make the payment to the hackers.

 

 

In addition, there are no guarantees that if the owner of the encrypted files pays money to the hackers, then he will receive a program to decrypt the files. This can happen for the following reasons:

 

1) Programming errors. Hackers can create a piece of ransomware that does not send the crypto key to the C&C server.

2) Programming errors. Hackers can create a piece of ransomware that does not generate a bitcoin wallet for each computer, and then the hackers will simply not know who paid them money. (That’s exactly what happened with computers whose files were encrypted by WannaCry.)

3) If the owner of the encrypted files has not paid the hackers within a certain period, his crypto key can be deleted and cannot be restored.

4) Hackers can simply hide and stop sending the crypto keys that were paid for.

5) The police can take down the management server, and then the crypto keys stored on it will be inaccessible to the owners of the encrypted computers.

 

The only thing you can be sure of is that when the computer owner sees the demand to pay money on the monitor screen for the first time, the crypto key is in the computer’s memory. At this point, you should make a RAM memory dump. Experts can extract the crypto key from this dump and decrypt the files.
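One way such an extraction works, as an added example that is not from the article or from Belkasoft: it assumes the ransomware used AES-128 and left the expanded key schedule in memory, which the article does not state. Every 16-byte window of the dump is treated as a candidate key and accepted only if the 160 bytes that follow are exactly its FIPS-197 key expansion; `find_aes128_keys` and the sample dump are constructed for illustration.

```python
import hashlib

def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF

def _build_sbox():
    """Compute the AES S-box rather than embedding the 256-entry table."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        for s in (1, 2, 4):                                    # q /= 3, so p*q == 1
            q = (q ^ (q << s)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse and is handled separately
    return sbox

SBOX = _build_sbox()

def expand_key(key: bytes) -> bytes:
    """AES-128 key expansion (FIPS-197): 16-byte key -> 176-byte schedule."""
    w, rcon = [key[i:i + 4] for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord, then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)

def find_aes128_keys(dump: bytes):
    """Return (offset, key) for every window that is a valid key schedule."""
    hits = []
    for off in range(len(dump) - 175):
        key = dump[off:off + 16]
        # Cheap skip of zero-filled or padding pages before the full expansion.
        if len(set(key)) > 4 and expand_key(key) == dump[off:off + 176]:
            hits.append((off, key))
    return hits

# Constructed sample: pseudo-random filler with one schedule planted at 0x400.
_filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key
SAMPLE_DUMP = _filler[:0x400] + expand_key(SAMPLE_KEY) + _filler[0x400:]
```

Pure Python shows the check but is far too slow for a multi-gigabyte dump; the exact-match comparison also assumes the schedule was captured without bit errors.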

 

In this article, you will learn how to create a RAM memory dump using Belkasoft Live RAM Capturer.

 

Go to the Belkasoft website (https://belkasoft.com/get) and fill out the request form for this tool.

Fig. 1. Request form.

After that, you will receive an email with a link to download Belkasoft Live RAM Capturer. Download it and put it on a flash drive. Connect this flash drive to the computer with the encrypted files.

 

There are 32-bit (file ‘RamCapture.exe’) and 64-bit (file ‘RamCapture64.exe’) versions of Belkasoft Live RAM Capturer.

 

Fig. 2. Files of Belkasoft Live RAM Capturer.

 

Click on the file that matches your System type.

 

If you accidentally run a file that does not match your system, you will see an error message.

Fig. 3. Error message.

 

You will see the main window after running Belkasoft Live RAM Capturer.

Fig. 4. The main window of Belkasoft Live RAM Capturer.

 

Belkasoft Live RAM Capturer will offer to save the created RAM memory dump to a flash drive. Click ‘Capture!’.

 

If your flash drive has a FAT file system (FAT32) and the amount of RAM is more than 4GB, you will see the message ‘Insufficient disk space for the dump file’.

 

Fig. 5. The message ‘Insufficient disk space for the dump file’.

This is because Windows cannot write a file larger than 4GB to a FAT (FAT32) file system. Reformat the flash drive as exFAT or NTFS to save the RAM memory dump to it. If you do not do this, you can specify a different location, such as the hard drive of the computer, where the RAM memory dump will be stored. As an example, the path ‘C:\Users\Igor\Document’ was used. As shown in Fig. 6, the RAM memory dump was created successfully.

 

Fig. 6. A message stating that the RAM memory dump was created successfully.

 

The name of the file that contains the copy of RAM corresponds to the date of its creation.

Fig. 7. A file containing a copy of the computer’s RAM.

 

 

 

Conclusion

 

In this article, we discussed how to create a RAM memory dump using Belkasoft Live RAM Capturer.

This memory dump can be used to extract a crypto key. This crypto key can be used to decrypt encrypted files.

 

Authors:

Igor Mikhaylov & Oleg Skulkin
