Ransomware attackers of Maastricht University have been tracked by analyzing hundreds of thousands of traces. Thanks to this huge number of digital traces, forensic investigators were able to precisely analyze the attack by the cybercriminals behind the ransomware incident at Maastricht University. Who, what, where and when became very clear from all those traces, with the help of data science. Such digital evidence is becoming increasingly important in court cases and for developing defensive measures.
In the forensic investigation into the recent cyber-attack at Maastricht University (UM), hundreds of thousands of digital traces were searched in various log files of networks and Windows computers (see the report from Fox-IT with explanatory notes from UM). Forensic investigators were on site on December 24th and started their investigation. Using old logs, they found that the first phishing e-mail was opened on October 15th; it contained a link to an Excel document with a macro that retrieves malware from an external address and then executes it.
More phishing e-mails were received on October 16th, and that day the attacker was active for the first time. Between October 17th and 24th, the attacker obtained local administrator rights on multiple servers. On November 21st, the attacker obtained domain administrator rights. Indirect forensic evidence was found from which it can be deduced that the attacker presumably obtained the password of this account by analyzing the memory of a server on which legitimate domain administrators had been logged on.
From that moment on, the attacker mapped the entire network and made preparations. The ransomware attack started on December 23rd. Up to that point, the digital traces are mainly found in network logs and Windows event logs. Forensic investigators also found relatively fresh traces of the ransomware rollout itself. This often involves searching for traces of files and programs that are no longer present on the system. If not too old, such traces can be found in a variety of Windows cache files.
Using data science to validate scenarios
With the continued growth of IoT and ICT networks, more data is becoming available that can serve as digital traces. Finding the right digital trace therefore requires data science and data visualization to test or refine scenarios. Sometimes, when the crime has literally happened invisibly in cyberspace, experts have to draw up a scenario based solely on digital traces. The knowledge they gain in this process is particularly valuable for subsequently protecting, in real time, organizations that receive tens of thousands of alerts per second, such as UM.
In this case, the digital forensic investigation has made it clear how cyber criminals took part of the UM data hostage. The digital traces not only show information about the source (who), but also which activities (what) were carried out, where (location) and when (time). This allows the complete attack scenario to be reconstructed. In that respect, digital traces differ from physical traces, where it is more difficult to provide evidence at the activity level.
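The timeline reconstruction described above (first phishing trace, first local administrator logon per server, first domain administrator logon) and the who/what/where/when summary can be automated over heterogeneous logs. The following is an added example, not code from the post or from the Fox-IT investigation; the log lines, host names, account names and the external address are constructed, and the two log formats are simplified assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample traces, not taken from the Fox-IT report: a web proxy log and
# Windows Security events as key=value pairs (4624 = logon, 4672 = admin privileges).
PROXY_LOG = """\
2019-10-15T09:12:44Z client=ws-017 user=student1 url=http://external.example/invoice.xlsm
2019-10-15T09:13:01Z client=ws-017 user=student1 url=http://external.example/stage2.exe
"""
WIN_LOG = """\
2019-10-16T14:02:10Z host=ws-017 id=4624 account=student1 type=2
2019-10-18T03:41:55Z host=srv-05 id=4624 account=localadm type=10
2019-10-18T03:41:55Z host=srv-05 id=4672 account=localadm
2019-11-21T22:17:03Z host=dc-01 id=4624 account=domadm type=3
2019-11-21T22:17:03Z host=dc-01 id=4672 account=domadm
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_traces(text, source):
    """Normalise one log source into events with a UTC time, host (where) and account (who)."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        f = dict(KV.findall(rest))
        events.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": source,
            "where": f.get("host") or f.get("client"),
            "who": f.get("account") or f.get("user"),
            "what": f.get("url") or ("admin_logon" if f.get("id") == "4672" else "logon"),
        })
    return events

def build_timeline(*sources):
    """Merge all sources into one timeline ordered by time (stable sort keeps source order on ties)."""
    return sorted((e for s in sources for e in s), key=lambda e: e["when"])

def first_admin_logons(timeline):
    """Earliest admin logon per host: where and when elevated rights first appear."""
    first = {}
    for e in timeline:
        if e["what"] == "admin_logon" and e["where"] not in first:
            first[e["where"]] = (e["when"].date().isoformat(), e["who"])
    return first

def scenario(timeline):
    """Who/what/where/when summary that an attack scenario can be checked against."""
    return {"who": sorted({e["who"] for e in timeline}),
            "where": sorted({e["where"] for e in timeline}),
            "first_trace": timeline[0]["when"].date().isoformat(),
            "admin_by_host": first_admin_logons(timeline)}
```

Feeding the merged timeline into a data visualization tool, or comparing `scenario()` output against a hypothesized sequence of events, is how such a scenario is tested or refined.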
Being the source of a trace is not a crime, but the actions that accompanied it may be. As a result, questions about those acts (at the activity level) are more relevant to the court's considerations than questions about the source (at the source level). That is why digital traces from smartphones and computers nowadays also play an important role in court rulings on non-digital crimes. Examples (in the Netherlands) are the murder of Koen Everink and the murder on the Bûterwei.
More examples, explanations and discussions about the meaning of digital evidence will be presented at the 11th E-Discovery symposium on March 17th 2020 at Leiden University of Applied Sciences. Attending the symposium is free of charge, but registration is required. The program information and registration page can be found on the website.
For the Dutch version of this post, see: blog