A Behavioral Analysis of Ransomware in Active Directory: A Case Study of BlackMatter, Conti, LockBit, and Midnight
Citation of Original Publication
Prajna Bhandary and Charles Nicholas, “A Behavioral Analysis of Ransomware in Active Directory: A Case Study of BlackMatter, Conti, LockBit, and Midnight,” 2025 13th International Symposium on Digital Forensics and Security (ISDFS), April 2025, 1–6, https://doi.org/10.1109/ISDFS65363.2025.11012104.
Rights
© 2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Abstract
Ransomware continues to be a pervasive cyber-security threat, particularly in enterprise environments that leverage Active Directory (AD) for centralized management. This study focuses on analyzing ransomware behavior by examining Windows Event Logs generated during attacks from four prominent ransomware families: “BlackMatter,” “Conti,” “LockBit,” and “Midnight.” The “Midnight” samples included in this study were labeled as such in the dataset [1]–[3]. Although not a commonly recognized ransomware family in public reports, they demonstrate typical ransomware behaviors, including encryption and system compromise. We conducted experiments on 20 ransomware samples (5 per family) within a controlled Proxmox-based virtual AD environment to simulate realistic enterprise conditions. Our analysis applies n-gram sequence modeling and behavioral feature extraction to uncover distinctive event patterns and attack paths. The findings reveal consistent, family-specific behavioral sequences, such as repetitive service control and credential validation events, that are indicative of ransomware activity. In addition to offering insight into the operational methods of ransomware, we lay the groundwork for automated behavior-based detection mechanisms suited for enterprise AD environments.
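The n-gram sequence modeling described in the abstract, shown as an added example (not code from the paper): consecutive Windows Event IDs are windowed into n-grams, repeated windows made up only of service-control and credential-validation events are surfaced, and a Jaccard score compares a host's n-gram set against a family profile. The mapping of "service control" to Service Control Manager events 7036/7040/7045 and "credential validation" to event 4776 is an assumption of this example, and the log lines are constructed.

```python
from collections import Counter
from typing import Sequence

# Assumed mapping of the abstract's two behavior classes to Windows Event IDs:
# 7036/7040/7045 are Service Control Manager events, 4776 is NTLM credential validation.
SERVICE_CONTROL = {7036, 7040, 7045}
CREDENTIAL_VALIDATION = {4776}

# Constructed sample export ("<time> <EventID> <Provider>") from one host, not data from the paper.
SAMPLE_LOG = """\
10:00:01 4624 Microsoft-Windows-Security-Auditing
10:00:02 4688 Microsoft-Windows-Security-Auditing
10:00:03 7045 Service Control Manager
10:00:03 7036 Service Control Manager
10:00:04 4776 Microsoft-Windows-Security-Auditing
10:00:05 7045 Service Control Manager
10:00:05 7036 Service Control Manager
10:00:06 4776 Microsoft-Windows-Security-Auditing
10:00:07 7045 Service Control Manager
10:00:07 7036 Service Control Manager
10:00:08 4776 Microsoft-Windows-Security-Auditing
10:00:09 4688 Microsoft-Windows-Security-Auditing
"""


def parse_event_ids(log_text: str) -> list[int]:
    """Keep only the Event ID column, preserving log order."""
    return [int(line.split()[1]) for line in log_text.splitlines() if line.strip()]


def ngrams(ids: Sequence[int], n: int) -> Counter:
    """Count every window of n consecutive Event IDs."""
    return Counter(tuple(ids[i:i + n]) for i in range(len(ids) - n + 1))


def repetitive_patterns(counts: Counter, min_count: int = 2) -> list[tuple[tuple[int, ...], int]]:
    """n-grams seen at least min_count times that consist solely of watched event classes."""
    watched = SERVICE_CONTROL | CREDENTIAL_VALIDATION
    hits = ((g, c) for g, c in counts.items() if c >= min_count and set(g) <= watched)
    return sorted(hits, key=lambda gc: (-gc[1], gc[0]))  # most frequent first


def sequence_similarity(sample: Counter, profile: Counter) -> float:
    """Jaccard similarity of two n-gram sets, e.g. a host against a per-family profile."""
    a, b = set(sample), set(profile)
    return len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    grams = ngrams(parse_event_ids(SAMPLE_LOG), 3)
    for gram, count in repetitive_patterns(grams):
        print(f"{count}x {gram}")  # the 7045 -> 7036 -> 4776 loop stands out
```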
