A Behavioral Analysis of Ransomware in Active Directory: A Case Study of BlackMatter, Conti, LockBit, and Midnight

dc.contributor.author: Bhandary, Prajna
dc.contributor.author: Nicholas, Charles
dc.date.accessioned: 2025-07-09T17:54:57Z
dc.date.issued: 2025-06-02
dc.description: 2025 13th International Symposium on Digital Forensics and Security (ISDFS), 24-25 April 2025, Boston, MA, USA
dc.description.abstract: Ransomware continues to be a pervasive cyber-security threat, particularly in enterprise environments that leverage Active Directory (AD) for centralized management. This study focuses on analyzing ransomware behavior by examining Windows Event Logs generated during attacks from four prominent ransomware families: “BlackMatter,” “Conti,” “LockBit,” and “Midnight.” The “Midnight” samples included in this study were labeled as such in the dataset [1]–[3]. Although not a commonly recognized ransomware family in public reports, they demonstrate typical ransomware behaviors, including encryption and system compromise. We conducted experiments on 20 ransomware samples (5 per family) within a controlled Proxmox-based virtual AD environment to simulate realistic enterprise conditions. Our analysis applies n-gram sequence modeling and behavioral feature extraction to uncover distinctive event patterns and attack paths. The findings reveal consistent, family-specific behavioral sequences, such as repetitive service control and credential validation events, that are indicative of ransomware activity. In addition to offering insight into the operational methods of ransomware, we lay the groundwork for automated behavior-based detection mechanisms suited for enterprise AD environments.
dc.description.uri: https://ieeexplore.ieee.org/abstract/document/11012104
dc.format.extent: 6 pages
dc.genre: conference papers and proceedings
dc.genre: postprints
dc.identifier: doi:10.13016/m2d6gm-vnkv
dc.identifier.citation: Prajna Bhandary and Charles Nicholas, “A Behavioral Analysis of Ransomware in Active Directory: A Case Study of BlackMatter, Conti, LockBit, and Midnight,” 2025 13th International Symposium on Digital Forensics and Security (ISDFS), April 2025, 1–6, https://doi.org/10.1109/ISDFS65363.2025.11012104.
dc.identifier.uri: https://doi.org/10.1109/ISDFS65363.2025.11012104
dc.identifier.uri: http://hdl.handle.net/11603/39241
dc.language.iso: en_US
dc.publisher: IEEE
dc.relation.isAvailableAt: The University of Maryland, Baltimore County (UMBC)
dc.relation.ispartof: UMBC Faculty Collection
dc.relation.ispartof: UMBC Computer Science and Electrical Engineering Department
dc.relation.ispartof: UMBC Student Collection
dc.rights: © 2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
dc.subject: Cybersecurity
dc.subject: Active Directory
dc.subject: Detection Rules
dc.subject: Feature extraction
dc.subject: Analytical models
dc.subject: Digital Forensics
dc.subject: Machine learning
dc.subject: Ransomware
dc.subject: Digital forensics
dc.subject: Machine Learning
dc.subject: Encryption
dc.subject: Windows Event Logs
dc.subject: Proxmox
dc.subject: Computer security
dc.title: A Behavioral Analysis of Ransomware in Active Directory: A Case Study of BlackMatter, Conti, LockBit, and Midnight
dc.type: Text
dcterms.creator: https://orcid.org/0000-0002-3268-6743
dcterms.creator: https://orcid.org/0000-0001-9494-7139

Files

Original bundle

Name: Behavioural_Analysis_of_Malware_in_Active_Directory3.pdf
Size: 255.19 KB
Format: Adobe Portable Document Format