An Experimental Analysis of Cryptographic Techniques Used in Ransomware and Their Impact on Digital Forensic Investigation | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article An Experimental Analysis of Cryptographic Techniques Used in Ransomware and Their Impact on Digital Forensic Investigation Usman, Mamta Bansal This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-9304413/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Ransomware attacks have become one of the most major cybersecurity threats globally, causing serious financial and operational damage to organizations and individuals that cause significant data breaches and financial loss. Modern ransomware commonly uses hybrid cryptographic techniques that combine symmetric (e.g. AES) and asymmetric (e.g. RSA) encryption algorithms to protect victim files and prevent unauthorized recovery. This study presents an experimental analysis of cryptographic techniques used in ransomware and evaluate their impact on digital forensic investigations. In this research, a hybrid encryption model based on the Advanced Encryption Standard (AES) and the Rivest–Shamir–Adleman (RSA) algorithm was implemented to simulate the encryption mechanism used in today’s ransomware attack that. The experiment was conducted on multiple file types including documents (.docx), images (.jpg, and .png), audio (.mp3), video (.mp4), and spreadsheet (.csv, .xlsx) files. Key metrics that was used in this work include file entropy and encryption time were analyzed to examines the behavior and performance of the encryption process of each file. The results show that file entropy went up a lot after encryption, getting close to the theoretical maximum value. This means that the encrypted data is very random. Also, the encryption process was finished quickly for most files, which shows how well the hybrid encryption method works. These results show how hard it is for digital forensic investigators to look at files that have been encrypted by ransomware. The experiment shows that hybrid encryption is both very secure and very fast, which is why it is so popular in modern ransomware attacks. The results also show that entropy analysis can help find encrypted files during forensic investigations. Ransomware Cryptographic Advance Encryption Standard (AES) Rivest–Shamir–Adleman (RSA) Digital forensic Figures Figure 1 Figure 2 Figure 3 Figure 4 Introduction 1.1. Background of the study Ransomware attack has grown to be a significant online threat over the past several decades. The AIDS Trojan, which was developed in the late 1980s, is part of the historical development of ransomware attack. Despite being less advanced than later evolution, it was the earliest known instance of ransomware. Examining the development of basic encryption malware reveals a number of important turning points, including the 2013 release of CryptoLocker [ 1 ]. Significant economic losses occur globally as a result of a phenomena in which a criminal uses encryption to hold crucial data hostage until the victim pays a ransom. Sensitive data can be accessed and encrypted by ransomware intruders, but the trend also introduces a new vulnerability [ 2 ]. Ransomware, a special type of malware, is designed to encrypt data on a system and then demand ransom payments in exchange to regain control of the system [ 3 ]. That is, a victim’s device is deceptively infected with ransomware to demand money and threaten to publish the victim’s data or make the data unavailable permanently. The files cannot and should not be recovered without paying the ransom since new generation ransomware uses advanced encryption. Additionally, it uses the Ransomware-as-a-Service (RaaS) paradigm, which makes ransomware available to everyone because it is easy to use and doesn't require a lot of hacking knowledge. The rise of cryptocurrencies like Bitcoin, which allow attackers to accomplish their goals through anonymous ransom payments, has made the situation worse [ 1 ]. As ransomware progress, attackers started encrypting files of a victim device using stronger encryption methods like AES and RSA which are the modern method of ransomware. This change greatly increased the pressure to yield with the attackers' demands by making it practically hard for victims to decrypt their data without paying the ransom. Later on the invention of modern ransomware incorporated the use of a hybrid encryption system that comprises both asymmetric and symmetric encryption [ 1 ], [ 4 ]. 1.2 Problem Statement The increasing use of hybrid cryptographic techniques in ransomware attacks presents critical challenges for digital forensic investigations whereby investigators find it difficult to analyze and recover data or file from the ransomware attacker. Modern ransomware uses asymmetric encryption (like RSA) to secure the encryption keys and symmetric encryption (like AES) to encrypt victim files, making data recovery extremely challenging without access to the secret key. Although hybrid encryption is always used in ransomware, little experimental research has shown how it changes or alter file entropy, encryption performance, and forensic detectability. 1.3 Research Aim and Objectives This research aims to simulate hybrid encryption techniques and analyze their forensic implications through controlled experimentation. The main objectives of this works are; implement hybrid encryption (AES + RSA) on selected sample files to simulate ransomware behavior, measure and analyze file entropy, encryption time, and file size changes before and after encryption, evaluate the forensic detectability of hybrid-encrypted files using entropy and file metadata and lastly, provide insights on the challenges hybrid encryption poses to digital forensic investigations. 1.4 Research Questions How does hybrid encryption (AES + RSA) used in ransomware affect the entropy of victim files? How does using hybrid encryption affect the size and performance of encrypted files depending on what type of file is involved? How easily can hybrid encryption be detected by forensic means such as metadata inspection and entropy analysis? What barriers might exist for forensic investigators wishing to recover files that have been encrypted with hybrid encryption (e.g. ransomware)? 1.5 Research Contribution The findings of this research project are generally summarized as follows: The authors of this report have implemented a Hybrid Encryption Model (AES + RSA) and simulated it against the encrypting behaviors of ransomware that is currently being used in the current cybercrime landscape. This research evaluated through experimental testing how Hybrid Encryption will impact various file types (e.g. documents, images, audio, video, and structured data) regarding the manner in which they become encrypted by applying Hybrid Encryption techniques. The study evaluates the forensic implications of ransomware encryption by measuring entropy variation, encryption time, and file size changes before and after encryption. The work provides practical insights that may assist digital forensic investigators in detecting ransomware-encrypted files using entropy and metadata analysis. Literature Review 2.1 Overview of Ransomware Ransomware is a type of cyberattack that encrypts the victim's data and prevents access unless the victim pays the attacker a ransom. Ransomware sneaks onto a victim's device to demand money and threaten to publish the victim's data or render it permanently unusable[ 3 ]. In this attack, hackers infiltrate security vulnerability in information systems to infect the victim’s devices and secretly encrypt the data. The frequency and complexity of ransomware assaults are still evolving. Attackers use advanced technology, psychological manipulation methods (social engineering), and system flaws to carry out their attacks [ 5 ]. According to [ 6 ], refers ransomware as a form of malicious code or malware that infects a computer and spreads rapidly to encrypt the data or to lock the machine. Users are unable to access their data due to this infection, and the attackers require payment from the victim to unencrypt and make their files available. Ransomware is currently attacking organizations and individuals globally, and the payment is frequently sought in Bitcoin or other untraceable cash. Ransomware's primary goal is to use malware to maximize revenue. It prevents victims from making payments by locking the system or encrypting the data, and occasionally it threatens to reveal private information to the public if payment is not made. Although they employ different types of payloads, all ransomware families exhibit very identical behaviors[ 6 ]. There are different types of ransomware attack including crypto-ransomware, and Master Boot Record (MBR) Ransomware, locker ransomware. According to [ 4 ], define crypto-ransomware as a process where by an intruder encrypts user files and asks for a payment to provide the decryption key. Encryption keys and the assault coordination are chosen by a command-and-control server. CryptoWall, CryptoLocker, TeslaCrypt, and CTB Locker are some well-known examples of Crypto ransomware[ 3 ]. Locker ransomware actually looks for files with certain extensions that perform basic functionalities on the compromised system and encrypts them. Upon locking (or encrypting) these data files using AES encryption, it will display a popup message with the ransom demand and details on infections. Specifically, the message includes information about the file system corruption, along with the payment details and a demand for 0.1 BTC in ransom. Although Locker ransomware typically targets non-critical system files, it still causes significant disruption to business operations[ 3 ], [ 4 ]. MBR ransomware came into existence in 2010, This type of ransomware replaces the original MBR with its own code and then locks the user from accessing its services. It never encrypts file and displays the ransom message at computer boot-up time [ 6 ]. The above diagram which is Fig. 1 indicates the ransomware families and how they implement each step starting from 1 to 5. The detection techniques take advantage of known ransomware behavior during one or more of the above-mentioned steps. Infection stage is carried out following the same procedures as any malware. The infector vectors are Spam, corrupted web pages, vulnerability (loopholes in a system), phishing. Contact C&C server comprises the actions a ransomware performs which require Internet access and are previous to the data encryption phase. It contacts a C&C server or a cluster of servers. A C&C server is an Internet host or set of hosts that manage malware actions, distribute command and collect information from victims. Step 3 which is Encryption keys management is type of encryption algorithm used by a ransomware and the key management strategy determine the presence of the decryption key in a user’s machine. Data encryption is the main task in a ransomware lifecycle is encrypting the content of user files, rendering them unusable unless the user pays a ransom to obtain the decryption key. The last stage is extortion the malware asks for payment of a ransom. The most frequent technique is the creation of text files, HTML documents, or image files inside the directories where the files were encrypted. In these files the hacker informs the user as to what has occurred and what the user must do to recover one’s files. Some strains of ransomware use system calls to change the computer desktop background or lock access to the computer and show only the ransom information [ 4 ]. 2.2 Evolution of Ransomware The AIDS Trojan PC in the Cyborg release or came into existences in the year of 1989 is credited with creating ransomware. During the World Health Organization's AIDS conference, 20,000 floppy discs labelled "AIDS Information—Introductory Diskettes" were used to transmit this ransomware by Dr. Joseph Popp, a biologist with training from Harvard. The virus was put into hidden mode after installing the compromised disc in the sense that I can’t no easily to detect, and it stayed hidden in the system for ninety reboots before encrypting the filenames on a computer hard drive. In order to release the decryption key, the attacker will the asked user to send $ 189 to a PO box located in Panama. The AIDS Trojan presented the basic idea of ransomware: it transmitted the data in encrypted form and then requested that the owner of the data pay a ransom to have his data freed. Despite being very simple by today's standards, it was swiftly neutralized. In mid-2000, ransomware reappeared with even more sophisticated techniques and increased levels of stealth. During this time, professionally crafted strategies and operations replaced simple, unprofessional techniques. Gpcode came in in 2004 through the point-of-sale purchase model, it locked the file with RSA encryption instead used of AES encryption. The used of RSA made it more difficult for users to decrypt the locked file after encrypted [ 7 ]. In 2006 Archivius was further demonstrates as ransomware where files were encrypted using the strongest RSA-1024 encryption model. It accomplished this by using the "phishing" technique, which involves spicing up emails to look authentic. Later ransomware assaults used a similar technique. Later on, Advent of Cryptographic Ransomware was released at the late of 2000s to Early 2010s including CryptoLocker and CryptoWall. One could characterise CryptoLocker (2013) as the "Second Generation" of ransomware. It used AES-256 and RSA-2048 encryption to encrypt information and demanded a ransom in Bitcoin while making money off of the technology that allowed the currency to remain anonymous [ 7 ]. Phishing emails with attachments containing the encryption Trojan were the main method used to spread CryptoLocker. Millions of people's devices were impacted over the course of several months, generating hundreds of millions of dollars in ransom payment. After CryptoLocker, CryptoWall is another significant ransomware threat that was published in 2014. In order to get around the security software, it integrated some disguise and protection with decoding features, but it used the same encryption algorithms and distribution channels. Therefore, the CryptoWall ransomware demonstrated positive outcomes in its operations, further demonstrating that ransomware is a lucrative enterprise for criminals [ 1 ]. Ransomware-as-a-service (RaaS) emerged in the mid-2010s, making it easier for a larger community to control ransomware creation, distribution, and targeting. Tox (2015) was among the first providers of ransomware as a service (RaaS), which enables anyone to start distributing ransomware by just registering with them. The Tox developers stated that the payment method was encrypted, but they also received a portion of the ransom, making both the hacking attempts and the business of developing these platforms profitable for all. Another popular RaaS was Cerber (2016), which was set up with strong encryption and regular upgrades that were typically sent via emails, phishing scams, and exploit kits. As a result, Cerber became a model of the RaaS model, sustaining the hackers' expanding assault cycle. In May 12, 2017 Wannacry or Wcry ransomware came into existence whereby the attacker compromised more than 300,000 computers in more than 150 countries. This attack impacted a number of organizations, including those in the manufacturing, oil and gas, government, healthcare, and communications sectors. Preventing WannaCry infestation is extremely difficult due to its wormlike dissemination characteristics [ 3 ], [ 8 ]. Double extortion and targeted attacks came later 2010s to Early 2020s, One of the new organizations, Maze ransomware, has been using double extortion since 2019. In addition to encrypting data, Maze took confidential information and demanded a payment to keep it secret. The likelihood of paying to address the lack of data and the possibility of data breaches is increased by these extra demands [ 1 ]. 2.3 Cryptography in Cybersecurity Cryptography-based methods, which employ encryption to provide confidentiality, integrity, authentication, and nonrepudiation, are widely used in computing. As a result, their use in preventing or restricting access to information and safeguarding personal information is not new. However, the use of cryptographic approaches in digital forensics is still relatively new, with few studies concentrating on various digital forensics areas [ 9 ]. Encryption can be defined as a process of changing data or information from plaintext(readable) into ciphertext(unreadable). In another word, randomize data or information to prevent others from reading it [ 10 ]. Cryptographic techniques are divided into two different types namely: symmetric encryption and asymmetric encryption. Symmetric encryption is a process of using the same key for both locking data and unlocking it. The Advanced Encryption Standard (AES) is one of the most popular symmetric encryption methods due to its strength and speed of operation, and it is used frequently to protect sensitive data by quickly encrypting large amounts of information [ 9 ]. Public or asymmetric encryption employs two separate keys for encrypting or decrypting the information: The encrypting key is known as the public key and the decrypting key is known as the private key. In contrast, asymmetric encryption, also known as public-key cryptography, uses two different keys: a public key for encryption and a private key for decryption. The Rivest–Shamir–Adleman (RSA) algorithm is one of the most widely used asymmetric cryptographic [ 10 ]. 2.4 Hybrid Encryption in Ransomware Modern ransomware has advanced significantly in terms of the cryptographic techniques that is used to encrypt victim data in today’s world. Early form of ransomware often relied on weak encryption methods or locally stored keys that is either primary or public keys, which made it possible for security researchers and forensic experts to recover encrypted files. However, in order to increase security of the system and prevent unwanted decryption, modern ransomware variants or types are now employ hybrid encryption approaches, which combine symmetric and asymmetric cryptographic algorithms [ 11 ]. Hybrid encryption is a cryptographic approach that merge or combines the benefits of symmetric and asymmetric encryption methods. This method uses a symmetric encryption algorithm like the Advanced Encryption Standard (AES) to encrypt the victim's files because it is fast and efficient when working with a lot of data with just one key for both encrypting and decrypting. After the files are encrypted, the symmetric encryption key is then encrypted using an asymmetric algorithm such as Rivest–Shamir–Adleman (RSA). The intruder either stores or sends the encrypted symmetric key, while the attacker keeps the private key needed to decrypt it [ 12 ]. This method gives ransomware attackers a number of benefits. First, symmetric encryption lets the malware encrypt files quickly without slowing down the system too much. Second, asymmetric encryption makes it hard to get the symmetric encryption key back without the attacker's private key. Because of this, victims can't decrypt their files unless they get the decryption key from the attacker, which usually means paying a ransom. CryptoLocker, Locky, and WannaCry are three of the most well-known ransomwares that use hybrid encryption methods to protect encrypted files and stop forensic recovery [ 13 ]. Ransomware developers can make a very secure encryption system that is hard to break with regular forensic methods by using AES to encrypt files and RSA to protect keys. 2.5 Forensic Challenges of Ransomware Ransomware attacks mainly generate or create significant challenges for digital forensic investigations. One of the key difficulties comes from the use of strong cryptographic algorithms to encrypt victim files that is to make it unreadable for the user. Modern ransomware often uses a mix of algorithms like AES and RSA to encrypt files. This makes it very hard to get back encrypted data without the decryption key [ 14 ]. Another problem is that ransomware can encrypt a lot of files in a short amount of time, which makes it less likely that the attack will be found early. In many cases, ransomware may also delete backup copies or system recovery options to prevent victims from restoring their data. In addition, attackers also often use cryptocurrencies and anonymization techniques to hide their identities, which makes it harder for investigators to find out who did the attack. These things make ransomware a big problem for digital forensic investigators [ 15 ]. 2.6 Summary of Literature The literature reviewed in this research work actually highlights the increasing threat of ransomware and the important role of cryptographic techniques in modern attacks. Earlier ransomware depends or relied on weaker approached, but recent ones are now using strong encryption algorithms such as AES and RSA to secure victim files. Many modern ransomware variants implement hybrid encryption, which combines symmetric and asymmetric cryptography to achieve both efficiency and strong security in a system. The reviewed studies also indicate that these advanced encryption techniques create serious challenges for digital forensic investigations in the world. Once files are encrypted using hybrid encryption, recovering them without access to the decryption key becomes highly difficult. Although several studies have examined ransomware behavior and cryptographic mechanisms, limited experimental research has focused on analyzing the impact of hybrid encryption on file entropy and encryption performance. As a result of such an evaluation, the researchers have collected relevant data through empirical means which may assist them in establishing clear lines of cooperation between the use of Hybrid Encryption and the successful completion of forensic investigations. Numerous studies have appeared regarding the evolution of Ransomware and Cryptographic Methods being employed by today’s advanced Malware. However, several studies have employed theoretical models or case studies to illustrate their findings. The authors of this study have employed experimentation to implement a Hybrid AES-RSA Encryption Model, and have used experimental data taken from actual samples to provide practical examples of the impact of present-day Cryptographic Techniques on the ability of Digital Forensic Analysts to detect and analyze Ransomware-encrypted data. Methodology 3.1 Research Design This study adopts an experimental research design to analyze the influence of hybrid cryptographic techniques used in ransomware on digital forensic investigation. A controlled ransomware simulation was developed to encrypt different file types using a combination of symmetric AES and asymmetric encryption RSA techniques. The experiment actually focuses on measuring changes in file characteristics such as entropy and encryption time before and after encryption. 3.2 System Overview The system developed in this research simulates ransomware behavior by encrypting files within a designated folder. The system uses a hybrid encryption strategy, where Advanced Encryption Standard (AES) is used for file encryption which is the symmetric encryption, and Rivest Shamir Adleman (RSA) is used to encrypt the AES key that is the asymmetric encryption. The encrypted files and associated cryptographic keys are stored for further forensic analysis. Furthermore, the system records essential metrics such as entropy and encryption time for each processed file. 3.3 Dataset The variety or diversity of file types ensures that the experiment illustrates the outcome of encryption across different data structures and formats. Table 1 Distribution of sample file types used for ransomware encryption simulation File Type File Extension Number of Files Purpose in Experiment Image .jpg, .png 6 Represent common multimedia image files Document .pdf 5 Represent widely used document files Spreadsheet .xlsx 4 Represent structured data files Text Data .csv 3 Represent data storage and dataset files Word Document .docx 5 Represent office document files Presentation .pptx 5 Represent presentation files Audio .mp3 5 Represent multimedia audio files Video .mp4 5 Represent large multimedia files Text File .txt 4 Represent simple text-based The dataset used in this study consists of 33 sample files of different formats to simulate real-world user data or information, furthermore the dataset are from my system. These include: • Image files (.jpg) • Image file(.jpeg) • Audio files (.mp3) • Video files (.mp4) • Document files (.docx) • Presentation files (.pptx) • Text files (.txt) • Excel file (.xlsx) data The experiment used multiple types of file formats to simulate realistic user data that may exist on a victim’s system which is named as “TestFile” in the work. These files types include documents (.docx, .pdf, .txt), multimedia files (.mp3, .mp4), spreadsheets and structured (.csv, .xlsx) data files. Using different file formats helps examines how hybrid encryption affects various data structures during ransomware attacks. 3.4 Implementation of Hybrid Encryption Python programing language and the PyCryptodome cryptographic library which is also located in python were used to make the hybrid encryption system. AES encryption was used to encrypt the files of the victim, and RSA encryption was used to protect the AES key. During the encryption process, the original files located in the victim folder were read by the program and encrypted using AES. Instead of substituting the original files, the system then generated new encrypted files with the extension . encrypted for each and every files. Moreover, the AES encryption key was encrypted using RSA and stored separately as a . key file. This method which is illustrated in Fig. 2 allows the preservation or keeps the original dataset while generating encrypted outputs for analysis. The encryption process also recorded important metrics such as entropy values of before and after encryption together with encryption time, which were stored in a CSV file which is named as “result.csv” for further analysis. Table 2 Experimental parameters used for implementing the hybrid ransomware encryption simulation Parameter Description Value / Tool Used Programming Language Language used to implement the ransomware simulation Python Cryptographic Library Library used to implement encryption algorithms PyCryptodome Symmetric Encryption Algorithm Algorithm used to encrypt file data AES (Advanced Encryption Standard) AES Key Length Size of the symmetric encryption key 128-bit Asymmetric Encryption Algorithm Algorithm used to encrypt the AES key RSA RSA Key Length Size of the asymmetric encryption key 2048-bit Encryption Mode Mode used for AES encryption AES EAX Mode Dataset Location Folder containing sample files for the experiment TestFiles Number of Sample Files Total number of files used in the experiment 40 + Files Output Files Files generated after encryption Encrypted files and .key files Result Storage Format used to store experimental results CSV File Evaluation Metrics Metrics used for analysis Entropy, Encryption Time Table 2 above actually summarizes the key parameters and tools used in the implementation of the ransomware simulation. The experiment was developed using Python programming using PyCryptodome library to implement hybrid encryption (RSA and AES algorithms). The configuration ensures secure encryption while permitting the measurement of important forensic variable such as entropy of encryption (before and after) and encryption time. 3.4.1 Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) is a symmetric encryption algorithm which is widely used for securing digital data or information. In AES, the same secret key is used for both encryption and decryption processes[ 16 ]. The encryption process can be mathematically represented as[ 17 ] in Eq. ( 1 ): $$\:\:\:\:\:\:C=AES(K,P)$$ 1 where, C is Ciphertext of encrypted data P is Plaintext of original file K is Secret encryption key This process or procedure uses the AES symmetric key to change the original plaintext data into ciphertext that is unreadable format. Because of its excellent resilience to cryptographic attacks and high efficiency, AES is widely used. 3.4.2 Rivest–Shamir–Adleman (RSA) Key Encryption RSA is an asymmetric cryptographic algorithm is a type of cryptographic algorithm that uses a pair of keys consisting of a public key and a private key. In modern ransomware systems, RSA is commonly used to encrypt the symmetric key generated by AES[ 11 ]. The RSA formular [ 17 ] is shown in Eq. (2): where, C is the Encrypted message M is original message or data e is public key exponent n is RSA modulus RSA ensures that the AES encryption key remains protected, since only the corresponding private key can decrypt it. 3.4.3 Entropy Analysis In these experiment Shannon Entropy is used to calculate the entropy of each file before and after encryption[ 18 ]. Shannon Entropy refers to a specific measure of randomness, additionally it used to express the information content. This value basically indicates how predictable a given byte in the file is based on bytes that came before it [ 19 ] [ 20 ]. Eight bits of entropy per byte, which indicates total randomness, is the highest amount of entropy that can exist per byte. The generally accepted formula for Shannon entropy (H)[ 19 ] is express in Eq. (3): \(\:H\left(X\right)=\:-\) Σ p(xi) log2 p(xi) (3) where H(X) is Entropy (measure in bits) p(Xi) is the Probability of occurrence of byte value xi log₂ = Logarithm base 2 Higher entropy values indicate a greater level of randomness, which is characteristic of encrypted data. 3.5 Experimental Procedure The experiment was carried out step by step. First, all the sample files were placed inside a folder named “TestFile” The encryption program was then executed to process each file in that folder. Before encryption, the entropy of each file was calculated. After that, the file was encrypted using the hybrid encryption method. Once encryption was completed, the entropy was calculated again. The time taken to encrypt each file was also recorded. All the results were saved into a CSV file for further analysis. 3.6 Evaluation Metrics The following metrics were used to evaluate the impact of encryption: Entropy : Entropy is used to measure the randomness of file data. Higher entropy indicates or implies stronger encryption and increased difficulty for forensic analysis or investigation[ 19 ]. Encryption Time : This actually measure the time take to encrypt each file in the folder or in a system and it also used to indicate system performance[ 19 ]. File Type Analysis : File type analysis or comparison is used to observed how different file formats behave under encryption[ 11 ]. These metrics are useful in understanding both the effectiveness or stronger of the encryption techniques and their impact on digital forensic investigations. Results and Analysis 4.1 Experimental Results The experiment or work was conducted using a 42 dataset of files consisting of different file types including multimedia (.mp3, .mp4, .png, .jgp), documents (.docx, .txt, .pdf), and structured data (.csv, .xlsx) file. Each file was encrypted using the hybrid cryptographic (AES + RSA) model implemented in this research. The entropy values of the files were measured before and after encryption, and the encryption time was recorded. The results actually show a significant increase in entropy after encryption. The average entropy value increased from 7.31 before encryption to 7.93 after the files is been encrypted. Many encrypted files reached entropy values close to 8, which indicates a high level of randomness typical of encrypted data. 4.2 Entropy Analysis This experiment's entropy analysis highlights that the hybrid encryption method successfully changed structured files into extremely random ciphertext. The minimum entropy observed before encryption was 3.30, while the maximum entropy after encryption reached 8.00. This reveals that the encryption algorithm successfully removed detectable patterns from the original data. Digital forensic investigators regularly use high entropy values, which are always linked with the encrypted files, as a sign of possible ransomware procedure. The entropy values that were produce from the result outcome of the sample files before and after encryption are illustrated in Fig. 3 . The outcomes indicates that the entropy values of all files significantly increased after the encryption process of each file. In most cases, the entropy approached the theoretical maximum value of 8, indicating that the hybrid encryption method produced highly randomized ciphertext (encrypted message). 4.3 Encryption Performance Analysis The encryption of files in the group “TestFile” was observed in terms of time elapsed to encrypt each file. The results specifically shows that the average encryption time was approximately 0.047 seconds per file. Most files were encrypted within a second, indicating that the hybrid encryption approach provides efficient performance. RSA is only used to encrypt the AES key, which reduce computational overhead, while the use of AES for file encryption in this work ensures high-speed processing. Figure 4 above illustrates the encryption time recorded for each sample file during the hybrid encryption process. The outcome actually indicate that the encryption operation was completed within a very specific short period time for all file types including document, multimedia, and etc. In fact, it demonstrating the efficiency of the implemented hybrid encryption scheme or method. Although slight variations in encryption time can be observed among the files, these differences are mainly influenced by factors such as file size and data structure. The findings shows that how successful AES works for encrypting file of different type, which provides fast encryption performance within a short period of time, while RSA is used to secure the encryption key without significantly increasing computational overhead. Generally, the results confirm that the hybrid encryption approach is capable of encrypting multiple file types efficiently while maintaining strong cryptographic protection. 4.4 Summary of Experimental Results Table 3 Summary of Encryption Impact on Sample Files Parameter Before Encryption After Encryption Observation Average File Entropy 7.32 7.94 Significant increase in entropy indicating strong encryption randomness File Structure Structured and readable Highly randomized Encryption makes files unreadable without the key Encryption Time Not applicable 0.047 seconds (average) Hybrid encryption performs very fast The summary results presented in Table X show that encryption significantly increased the entropy of the files from an average value of approximately 7.32 to about 7.94 after encryption. A number of factors suggest that files have become highly random, which is consistent with the creative application of the majority of available cryptographic techniques. This demonstrates that the hybrid encryption method is capable of processing encrypted files very quickly and can encrypt each file in just over 0.047 seconds on average. Therefore, it can be concluded that the AES - RSA hybrid encryption approach successfully simulates what modern ransomware uses for its encrypted files. 4.5 File Type Encryption Behaviour Table 4 Encryption Behaviour Across Different File Types File Type Example Extensions Number of Files Average Entropy Before Encryption Average Entropy After Encryption Observation Document Files .docx, .txt, .pdf 10 Low to moderate Very high (~ 7.9–8.0) Files became completely unreadable after encryption Image Files .jpg, .jpeg 5 Moderate Very high (~ 7.9–8.0) Image structure lost due to encryption Audio Files .mp3 3 High Very high (~ 7.9–8.0) Encrypted audio cannot be played Video Files .mp4 5 High Very high (~ 7.9–8.0) Video data fully randomized Data Files .csv, .xlsx 4 Moderate Very high (~ 7.9–8.0) Structured data converted into random encrypted format The results presented in Table X show that hybrid encryption had a similar effect across all file categories used in the experiment. Prior to encryption, the contents of many files reflected a relative level of structure resulting in low entropy values. After encryption, however, the entropy values had increased to nearly maximum levels of randomness, signifying that the encryption process had successfully converted the original file contents to highly randomized ciphertext. As a consequence, accessing and reading the data files would not be possible without the proper key with which to decrypt the data. 4.6 Discussion of Findings The results of the experiment indicate that different file types composed of multiple file types demonstrate similar behaviors when employing hybrid cryptographic techniques through the AES - RSA hybrid model. The result indicates a clear transform in the entropy of the files (before and after) the encryption process. The most obvious result of the experiment is that the entropy values went up after encryption. Before encryption, the amount of entropy in a file changed based on what type it was. Some files, like spreadsheets and papers, had lower entropy values because they had clear and organized data. After encryption, though, the entropy values of almost all files got closer to the maximum entropy value which is 8. This change shows that the encryption process turned the original files into very random data. Files that have been encrypted often indicates a lot of unpredictability, which means that the hybrid encryption architecture is working as it should which means is working appropriately. Another important thing to note is how well the encryption process works. The recorded encryption time shows that most files were encrypted in a very short amount of time. This result shows how well AES works for encrypting files. AES is fast, which makes it a good choice for encrypting a lot of data. In this study's hybrid encryption model, RSA was only used to encrypt the AES key, not the whole file. This design cuts down on the amount of work that needs to be done by computers and makes the encryption process more efficient as a whole. The results also show that even though the files were originally different in type and structure, the encrypted versions of these files seem to have the same amount of entropy. This means that the encryption process takes away most of the patterns that can be seen in the data, making it hard to tell what the file's original structure was after it has been encrypted. Furthermore, the results that is generated actually indicates both difficulties and prospects from the point of view of digital forensics. On the one hand, forensic investigations or experts can use the high entropy values seen in encrypted files as an indicator. To find files that might have been encrypted by ransomware, investigators frequently examine file entropy. However, using hybrid encryption (AES + RSA) makes it much harder to recover the original data if you don't have the decryption key. The reasons behinds this is that RSA protects the key that encrypts the file, while AES encrypts the file's contents very well. The study's overall conclusions show that hybrid encryption can effectively increase file randomization while preserving effective performance. These traits contribute to the explanation of why a lot of contemporary ransomware variations use hybrid cryptographic methods to protect encrypted files and stop illegal recovery. 1. Proposed Forensic Recommendations Based on the experimental results obtained in this study, several recommendations can be proposed to support digital forensic investigators when dealing with ransomware incidents that use hybrid cryptographic techniques. First, forensic experts should consider entropy analysis as an early detection method when examining suspicious files in a system. The results of this research show that encrypted files produced by hybrid encryption tend to have entropy values close to the maximum value of 8, which actually show a greater level of randomness. Therefore, entropy analysis can be used as a metrics to identify files that may have been encrypted by ransomware during forensic investigations. Another point is that, investigators should concentrate on the collection and preservation of cryptographic key artefacts during incident response. Most modern ransomware uses AES to encrypt files and RSA to protect the encryption keys. The reason behind it is that, recovery the AES key back is often the only way to get back encrypted data. When investigating a system shortly after an attack, memory forensics on the system as well as analysis of log files and temporary files can point toward the possible existence of keys. In addition, forensic analysis can help locate files or file behaviours that may be suspicious or malicious, as well as encrypting patterns. For example, monitoring for significant variations in file entropy, such as sudden increases or periods of high activity, or unusual file types will assist an investigator in identifying ransomware-related activity sooner. In addition, organizations should implement regular system backups and strong incident response strategies that will assist them to identify any kind of attack that will cause them financial loss. Reliable backups can make ransomware attacks much less harmful by letting systems be restored without having to pay the ransom. Finally, further research should explore more advanced forensic techniques such as memory forensics, behavioral analysis, and machine learning approaches for detecting ransomware encryption activities. These methods may provide additional capabilities for identifying ransomware attacks and supporting forensic investigations in complex cybercrime cases in order to extract malicious file. Conclusion and Future Work 6.1 Conclusion This experiment examines the cryptographic techniques employed in ransomware and their ramifications for digital forensic investigation. The study implemented a hybrid encryption model combining the Advanced Encryption Standard (AES) and the Rivest–Shamir–Adleman (RSA) algorithm to simulate the encryption mechanism commonly used in modern ransomware attacks which is among the most dangerous cybercrime in the world. The main objective of the work was to examine how hybrid encryption affects file entropy and encryption performance across different and multiple file types. The results of this research actually showed that the entropy values of the files increased significantly after encryption. In most cases, the entropy values approached the theoretical maximum value of 8, which indicates a high level of randomness in the encrypted data. This demonstrates that the hybrid encryption process effectively changes structured files into highly randomized ciphertext, which eventually making it more difficult to identify patterns in the encrypted data or files. The performance analysis also shows that the encryption process finished very quickly for most files. The results show that using AES to encrypt file contents speeds up processing, while RSA is only used to encrypt the AES key. This hybrid design lets the system be both very safe and very fast. From a digital forensic perspective, the findings indicates that entropy analysis can be useful in identifying encrypted files during ransomware investigations that is when expert analyzed the system. However, the use of hybrid encryption significantly increases the difficult in recovering the data that was encrypted without access to the decryption keys. This explains why modern ransomware families adopt hybrid cryptographic techniques to secure victim files and prevent unauthorized decryption. This research work has some limitations that should be accepted or acknowledge. Conducting experiments with a controlled dataset of sample files on my computer instead of real-world samples of ransomware using an implemented hybrid encryption model that simulates how ransomware operates but does not replicate all operational characteristics of any of the real ransomware families. Future research could include using real malware samples and larger datasets for more thorough forensic analyses. This work demonstrates that hybrid Encryption is highly efficacious in terms of both cryptography protection and speed when compared to traditional methods; thus, hybrid encryption was chosen as the most robust form of cryptographic protection for use with Ransomware attacks in today’s world and so forth. 6.2 Future Work Although this research work provides useful knowledge or insights into hybrid encryption techniques used in ransomware, several areas remain open for further investigation. A potential avenue for future research may explore more advanced forensic analyses for detection of Ransomware activity; these include Memory Forensics/Behavioral Analysis techniques, which could aid Investigators/Experts in identifying an encryption process while it is still ongoing during attacks. Another area of potential future work would be automated detection systems, which use Entropy Analysis and Machine Learning methods to detect files that are currently being encrypted by ransomware in “real-time,” thereby, improving an organization’s ability to detect ransomware in the early stages of an attack. In addition, future studies could expand the experimental dataset by including a larger number of files and additional file formats. This would allow researchers to evaluate the performance and behavior of hybrid encryption techniques across a broader range of data types. Finally, further research could investigate possible strategies for improving digital forensic recovery techniques in ransomware incidents, including the analysis of memory artifacts and key management mechanisms. References Nagar G (Jun. 2024) The Evolution of Ransomware: Tactics, Techniques, and Mitigation Strategies. Int J Sci Res Manag IJSRM 12(06):1282–1298. 10.18535/ijsrm/v12i06.ec09 Hartono B, Zaejuli H (Jan. 2025) Analysis Of The Development Of An Early Detection System For Cryptographic-Based Ransomware Attacks In A Cloud Environment. J Impresi Indones 4(1):996–1002. 10.58344/jii.v4i1.6188 Nayak SC, Tiwari V, Samanthula BK Review of Ransomware Attacks and a Data Recovery Framework using Autopsy Digital Forensics Platform, in (2023) IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC) , Las Vegas, NV, USA: IEEE, Mar. 2023, pp. 0605–0611. 10.1109/CCWC57344.2023.10099169 Berrueta E, Morato D, Magana E, Izal M (2019) A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access 7:144925–144944. 10.1109/ACCESS.2019.2945839 Prasetyo SE, Aripradono HW, Ricardo (2025) Ransomware Attack Analysis in Cybersecurity, J. E-Komtek Elektro-Komput.-Tek. , vol. 9, no. 1, pp. 302–312, Jul. 10.37339/e-komtek.v9i1.2279 Monika P, Zavarsky, Lindskog D (2016) Experimental Analysis of Ransomware on Windows and Android Platforms: Evolution and Characterization. Procedia Comput Sci 94:465–472. 10.1016/j.procs.2016.08.072 Begovic K, Al-Ali A, Malluhi Q (Sep. 2023) Cryptographic ransomware encryption detection: Survey. Comput Secur 132:103349. 10.1016/j.cose.2023.103349 Chen Q, Bridges RA Automated Behavioral Analysis of Malware A Case Study of WannaCry Ransomware, Sep. 25, 2017, arXiv : arXiv:1709.08753. 10.48550/arXiv.1709.08753 Ogunseyi TB, Adedayo OM (2023) Cryptographic Techniques for Data Privacy in Digital Forensics. IEEE Access 11:142392–142410. 10.1109/ACCESS.2023.3343360 Kuswanto D (Jul. 2020) Cryptograph Rsa and Compression Shannon Fano Text File Services at Mobile Devices. J Phys Conf 1569(2):022079. Ser. 10.1088/1742-6596/1569/2/022079 Kumar A, Singh P, Kamble DP, Singh I (Oct. 2025) Hybrid cryptographic approach for strengthening IoT and 5G/B5G network security. Sci Rep 15(1):37971. 10.1038/s41598-025-21861-2 Hilaw C, Fotheringham M, Pemberton C, Sanderson D Introducing a Multi-Dimensional Cryptographic Behavioral Analysis Framework for Ransomware Detection, Dec. 03, 2024, In Review . 10.21203/rs.3.rs-5540978/v1 Osamor J et al (2025) Ethical Implications of WannaCry: A Cybersecurity Dilemma, Int. Conf. Cyber Warf. Secur. , vol. 20, no. 1, pp. 354–360, Mar. 10.34190/iccws.20.1.3353 De Loaysa Babiano LF, Macfarlane R, Davies SR (Sep. 2023) Evaluation of live forensic techniques, towards Salsa20-Based cryptographic ransomware mitigation. Forensic Sci Int Digit Investig 46:301572. 10.1016/j.fsidi.2023.301572 Davies SR, Macfarlane R, Buchanan WJ (Jun. 2020) Evaluation of live forensic techniques in ransomware attack mitigation. Forensic Sci Int Digit Investig 33:300979. 10.1016/j.fsidi.2020.300979 Algorithms (Jul. 2022) Detection and Prevention of Ransomware Attacks using AES and RSA. J Digit Sci Technol 1(1):1–9. 10.59232/DST-V1I1P101 Şimşek H, Öncel ÖF (Jun. 2025) Fuzzy security level metric of hybrid cryptosystem algorithms. J Supercomput 81(9):1057. 10.1007/s11227-025-07547-6 Zhang W, Li X, Zhu T Entropy and Memory Forensics in Ransomware Analysis: Utilizing LLaMA-7B for Advanced Pattern Recognition Davies SR, Macfarlane R, Buchanan WJ (2022) Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification, Entropy , vol. 24, no. 10, p. 1503, Oct. 10.3390/e24101503 Manoj M, Rani VG (May 2022) Ransomeware classification using fuzzy neural network algorithm. Int J Health Sci 11268–11278. 10.53730/ijhs.v6nS2.8026 Additional Declarations The authors declare no competing interests. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-9304413","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":616695361,"identity":"e9541a36-0b8f-4ad0-a018-5cece9c37dce","order_by":0,"name":"Usman","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABCElEQVRIiWNgGAWjYNACgwMMDBKMDQwfeGzkQPwDD4jVwjhDJs0YrCWBsDUgLQwMzDw2hxMbQHx8WgzOn078XFBwJ59/dnPrxhk5h9Pnhx1+CLTFTk63AYeWG7mbpWcYPLOccedg240PZ9JzN95OMwBqSTY2O4BLC+8GaR6DwwYMNxLbbs7ssc7dODsBpOVA4jZcWs6f3fwbpEUeqOU27z/mdMPZ6R/wazmQuw1siwFICw+Pc4K8dA5+WyRv5G6z5jF4ZmAIctgMnjTDDdI5BQcSDHD7hQ/osNs8f+4YyN1If3YDGJXy8rPTN3/4UGEnh0sLNqeCSWKVg4B8AymqR8EoGAWjYCQAAL0bbZ8LmDBuAAAAAElFTkSuQmCC","orcid":"https://orcid.org/0009-0001-6445-1973","institution":"Shobhit University","correspondingAuthor":true,"prefix":"","firstName":"","middleName":"","lastName":"Usman","suffix":""},{"id":616695362,"identity":"2720f26f-ce4e-4627-a356-d8ee81406d05","order_by":1,"name":"Mamta Bansal","email":"","orcid":"https://orcid.org/0000-0002-6321-4204","institution":"Shobhit University","correspondingAuthor":false,"prefix":"","firstName":"Mamta","middleName":"","lastName":"Bansal","suffix":""}],"badges":[],"createdAt":"2026-04-02 14:34:02","currentVersionCode":1,"declarations":{"humanSubjects":false,"vertebrateSubjects":true,"conflictsOfInterestStatement":false,"humanSubjectEthicalGuidelines":false,"humanSubjectConsent":false,"humanSubjectClinicalTrial":false,"humanSubjectCaseReport":false,"vertebrateSubjectEthicalGuidelines":true},"doi":"10.21203/rs.3.rs-9304413/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-9304413/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":106094341,"identity":"ebf051e5-1a8e-444a-be09-bfca26bfe90b","added_by":"auto","created_at":"2026-04-03 11:42:13","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":200783,"visible":true,"origin":"","legend":"\u003cp\u003eSteps in ransomware activity\u003c/p\u003e","description":"","filename":"1.png","url":"https://assets-eu.researchsquare.com/files/rs-9304413/v1/a3b02cc26815c22d90cfc8f1.png"},{"id":106094181,"identity":"653f5462-d6e6-45ee-b818-0c76bff0a654","added_by":"auto","created_at":"2026-04-03 11:41:30","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":206803,"visible":true,"origin":"","legend":"\u003cp\u003eHybrid Encryption Model\u003c/p\u003e","description":"","filename":"2.png","url":"https://assets-eu.researchsquare.com/files/rs-9304413/v1/51f1198e72476893cfd21b0b.png"},{"id":106072100,"identity":"eb8047c9-4668-410f-a7f3-7dc4dcb8459c","added_by":"auto","created_at":"2026-04-03 06:45:35","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":200633,"visible":true,"origin":"","legend":"\u003cp\u003eEntropy comparison of sample files before and after hybrid encryption\u003c/p\u003e","description":"","filename":"3.png","url":"https://assets-eu.researchsquare.com/files/rs-9304413/v1/59e21510a14363d5ec1eae9b.png"},{"id":106095101,"identity":"420f0479-4058-4ec6-84be-c6efd181b3b5","added_by":"auto","created_at":"2026-04-03 11:44:22","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":68554,"visible":true,"origin":"","legend":"\u003cp\u003eEncryption Time for Sample Files\u003c/p\u003e","description":"","filename":"4.png","url":"https://assets-eu.researchsquare.com/files/rs-9304413/v1/991508e86075104532f45931.png"},{"id":106401940,"identity":"777e5df1-6469-4334-b3df-402cabfb386e","added_by":"auto","created_at":"2026-04-08 09:10:19","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":1664317,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-9304413/v1/ec429bb5-2080-4119-b6e1-6c10abbbaa1d.pdf"}],"financialInterests":"The authors declare no competing interests.","formattedTitle":"\u003cp\u003e\u003cstrong\u003eAn Experimental Analysis of Cryptographic Techniques Used in Ransomware and Their Impact on Digital Forensic Investigation\u003c/strong\u003e\u003c/p\u003e","fulltext":[{"header":"Introduction","content":"\u003cdiv id=\"Sec2\" class=\"Section2\"\u003e \u003ch2\u003e1.1. Background of the study\u003c/h2\u003e \u003cp\u003eRansomware attack has grown to be a significant online threat over the past several decades. The AIDS Trojan, which was developed in the late 1980s, is part of the historical development of ransomware attack. Despite being less advanced than later evolution, it was the earliest known instance of ransomware. Examining the development of basic encryption malware reveals a number of important turning points, including the 2013 release of CryptoLocker [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e]. Significant economic losses occur globally as a result of a phenomena in which a criminal uses encryption to hold crucial data hostage until the victim pays a ransom. Sensitive data can be accessed and encrypted by ransomware intruders, but the trend also introduces a new vulnerability [\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eRansomware, a special type of malware, is designed to encrypt data on a system and then demand ransom payments in exchange to regain control of the system [\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e]. That is, a victim\u0026rsquo;s device is deceptively infected with ransomware to demand money and threaten to publish the victim\u0026rsquo;s data or make the data unavailable permanently. The files cannot and should not be recovered without paying the ransom since new generation ransomware uses advanced encryption. Additionally, it uses the Ransomware-as-a-Service (RaaS) paradigm, which makes ransomware available to everyone because it is easy to use and doesn't require a lot of hacking knowledge. The rise of cryptocurrencies like Bitcoin, which allow attackers to accomplish their goals through anonymous ransom payments, has made the situation worse [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eAs ransomware progress, attackers started encrypting files of a victim device using stronger encryption methods like AES and RSA which are the modern method of ransomware. This change greatly increased the pressure to yield with the attackers' demands by making it practically hard for victims to decrypt their data without paying the ransom. Later on the invention of modern ransomware incorporated the use of a hybrid encryption system that comprises both asymmetric and symmetric encryption [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e], [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e].\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec3\" class=\"Section2\"\u003e \u003ch2\u003e1.2 Problem Statement\u003c/h2\u003e \u003cp\u003eThe increasing use of hybrid cryptographic techniques in ransomware attacks presents critical challenges for digital forensic investigations whereby investigators find it difficult to analyze and recover data or file from the ransomware attacker. Modern ransomware uses asymmetric encryption (like RSA) to secure the encryption keys and symmetric encryption (like AES) to encrypt victim files, making data recovery extremely challenging without access to the secret key. Although hybrid encryption is always used in ransomware, little experimental research has shown how it changes or alter file entropy, encryption performance, and forensic detectability.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec4\" class=\"Section2\"\u003e \u003ch2\u003e1.3 Research Aim and Objectives\u003c/h2\u003e \u003cp\u003eThis research aims to simulate hybrid encryption techniques and analyze their forensic implications through controlled experimentation. The main objectives of this works are; implement hybrid encryption (AES\u0026thinsp;+\u0026thinsp;RSA) on selected sample files to simulate ransomware behavior, measure and analyze file entropy, encryption time, and file size changes before and after encryption, evaluate the forensic detectability of hybrid-encrypted files using entropy and file metadata and lastly, provide insights on the challenges hybrid encryption poses to digital forensic investigations.\u003c/p\u003e \u003cp\u003e \u003cb\u003e1.4 Research Questions\u003c/b\u003e \u003c/p\u003e \u003cp\u003e \u003col\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eHow does hybrid encryption (AES\u0026thinsp;+\u0026thinsp;RSA) used in ransomware affect the entropy of victim files?\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eHow does using hybrid encryption affect the size and performance of encrypted files depending on what type of file is involved?\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eHow easily can hybrid encryption be detected by forensic means such as metadata inspection and entropy analysis?\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eWhat barriers might exist for forensic investigators wishing to recover files that have been encrypted with hybrid encryption (e.g. ransomware)?\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003c/ol\u003e \u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec5\" class=\"Section2\"\u003e \u003ch2\u003e1.5 Research Contribution\u003c/h2\u003e \u003cp\u003eThe findings of this research project are generally summarized as follows:\u003c/p\u003e \u003cp\u003e \u003col\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eThe authors of this report have implemented a Hybrid Encryption Model (AES\u0026thinsp;+\u0026thinsp;RSA) and simulated it against the encrypting behaviors of ransomware that is currently being used in the current cybercrime landscape.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eThis research evaluated through experimental testing how Hybrid Encryption will impact various file types (e.g. documents, images, audio, video, and structured data) regarding the manner in which they become encrypted by applying Hybrid Encryption techniques.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eThe study evaluates the forensic implications of ransomware encryption by measuring entropy variation, encryption time, and file size changes before and after encryption.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eThe work provides practical insights that may assist digital forensic investigators in detecting ransomware-encrypted files using entropy and metadata analysis.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003c/ol\u003e \u003c/p\u003e \u003c/div\u003e "},{"header":"Literature Review","content":"\u003cdiv id=\"Sec6\" class=\"Section2\"\u003e \u003ch2\u003e2.1 Overview of Ransomware\u003c/h2\u003e \u003cp\u003eRansomware is a type of cyberattack that encrypts the victim's data and prevents access unless the victim pays the attacker a ransom. Ransomware sneaks onto a victim's device to demand money and threaten to publish the victim's data or render it permanently unusable[\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e]. In this attack, hackers infiltrate security vulnerability in information systems to infect the victim\u0026rsquo;s devices and secretly encrypt the data. The frequency and complexity of ransomware assaults are still evolving. Attackers use advanced technology, psychological manipulation methods (social engineering), and system flaws to carry out their attacks [\u003cspan citationid=\"CR5\" class=\"CitationRef\"\u003e5\u003c/span\u003e]. According to [\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e], refers ransomware as a form of malicious code or malware that infects a computer and spreads rapidly to encrypt the data or to lock the machine.\u003c/p\u003e \u003cp\u003eUsers are unable to access their data due to this infection, and the attackers require payment from the victim to unencrypt and make their files available. Ransomware is currently attacking organizations and individuals globally, and the payment is frequently sought in Bitcoin or other untraceable cash. Ransomware's primary goal is to use malware to maximize revenue. It prevents victims from making payments by locking the system or encrypting the data, and occasionally it threatens to reveal private information to the public if payment is not made. Although they employ different types of payloads, all ransomware families exhibit very identical behaviors[\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eThere are different types of ransomware attack including crypto-ransomware, and Master Boot Record (MBR) Ransomware, locker ransomware. According to [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e], define crypto-ransomware as a process where by an intruder encrypts user files and asks for a payment to provide the decryption key. Encryption keys and the assault coordination are chosen by a command-and-control server. CryptoWall, CryptoLocker, TeslaCrypt, and CTB Locker are some well-known examples of Crypto ransomware[\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e]. Locker ransomware actually looks for files with certain extensions that perform basic functionalities on the compromised system and encrypts them. Upon locking (or encrypting) these data files using AES encryption, it will display a popup message with the ransom demand and details on infections. Specifically, the message includes information about the file system corruption, along with the payment details and a demand for 0.1 BTC in ransom. Although Locker ransomware typically targets non-critical system files, it still causes significant disruption to business operations[\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e], [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e]. MBR ransomware came into existence in 2010, This type of ransomware replaces the original MBR with its own code and then locks the user from accessing its services. It never encrypts file and displays the ransom message at computer boot-up time [\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e].\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eThe above diagram which is Fig.\u0026nbsp;\u003cspan refid=\"Fig1\" class=\"InternalRef\"\u003e1\u003c/span\u003e indicates the ransomware families and how they implement each step starting from 1 to 5. The detection techniques take advantage of known ransomware behavior during one or more of the above-mentioned steps. Infection stage is carried out following the same procedures as any malware. The infector vectors are Spam, corrupted web pages, vulnerability (loopholes in a system), phishing. Contact C\u0026amp;C server comprises the actions a ransomware performs which require Internet access and are previous to the data encryption phase. It contacts a C\u0026amp;C server or a cluster of servers. A C\u0026amp;C server is an Internet host or set of hosts that manage malware actions, distribute command and collect information from victims. Step 3 which is Encryption keys management is type of encryption algorithm used by a ransomware and the key management strategy determine the presence of the decryption key in a user\u0026rsquo;s machine. Data encryption is the main task in a ransomware lifecycle is encrypting the content of user files, rendering them unusable unless the user pays a ransom to obtain the decryption key. The last stage is extortion the malware asks for payment of a ransom. The most frequent technique is the creation of text files, HTML documents, or image files inside the directories where the files were encrypted. In these files the hacker informs the user as to what has occurred and what the user must do to recover one\u0026rsquo;s files. Some strains of ransomware use system calls to change the computer desktop background or lock access to the computer and show only the ransom information [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e].\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec7\" class=\"Section2\"\u003e \u003ch2\u003e2.2 Evolution of Ransomware\u003c/h2\u003e \u003cp\u003eThe AIDS Trojan PC in the Cyborg release or came into existences in the year of 1989 is credited with creating ransomware. During the World Health Organization's AIDS conference, 20,000 floppy discs labelled \"AIDS Information\u0026mdash;Introductory Diskettes\" were used to transmit this ransomware by Dr. Joseph Popp, a biologist with training from Harvard. The virus was put into hidden mode after installing the compromised disc in the sense that I can\u0026rsquo;t no easily to detect, and it stayed hidden in the system for ninety reboots before encrypting the filenames on a computer hard drive. In order to release the decryption key, the attacker will the asked user to send \u003cspan\u003e$\u003c/span\u003e189 to a PO box located in Panama. The AIDS Trojan presented the basic idea of ransomware: it transmitted the data in encrypted form and then requested that the owner of the data pay a ransom to have his data freed. Despite being very simple by today's standards, it was swiftly neutralized.\u003c/p\u003e \u003cp\u003eIn mid-2000, ransomware reappeared with even more sophisticated techniques and increased levels of stealth. During this time, professionally crafted strategies and operations replaced simple, unprofessional techniques. Gpcode came in in 2004 through the point-of-sale purchase model, it locked the file with RSA encryption instead used of AES encryption. The used of RSA made it more difficult for users to decrypt the locked file after encrypted [\u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e]. In 2006 Archivius was further demonstrates as ransomware where files were encrypted using the strongest RSA-1024 encryption model. It accomplished this by using the \"phishing\" technique, which involves spicing up emails to look authentic. Later ransomware assaults used a similar technique.\u003c/p\u003e \u003cp\u003eLater on, Advent of Cryptographic Ransomware was released at the late of 2000s to Early 2010s including CryptoLocker and CryptoWall. One could characterise CryptoLocker (2013) as the \"Second Generation\" of ransomware. It used AES-256 and RSA-2048 encryption to encrypt information and demanded a ransom in Bitcoin while making money off of the technology that allowed the currency to remain anonymous [\u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e]. Phishing emails with attachments containing the encryption Trojan were the main method used to spread CryptoLocker. Millions of people's devices were impacted over the course of several months, generating hundreds of millions of dollars in ransom payment. After CryptoLocker, CryptoWall is another significant ransomware threat that was published in 2014. In order to get around the security software, it integrated some disguise and protection with decoding features, but it used the same encryption algorithms and distribution channels. Therefore, the CryptoWall ransomware demonstrated positive outcomes in its operations, further demonstrating that ransomware is a lucrative enterprise for criminals [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eRansomware-as-a-service (RaaS) emerged in the mid-2010s, making it easier for a larger community to control ransomware creation, distribution, and targeting. Tox (2015) was among the first providers of ransomware as a service (RaaS), which enables anyone to start distributing ransomware by just registering with them. The Tox developers stated that the payment method was encrypted, but they also received a portion of the ransom, making both the hacking attempts and the business of developing these platforms profitable for all. Another popular RaaS was Cerber (2016), which was set up with strong encryption and regular upgrades that were typically sent via emails, phishing scams, and exploit kits. As a result, Cerber became a model of the RaaS model, sustaining the hackers' expanding assault cycle. In May 12, 2017 Wannacry or Wcry ransomware came into existence whereby the attacker compromised more than 300,000 computers in more than 150 countries. This attack impacted a number of organizations, including those in the manufacturing, oil and gas, government, healthcare, and communications sectors. Preventing WannaCry infestation is extremely difficult due to its wormlike dissemination characteristics [\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e], [\u003cspan citationid=\"CR8\" class=\"CitationRef\"\u003e8\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eDouble extortion and targeted attacks came later 2010s to Early 2020s, One of the new organizations, Maze ransomware, has been using double extortion since 2019. In addition to encrypting data, Maze took confidential information and demanded a payment to keep it secret. The likelihood of paying to address the lack of data and the possibility of data breaches is increased by these extra demands [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e].\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec8\" class=\"Section2\"\u003e \u003ch2\u003e2.3 Cryptography in Cybersecurity\u003c/h2\u003e \u003cp\u003eCryptography-based methods, which employ encryption to provide confidentiality, integrity, authentication, and nonrepudiation, are widely used in computing. As a result, their use in preventing or restricting access to information and safeguarding personal information is not new. However, the use of cryptographic approaches in digital forensics is still relatively new, with few studies concentrating on various digital forensics areas [\u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e9\u003c/span\u003e]. Encryption can be defined as a process of changing data or information from plaintext(readable) into ciphertext(unreadable). In another word, randomize data or information to prevent others from reading it [\u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e10\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eCryptographic techniques are divided into two different types namely: symmetric encryption and asymmetric encryption. Symmetric encryption is a process of using the same key for both locking data and unlocking it. The Advanced Encryption Standard (AES) is one of the most popular symmetric encryption methods due to its strength and speed of operation, and it is used frequently to protect sensitive data by quickly encrypting large amounts of information [\u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e9\u003c/span\u003e].\u003c/p\u003e \u003cp\u003ePublic or asymmetric encryption employs two separate keys for encrypting or decrypting the information: The encrypting key is known as the public key and the decrypting key is known as the private key.\u003c/p\u003e \u003cp\u003eIn contrast, asymmetric encryption, also known as public-key cryptography, uses two different keys: a public key for encryption and a private key for decryption. The Rivest\u0026ndash;Shamir\u0026ndash;Adleman (RSA) algorithm is one of the most widely used asymmetric cryptographic [\u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e10\u003c/span\u003e].\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec9\" class=\"Section2\"\u003e \u003ch2\u003e2.4 Hybrid Encryption in Ransomware\u003c/h2\u003e \u003cp\u003eModern ransomware has advanced significantly in terms of the cryptographic techniques that is used to encrypt victim data in today\u0026rsquo;s world. Early form of ransomware often relied on weak encryption methods or locally stored keys that is either primary or public keys, which made it possible for security researchers and forensic experts to recover encrypted files. However, in order to increase security of the system and prevent unwanted decryption, modern ransomware variants or types are now employ hybrid encryption approaches, which combine symmetric and asymmetric cryptographic algorithms [\u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eHybrid encryption is a cryptographic approach that merge or combines the benefits of symmetric and asymmetric encryption methods. This method uses a symmetric encryption algorithm like the Advanced Encryption Standard (AES) to encrypt the victim's files because it is fast and efficient when working with a lot of data with just one key for both encrypting and decrypting. After the files are encrypted, the symmetric encryption key is then encrypted using an asymmetric algorithm such as Rivest\u0026ndash;Shamir\u0026ndash;Adleman (RSA). The intruder either stores or sends the encrypted symmetric key, while the attacker keeps the private key needed to decrypt it [\u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e12\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eThis method gives ransomware attackers a number of benefits. First, symmetric encryption lets the malware encrypt files quickly without slowing down the system too much. Second, asymmetric encryption makes it hard to get the symmetric encryption key back without the attacker's private key. Because of this, victims can't decrypt their files unless they get the decryption key from the attacker, which usually means paying a ransom.\u003c/p\u003e \u003cp\u003eCryptoLocker, Locky, and WannaCry are three of the most well-known ransomwares that use hybrid encryption methods to protect encrypted files and stop forensic recovery [\u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e13\u003c/span\u003e]. Ransomware developers can make a very secure encryption system that is hard to break with regular forensic methods by using AES to encrypt files and RSA to protect keys.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec10\" class=\"Section2\"\u003e \u003ch2\u003e2.5 Forensic Challenges of Ransomware\u003c/h2\u003e \u003cp\u003eRansomware attacks mainly generate or create significant challenges for digital forensic investigations. One of the key difficulties comes from the use of strong cryptographic algorithms to encrypt victim files that is to make it unreadable for the user. Modern ransomware often uses a mix of algorithms like AES and RSA to encrypt files. This makes it very hard to get back encrypted data without the decryption key [\u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e14\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eAnother problem is that ransomware can encrypt a lot of files in a short amount of time, which makes it less likely that the attack will be found early. In many cases, ransomware may also delete backup copies or system recovery options to prevent victims from restoring their data.\u003c/p\u003e \u003cp\u003eIn addition, attackers also often use cryptocurrencies and anonymization techniques to hide their identities, which makes it harder for investigators to find out who did the attack. These things make ransomware a big problem for digital forensic investigators [\u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e15\u003c/span\u003e].\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec11\" class=\"Section2\"\u003e \u003ch2\u003e2.6 Summary of Literature\u003c/h2\u003e \u003cp\u003eThe literature reviewed in this research work actually highlights the increasing threat of ransomware and the important role of cryptographic techniques in modern attacks. Earlier ransomware depends or relied on weaker approached, but recent ones are now using strong encryption algorithms such as AES and RSA to secure victim files. Many modern ransomware variants implement hybrid encryption, which combines symmetric and asymmetric cryptography to achieve both efficiency and strong security in a system.\u003c/p\u003e \u003cp\u003eThe reviewed studies also indicate that these advanced encryption techniques create serious challenges for digital forensic investigations in the world. Once files are encrypted using hybrid encryption, recovering them without access to the decryption key becomes highly difficult. Although several studies have examined ransomware behavior and cryptographic mechanisms, limited experimental research has focused on analyzing the impact of hybrid encryption on file entropy and encryption performance. As a result of such an evaluation, the researchers have collected relevant data through empirical means which may assist them in establishing clear lines of cooperation between the use of Hybrid Encryption and the successful completion of forensic investigations.\u003c/p\u003e \u003cp\u003eNumerous studies have appeared regarding the evolution of Ransomware and Cryptographic Methods being employed by today\u0026rsquo;s advanced Malware. However, several studies have employed theoretical models or case studies to illustrate their findings. The authors of this study have employed experimentation to implement a Hybrid AES-RSA Encryption Model, and have used experimental data taken from actual samples to provide practical examples of the impact of present-day Cryptographic Techniques on the ability of Digital Forensic Analysts to detect and analyze Ransomware-encrypted data.\u003c/p\u003e \u003c/div\u003e"},{"header":"Methodology","content":"\u003cdiv id=\"Sec13\" class=\"Section2\"\u003e \u003ch2\u003e3.1 Research Design\u003c/h2\u003e \u003cp\u003eThis study adopts an experimental research design to analyze the influence of hybrid cryptographic techniques used in ransomware on digital forensic investigation. A controlled ransomware simulation was developed to encrypt different file types using a combination of symmetric AES and asymmetric encryption RSA techniques. The experiment actually focuses on measuring changes in file characteristics such as entropy and encryption time before and after encryption.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec14\" class=\"Section2\"\u003e \u003ch2\u003e3.2 System Overview\u003c/h2\u003e \u003cp\u003eThe system developed in this research simulates ransomware behavior by encrypting files within a designated folder. The system uses a hybrid encryption strategy, where Advanced Encryption Standard (AES) is used for file encryption which is the symmetric encryption, and Rivest Shamir Adleman (RSA) is used to encrypt the AES key that is the asymmetric encryption. The encrypted files and associated cryptographic keys are stored for further forensic analysis. Furthermore, the system records essential metrics such as entropy and encryption time for each processed file.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec15\" class=\"Section2\"\u003e \u003ch2\u003e3.3 Dataset\u003c/h2\u003e \u003cp\u003eThe variety or diversity of file types ensures that the experiment illustrates the outcome of encryption across different data structures and formats.\u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003eDistribution of sample file types used for ransomware encryption simulation\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"4\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eFile Type\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e \u003cp\u003eFile Extension\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eNumber of Files\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c4\"\u003e \u003cp\u003ePurpose in Experiment\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eImage\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.jpg, .png\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e6\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent common multimedia image files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eDocument\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.pdf\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent widely used document files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eSpreadsheet\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.xlsx\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e4\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent structured data files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eText Data\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.csv\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent data storage and dataset files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eWord Document\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.docx\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent office document files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003ePresentation\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.pptx\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent presentation files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAudio\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.mp3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent multimedia audio files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eVideo\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.mp4\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent large multimedia files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eText File\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.txt\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e4\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eRepresent simple text-based The dataset used in this study consists of 33 sample files of different formats to simulate real-world user data or information, furthermore the dataset are from my system. These include:\u003c/p\u003e \u003cp\u003e\u0026bull; Image files (.jpg)\u003c/p\u003e \u003cp\u003e\u0026bull; Image file(.jpeg)\u003c/p\u003e \u003cp\u003e\u0026bull; Audio files (.mp3)\u003c/p\u003e \u003cp\u003e\u0026bull; Video files (.mp4)\u003c/p\u003e \u003cp\u003e\u0026bull; Document files (.docx)\u003c/p\u003e \u003cp\u003e\u0026bull; Presentation files (.pptx)\u003c/p\u003e \u003cp\u003e\u0026bull; Text files (.txt)\u003c/p\u003e \u003cp\u003e\u0026bull; Excel file (.xlsx)\u003c/p\u003e \u003cp\u003edata\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eThe experiment used multiple types of file formats to simulate realistic user data that may exist on a victim\u0026rsquo;s system which is named as \u0026ldquo;TestFile\u0026rdquo; in the work. These files types include documents (.docx, .pdf, .txt), multimedia files (.mp3, .mp4), spreadsheets and structured (.csv, .xlsx) data files. Using different file formats helps examines how hybrid encryption affects various data structures during ransomware attacks.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec16\" class=\"Section2\"\u003e \u003ch2\u003e3.4 Implementation of Hybrid Encryption\u003c/h2\u003e \u003cp\u003ePython programing language and the PyCryptodome cryptographic library which is also located in python were used to make the hybrid encryption system. AES encryption was used to encrypt the files of the victim, and RSA encryption was used to protect the AES key.\u003c/p\u003e \u003cp\u003eDuring the encryption process, the original files located in the victim folder were read by the program and encrypted using AES. Instead of substituting the original files, the system then generated new encrypted files with the extension .\u003cem\u003eencrypted\u003c/em\u003e for each and every files. Moreover, the AES encryption key was encrypted using RSA and stored separately as a .\u003cem\u003ekey\u003c/em\u003e file.\u003c/p\u003e \u003cp\u003eThis method which is illustrated in Fig.\u0026nbsp;\u003cspan refid=\"Fig2\" class=\"InternalRef\"\u003e2\u003c/span\u003e allows the preservation or keeps the original dataset while generating encrypted outputs for analysis. The encryption process also recorded important metrics such as entropy values of before and after encryption together with encryption time, which were stored in a CSV file which is named as \u0026ldquo;result.csv\u0026rdquo; for further analysis.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab2\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 2\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003eExperimental parameters used for implementing the hybrid ransomware encryption simulation\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"3\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eParameter\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e \u003cp\u003eDescription\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eValue / Tool Used\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eProgramming Language\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eLanguage used to implement the ransomware simulation\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003ePython\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eCryptographic Library\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eLibrary used to implement encryption algorithms\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003ePyCryptodome\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eSymmetric Encryption Algorithm\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eAlgorithm used to encrypt file data\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eAES (Advanced Encryption Standard)\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAES Key Length\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eSize of the symmetric encryption key\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e128-bit\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAsymmetric Encryption Algorithm\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eAlgorithm used to encrypt the AES key\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eRSA\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eRSA Key Length\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eSize of the asymmetric encryption key\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e2048-bit\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eEncryption Mode\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eMode used for AES encryption\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eAES EAX Mode\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eDataset Location\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eFolder containing sample files for the experiment\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eTestFiles\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eNumber of Sample Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eTotal number of files used in the experiment\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e40\u0026thinsp;+\u0026thinsp;Files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eOutput Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eFiles generated after encryption\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eEncrypted files and .key files\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eResult Storage\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eFormat used to store experimental results\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eCSV File\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eEvaluation Metrics\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eMetrics used for analysis\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eEntropy, Encryption Time\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eTable\u0026nbsp;\u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003e2\u003c/span\u003e above actually summarizes the key parameters and tools used in the implementation of the ransomware simulation. The experiment was developed using Python programming using PyCryptodome library to implement hybrid encryption (RSA and AES algorithms). The configuration ensures secure encryption while permitting the measurement of important forensic variable such as entropy of encryption (before and after) and encryption time.\u003c/p\u003e \u003cdiv id=\"Sec17\" class=\"Section3\"\u003e \u003ch2\u003e3.4.1 Advanced Encryption Standard (AES)\u003c/h2\u003e \u003cp\u003eThe Advanced Encryption Standard (AES) is a symmetric encryption algorithm which is widely used for securing digital data or information. In AES, the same secret key is used for both encryption and decryption processes[\u003cspan citationid=\"CR16\" class=\"CitationRef\"\u003e16\u003c/span\u003e]. The encryption process can be mathematically represented as[\u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e17\u003c/span\u003e] in Eq.\u0026nbsp;(\u003cspan refid=\"Equ1\" class=\"InternalRef\"\u003e1\u003c/span\u003e):\u003cdiv id=\"Equ1\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ1\" name=\"EquationSource\"\u003e\n$$\\:\\:\\:\\:\\:\\:C=AES(K,P)$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e1\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003ewhere,\u003c/p\u003e \u003cp\u003e \u003cb\u003eC\u003c/b\u003e is Ciphertext of encrypted data\u003c/p\u003e \u003cp\u003e \u003cb\u003eP\u003c/b\u003e is Plaintext of original file\u003c/p\u003e \u003cp\u003e \u003cb\u003eK\u003c/b\u003e is Secret encryption key\u003c/p\u003e \u003cp\u003eThis process or procedure uses the AES symmetric key to change the original plaintext data into ciphertext that is unreadable format. Because of its excellent resilience to cryptographic attacks and high efficiency, AES is widely used.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec18\" class=\"Section3\"\u003e \u003ch2\u003e3.4.2 Rivest\u0026ndash;Shamir\u0026ndash;Adleman (RSA) Key Encryption\u003c/h2\u003e \u003cp\u003eRSA is an asymmetric cryptographic algorithm is a type of cryptographic algorithm that uses a pair of keys consisting of a public key and a private key. In modern ransomware systems, RSA is commonly used to encrypt the symmetric key generated by AES[\u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e]. The RSA formular [\u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e17\u003c/span\u003e] is shown in Eq.\u0026nbsp;(2):\u003c/p\u003e\n\u003cp\u003e\u003cimg src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAbEAAAAlCAYAAADMUNdQAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAFiUAABYlAUlSJPAAAAhnSURBVHhe7dzPaxNPHwfwd5671k2u4iHbg4Ig6LaKFuFbsFv/ANkcC17c4E3QktJbKSbiTW0KCl5qUvBoqvXgoYml2igJCp4SxPOGIv4B8xyezLA72c2P2n51+7xfsNDMbLa7mzCfzMxnNiGEECAiIoqh/+gFREREccEgRkREscUgRkREscUgRkREscUgRkREscUgRkREscUgRkREscUgRkREscUgRkREscUgRkREscUgRj1qtRqy2SwSiYReRUTUV6fTQaFQQLvd1qv6qtVqWF1d1YsH2lcQK5fLmJiYQCKRUNvs7Oy+TuAwNJvNnnOL0m63kUwmkUgkkEwmUavV9F2U8fFxJBKJkT+cOKnVatje3sbKyopeRUTUV6fTweLiIm7evIl0Oq3Km80mMpmMapMnJiZ62tqpqSlcunQJmUwGnU4nUNeXGIHnecKyLGEYhigWi8LzPCGEEPl8XgAQuVxOf8sfU6lUBAABQBiGoVcrjuOo/Uqlkl6tlEolAUCYpiny+bxefeQYhiFG/HoQ0f8xGR8ajUagvNFoCMMwhGmawrZt1bZEtbnFYlHYtq0XRxq6lZInCKDnJMX/noQvKpWKXvzHVKtVAUDYth3ZGFerVWEYhrouGZTDmKYpXNcV+XxeGIbRd9+joN99IyLSOY4jXNfVi4XjOKJYLKrXnucJ13X7djBs2x66szB0K5XL5QSAoQ/8p5VKJWHbtjrvsMBrmqaqN01Tr1ZkQKxWq8LzPAEg8KEcRQxiRDQs2UaGtbNRMcM0TdWu6uTIV6vV0qt6DDUn1m63sby8DNM0cffuXb36r7S1tYV0Oo2xsTEAwK9fvwL1hUIBAHDlyhUAwMzMTKDeb2lpCZZlYWpqCqlUCq7r4sGDB/puysbGhpozTCaTWFhYGGqMd2NjA7OzsygUCuh0OlhYWEAymVTHQHfMWSZdJJNJlMtl/TBAyDlks9nIuTx9vDqbzQ51vvAlgch5x0KhoOYY5TkT0dG2tLQEwzBw7tw5vSoyZoyPjwMAjh07pldhcnISAPDs2TO9qpce1cLErRcmhBCWZYlisagiun/stdVqCcMwRLVaVfN5UT2rVqvV8/5Go9FTJpVKpcC4sLx3juPouwZUKhU1P5fL5YTjOKJUKolKpaKGO0ulUmi5/usnl8up6xO+YVPDMHr2lePVrusKz/NEq9VSxx309Wg0Gur6ZK+3VCqJarWqjhH2K4uIjg7ZRo4yjyW6oz39RsAwYIRM6t9Kdclun94A7pdsIEfZRmkM5ZBftVpV3Vx/AHYcRwUVOWwWdW2u64aO29q2LSzLCpR5nhcIHlJUsNHJc7UsKzDnJpNU9HIZoP3XJo+hB1i5r/5Fk5OtfvJLiQFBTEJ3bNvf9Q+770R09Mj2adTEvkFJcoPaZmngcGKz2USr1YJpmqFdxf3oBs+RtqmpKf0wkT58+AB0UzbPnDkDAPj+/TvQHf56+/YtlpeXAQAfP34EgNBra7fbWFlZwfz8vF6Fubk51Ov1QJroy5cvge7/9TNNEwCwubkZKI9y48YNpFIp9fr48eOh5SdPnlR/Sy9evAAAXLt2LVCeyWRgmiY2NzfRbDaB7pBjq9XC3NxcYN90Oq3OeViTk5OBlFrp3bt3ehERHSFfv34FADV1M4xyuQzDMCKHGv30qSDdwCD27ds3wDd+GQfv37+HbdsAoBp9OR80NzeH+fl5pNNpNJtN7O3tqX116XQaQojQG53JZHqCqzyef41aIpHA+vo64Aukh0nOkfmDnWRZFuALpq9evQIigmGcPm8iio9Op4OHDx/i6dOnelWo7e1tvShgYBD78eMHAGB6elqv+mt9+vQJFy5cUK8ty1KryOGbaJQB+qCurd1uw7Ksnl6k3J48eaK/5cDt7e3pRcr58+cDr6MSPYiIDsvi4iLu3LkTOvq1HwOD2GHQeyrDbPrq7n42NzdV1iG6vZJ6vY779+/j+fPnqnxrawsAcPbsWVX2O06cOIF6vT50Zt9hkkOGYU6dOqUXEREdunK5jKtXryKTyehVkS5fvqwXBfx2EBsfH8fGxoZe3JfeQxlm0+eZoshgd/r0aVUme2UzMzOB4+zu7gIALl68qMp+xz///AP45sZ0UenwB8lxHADAzs6OXoWfP38CvvRVeV9ev34d2I+IaFiyEzBoukS2f6MEMESk4PsNDGJyvujz5896FVZXV9FqtQIB40+T46f+JIOxsTEYhqGSOdAdl63X6zAMI3T+aD9kMsWtW7d6niOZzWZD557CyGCzH7dv3waA0HVs6+vrcF1X3Zvr168DAFZWVnp6bn9Db5KI/n6yE9BveqJcLuPLly+hASybzepFQDfpLmrtWYCerhhGpjrKtVSe54lisThSGva/wfM8tRxg0GOh5Pqmg36ElExlR3eNg3xWWNjjWHTynuqp9FHlco2bbduBcvlIF7n2Sz7mxTTNnmv1P/5FrvGS+6KbNtsvxVWumdNT7OU5h/1PIjpaHMcJXYoktOU9+mYYRmhqvlwmFVanGyoCeZ6nFtD6G2i58PZv4V+kG3VDha/x91/LQapUKioIDFoLIckfCv6tWq2OVO6Xz+fVOfgXM4eRz4NE94vWaDSEbdvCdd2+AUy/j+iuCws7N33tHBEdHXJdqN5e+B/EHrXp7xEjPnYqIYQQeu+MiIhoFJlMBslk8kCysGdnZzE9PR26vEk3cE6MiIhokMePH2N3d7dnfn1UMjlvmAAGBjEiIjoIqVQKb968wb179/YdyJrNJh49eoS1tTW9KhKDGBERHYhUKoW1tTXs7Oz0zVYM02w2sbOzg3K5PFLGOOfEiIgottgTIyKi2GIQIyKi2GIQIyKi2GIQIyKi2GIQIyKi2PovvpBB2SE02PIAAAAASUVORK5CYII=\" width=\"433\" height=\"37\"\u003e\u003c/p\u003e\n\u003cp\u003ewhere,\u003c/p\u003e \u003cp\u003e \u003cb\u003eC\u003c/b\u003e is the Encrypted message\u003c/p\u003e \u003cp\u003e \u003cb\u003eM\u003c/b\u003e is original message or data\u003c/p\u003e \u003cp\u003e \u003cb\u003ee\u003c/b\u003e is public key exponent\u003c/p\u003e \u003cp\u003e \u003cb\u003en\u003c/b\u003e is RSA modulus\u003c/p\u003e \u003cp\u003eRSA ensures that the AES encryption key remains protected, since only the corresponding private key can decrypt it.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec19\" class=\"Section3\"\u003e \u003ch2\u003e3.4.3 Entropy Analysis\u003c/h2\u003e \u003cp\u003eIn these experiment Shannon Entropy is used to calculate the entropy of each file before and after encryption[\u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e18\u003c/span\u003e]. Shannon Entropy refers to a specific measure of randomness, additionally it used to express the information content. This value basically indicates how predictable a given byte in the file is based on bytes that came before it [\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e] [\u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e20\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eEight bits of entropy per byte, which indicates total randomness, is the highest amount of entropy that can exist per byte. The generally accepted formula for Shannon entropy (H)[\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e] is express in Eq.\u0026nbsp;(3):\u003c/p\u003e \u003cp\u003e \u003cspan class=\"InlineEquation\"\u003e \u003cspan class=\"mathinline\"\u003e\\(\\:H\\left(X\\right)=\\:-\\)\u003c/span\u003e \u003c/span\u003e Σ p(xi) log2 p(xi) (3)\u003c/p\u003e \u003cp\u003ewhere\u003c/p\u003e \u003cp\u003eH(X) is Entropy (measure in bits)\u003c/p\u003e \u003cp\u003ep(Xi) is the Probability of occurrence of byte value \u003cem\u003exi\u003c/em\u003e\u003c/p\u003e \u003cp\u003e \u003cb\u003elog₂\u003c/b\u003e = Logarithm base 2\u003c/p\u003e \u003cp\u003eHigher entropy values indicate a greater level of randomness, which is characteristic of encrypted data.\u003c/p\u003e \u003c/div\u003e \u003c/div\u003e \u003cdiv id=\"Sec20\" class=\"Section2\"\u003e \u003ch2\u003e3.5 Experimental Procedure\u003c/h2\u003e \u003cp\u003eThe experiment was carried out step by step. First, all the sample files were placed inside a folder named \u0026ldquo;TestFile\u0026rdquo; The encryption program was then executed to process each file in that folder. Before encryption, the entropy of each file was calculated. After that, the file was encrypted using the hybrid encryption method. Once encryption was completed, the entropy was calculated again. The time taken to encrypt each file was also recorded. All the results were saved into a CSV file for further analysis.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec21\" class=\"Section2\"\u003e \u003ch2\u003e3.6 Evaluation Metrics\u003c/h2\u003e \u003cp\u003eThe following metrics were used to evaluate the impact of encryption:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eEntropy\u003c/b\u003e:\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eEntropy is used to measure the randomness of file data. Higher entropy indicates or implies stronger encryption and increased difficulty for forensic analysis or investigation[\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e].\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eEncryption Time\u003c/b\u003e:\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eThis actually measure the time take to encrypt each file in the folder or in a system and it also used to indicate system performance[\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e].\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eFile Type Analysis\u003c/b\u003e:\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eFile type analysis or comparison is used to observed how different file formats behave under encryption[\u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e].\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eThese metrics are useful in understanding both the effectiveness or stronger of the encryption techniques and their impact on digital forensic investigations.\u003c/p\u003e \u003c/div\u003e"},{"header":"Results and Analysis","content":"\u003cdiv id=\"Sec23\" class=\"Section2\"\u003e \u003ch2\u003e4.1 Experimental Results\u003c/h2\u003e \u003cp\u003eThe experiment or work was conducted using a 42 dataset of files consisting of different file types including multimedia (.mp3, .mp4, .png, .jgp), documents (.docx, .txt, .pdf), and structured data (.csv, .xlsx) file. Each file was encrypted using the hybrid cryptographic (AES\u0026thinsp;+\u0026thinsp;RSA) model implemented in this research. The entropy values of the files were measured before and after encryption, and the encryption time was recorded.\u003c/p\u003e \u003cp\u003eThe results actually show a significant increase in entropy after encryption. The average entropy value increased from 7.31 before encryption to 7.93 after the files is been encrypted. Many encrypted files reached entropy values close to 8, which indicates a high level of randomness typical of encrypted data.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec24\" class=\"Section2\"\u003e \u003ch2\u003e4.2 Entropy Analysis\u003c/h2\u003e \u003cp\u003eThis experiment's entropy analysis highlights that the hybrid encryption method successfully changed structured files into extremely random ciphertext. The minimum entropy observed before encryption was 3.30, while the maximum entropy after encryption reached 8.00. This reveals that the encryption algorithm successfully removed detectable patterns from the original data.\u003c/p\u003e \u003cp\u003eDigital forensic investigators regularly use high entropy values, which are always linked with the encrypted files, as a sign of possible ransomware procedure.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eThe entropy values that were produce from the result outcome of the sample files before and after encryption are illustrated in Fig.\u0026nbsp;\u003cspan refid=\"Fig3\" class=\"InternalRef\"\u003e3\u003c/span\u003e. The outcomes indicates that the entropy values of all files significantly increased after the encryption process of each file. In most cases, the entropy approached the theoretical maximum value of 8, indicating that the hybrid encryption method produced highly randomized ciphertext (encrypted message).\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec25\" class=\"Section2\"\u003e \u003ch2\u003e4.3 Encryption Performance Analysis\u003c/h2\u003e \u003cp\u003eThe encryption of files in the group \u0026ldquo;TestFile\u0026rdquo; was observed in terms of time elapsed to encrypt each file. The results specifically shows that the average encryption time was approximately 0.047 seconds per file. Most files were encrypted within a second, indicating that the hybrid encryption approach provides efficient performance.\u003c/p\u003e \u003cp\u003eRSA is only used to encrypt the AES key, which reduce computational overhead, while the use of AES for file encryption in this work ensures high-speed processing.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eFigure \u003cspan refid=\"Fig4\" class=\"InternalRef\"\u003e4\u003c/span\u003e above illustrates the encryption time recorded for each sample file during the hybrid encryption process. The outcome actually indicate that the encryption operation was completed within a very specific short period time for all file types including document, multimedia, and etc. In fact, it demonstrating the efficiency of the implemented hybrid encryption scheme or method. Although slight variations in encryption time can be observed among the files, these differences are mainly influenced by factors such as file size and data structure.\u003c/p\u003e \u003cp\u003eThe findings shows that how successful AES works for encrypting file of different type, which provides fast encryption performance within a short period of time, while RSA is used to secure the encryption key without significantly increasing computational overhead. Generally, the results confirm that the hybrid encryption approach is capable of encrypting multiple file types efficiently while maintaining strong cryptographic protection.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec26\" class=\"Section2\"\u003e \u003ch2\u003e4.4 Summary of Experimental Results\u003c/h2\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab3\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 3\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003eSummary of Encryption Impact on Sample Files\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"4\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eParameter\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e \u003cp\u003eBefore Encryption\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eAfter Encryption\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c4\"\u003e \u003cp\u003eObservation\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAverage File Entropy\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e7.32\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e7.94\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eSignificant increase in entropy indicating strong encryption randomness\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eFile Structure\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eStructured and readable\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003eHighly randomized\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eEncryption makes files unreadable without the key\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eEncryption Time\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eNot applicable\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c3\"\u003e \u003cp\u003e0.047 seconds (average)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eHybrid encryption performs very fast\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eThe summary results presented in Table X show that encryption significantly increased the entropy of the files from an average value of approximately 7.32 to about 7.94 after encryption. A number of factors suggest that files have become highly random, which is consistent with the creative application of the majority of available cryptographic techniques. This demonstrates that the hybrid encryption method is capable of processing encrypted files very quickly and can encrypt each file in just over 0.047 seconds on average. Therefore, it can be concluded that the AES - RSA hybrid encryption approach successfully simulates what modern ransomware uses for its encrypted files.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec27\" class=\"Section2\"\u003e \u003ch2\u003e4.5 File Type Encryption Behaviour\u003c/h2\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab4\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 4\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003eEncryption Behaviour Across Different File Types\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"6\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c6\" colnum=\"6\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eFile Type\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e \u003cp\u003eExample Extensions\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eNumber of Files\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c4\"\u003e \u003cp\u003eAverage Entropy Before Encryption\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c5\"\u003e \u003cp\u003eAverage Entropy After Encryption\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c6\"\u003e \u003cp\u003eObservation\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eDocument Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.docx, .txt, .pdf\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e10\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eLow to moderate\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eVery high (~\u0026thinsp;7.9\u0026ndash;8.0)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c6\"\u003e \u003cp\u003eFiles became completely unreadable after encryption\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eImage Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.jpg, .jpeg\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eModerate\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eVery high (~\u0026thinsp;7.9\u0026ndash;8.0)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c6\"\u003e \u003cp\u003eImage structure lost due to encryption\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eAudio Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.mp3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eHigh\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eVery high (~\u0026thinsp;7.9\u0026ndash;8.0)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c6\"\u003e \u003cp\u003eEncrypted audio cannot be played\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eVideo Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.mp4\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eHigh\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eVery high (~\u0026thinsp;7.9\u0026ndash;8.0)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c6\"\u003e \u003cp\u003eVideo data fully randomized\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eData Files\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e.csv, .xlsx\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e4\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c4\"\u003e \u003cp\u003eModerate\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c5\"\u003e \u003cp\u003eVery high (~\u0026thinsp;7.9\u0026ndash;8.0)\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c6\"\u003e \u003cp\u003eStructured data converted into random encrypted format\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eThe results presented in Table X show that hybrid encryption had a similar effect across all file categories used in the experiment. Prior to encryption, the contents of many files reflected a relative level of structure resulting in low entropy values. After encryption, however, the entropy values had increased to nearly maximum levels of randomness, signifying that the encryption process had successfully converted the original file contents to highly randomized ciphertext. As a consequence, accessing and reading the data files would not be possible without the proper key with which to decrypt the data.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec28\" class=\"Section2\"\u003e \u003ch2\u003e4.6 Discussion of Findings\u003c/h2\u003e \u003cp\u003eThe results of the experiment indicate that different file types composed of multiple file types demonstrate similar behaviors when employing hybrid cryptographic techniques through the AES - RSA hybrid model. The result indicates a clear transform in the entropy of the files (before and after) the encryption process.\u003c/p\u003e \u003cp\u003eThe most obvious result of the experiment is that the entropy values went up after encryption. Before encryption, the amount of entropy in a file changed based on what type it was. Some files, like spreadsheets and papers, had lower entropy values because they had clear and organized data.\u003c/p\u003e \u003cp\u003eAfter encryption, though, the entropy values of almost all files got closer to the maximum entropy value which is 8. This change shows that the encryption process turned the original files into very random data. Files that have been encrypted often indicates a lot of unpredictability, which means that the hybrid encryption architecture is working as it should which means is working appropriately.\u003c/p\u003e \u003cp\u003eAnother important thing to note is how well the encryption process works. The recorded encryption time shows that most files were encrypted in a very short amount of time. This result shows how well AES works for encrypting files. AES is fast, which makes it a good choice for encrypting a lot of data. In this study's hybrid encryption model, RSA was only used to encrypt the AES key, not the whole file. This design cuts down on the amount of work that needs to be done by computers and makes the encryption process more efficient as a whole.\u003c/p\u003e \u003cp\u003eThe results also show that even though the files were originally different in type and structure, the encrypted versions of these files seem to have the same amount of entropy. This means that the encryption process takes away most of the patterns that can be seen in the data, making it hard to tell what the file's original structure was after it has been encrypted.\u003c/p\u003e \u003cp\u003eFurthermore, the results that is generated actually indicates both difficulties and prospects from the point of view of digital forensics. On the one hand, forensic investigations or experts can use the high entropy values seen in encrypted files as an indicator. To find files that might have been encrypted by ransomware, investigators frequently examine file entropy. However, using hybrid encryption (AES\u0026thinsp;+\u0026thinsp;RSA) makes it much harder to recover the original data if you don't have the decryption key. The reasons behinds this is that RSA protects the key that encrypts the file, while AES encrypts the file's contents very well.\u003c/p\u003e \u003cp\u003eThe study's overall conclusions show that hybrid encryption can effectively increase file randomization while preserving effective performance. These traits contribute to the explanation of why a lot of contemporary ransomware variations use hybrid cryptographic methods to protect encrypted files and stop illegal recovery.\u003c/p\u003e \u003c/div\u003e\n\u003ch3\u003e1. Proposed Forensic Recommendations\u003c/h3\u003e\n\u003cp\u003eBased on the experimental results obtained in this study, several recommendations can be proposed to support digital forensic investigators when dealing with ransomware incidents that use hybrid cryptographic techniques.\u003c/p\u003e \u003cp\u003eFirst, forensic experts should consider entropy analysis as an early detection method when examining suspicious files in a system. The results of this research show that encrypted files produced by hybrid encryption tend to have entropy values close to the maximum value of 8, which actually show a greater level of randomness. Therefore, entropy analysis can be used as a metrics to identify files that may have been encrypted by ransomware during forensic investigations.\u003c/p\u003e \u003cp\u003eAnother point is that, investigators should concentrate on the collection and preservation of cryptographic key artefacts during incident response. Most modern ransomware uses AES to encrypt files and RSA to protect the encryption keys. The reason behind it is that, recovery the AES key back is often the only way to get back encrypted data. When investigating a system shortly after an attack, memory forensics on the system as well as analysis of log files and temporary files can point toward the possible existence of keys. In addition, forensic analysis can help locate files or file behaviours that may be suspicious or malicious, as well as encrypting patterns. For example, monitoring for significant variations in file entropy, such as sudden increases or periods of high activity, or unusual file types will assist an investigator in identifying ransomware-related activity sooner.\u003c/p\u003e \u003cp\u003eIn addition, organizations should implement regular system backups and strong incident response strategies that will assist them to identify any kind of attack that will cause them financial loss. Reliable backups can make ransomware attacks much less harmful by letting systems be restored without having to pay the ransom.\u003c/p\u003e \u003cp\u003eFinally, further research should explore more advanced forensic techniques such as memory forensics, behavioral analysis, and machine learning approaches for detecting ransomware encryption activities. These methods may provide additional capabilities for identifying ransomware attacks and supporting forensic investigations in complex cybercrime cases in order to extract malicious file.\u003c/p\u003e"},{"header":"Conclusion and Future Work","content":"\u003cdiv id=\"Sec31\" class=\"Section2\"\u003e \u003ch2\u003e6.1 Conclusion\u003c/h2\u003e \u003cp\u003eThis experiment examines the cryptographic techniques employed in ransomware and their ramifications for digital forensic investigation. The study implemented a hybrid encryption model combining the Advanced Encryption Standard (AES) and the Rivest\u0026ndash;Shamir\u0026ndash;Adleman (RSA) algorithm to simulate the encryption mechanism commonly used in modern ransomware attacks which is among the most dangerous cybercrime in the world. The main objective of the work was to examine how hybrid encryption affects file entropy and encryption performance across different and multiple file types.\u003c/p\u003e \u003cp\u003eThe results of this research actually showed that the entropy values of the files increased significantly after encryption. In most cases, the entropy values approached the theoretical maximum value of 8, which indicates a high level of randomness in the encrypted data. This demonstrates that the hybrid encryption process effectively changes structured files into highly randomized ciphertext, which eventually making it more difficult to identify patterns in the encrypted data or files.\u003c/p\u003e \u003cp\u003eThe performance analysis also shows that the encryption process finished very quickly for most files. The results show that using AES to encrypt file contents speeds up processing, while RSA is only used to encrypt the AES key. This hybrid design lets the system be both very safe and very fast.\u003c/p\u003e \u003cp\u003eFrom a digital forensic perspective, the findings indicates that entropy analysis can be useful in identifying encrypted files during ransomware investigations that is when expert analyzed the system. However, the use of hybrid encryption significantly increases the difficult in recovering the data that was encrypted without access to the decryption keys. This explains why modern ransomware families adopt hybrid cryptographic techniques to secure victim files and prevent unauthorized decryption.\u003c/p\u003e \u003cp\u003eThis research work has some limitations that should be accepted or acknowledge. Conducting experiments with a controlled dataset of sample files on my computer instead of real-world samples of ransomware using an implemented hybrid encryption model that simulates how ransomware operates but does not replicate all operational characteristics of any of the real ransomware families. Future research could include using real malware samples and larger datasets for more thorough forensic analyses. This work demonstrates that hybrid Encryption is highly efficacious in terms of both cryptography protection and speed when compared to traditional methods; thus, hybrid encryption was chosen as the most robust form of cryptographic protection for use with Ransomware attacks in today\u0026rsquo;s world and so forth.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec32\" class=\"Section2\"\u003e \u003ch2\u003e6.2 Future Work\u003c/h2\u003e \u003cp\u003eAlthough this research work provides useful knowledge or insights into hybrid encryption techniques used in ransomware, several areas remain open for further investigation.\u003c/p\u003e \u003cp\u003eA potential avenue for future research may explore more advanced forensic analyses for detection of Ransomware activity; these include Memory Forensics/Behavioral Analysis techniques, which could aid Investigators/Experts in identifying an encryption process while it is still ongoing during attacks. Another area of potential future work would be automated detection systems, which use Entropy Analysis and Machine Learning methods to detect files that are currently being encrypted by ransomware in \u0026ldquo;real-time,\u0026rdquo; thereby, improving an organization\u0026rsquo;s ability to detect ransomware in the early stages of an attack.\u003c/p\u003e \u003cp\u003eIn addition, future studies could expand the experimental dataset by including a larger number of files and additional file formats. This would allow researchers to evaluate the performance and behavior of hybrid encryption techniques across a broader range of data types.\u003c/p\u003e \u003cp\u003eFinally, further research could investigate possible strategies for improving digital forensic recovery techniques in ransomware incidents, including the analysis of memory artifacts and key management mechanisms.\u003c/p\u003e \u003c/div\u003e"},{"header":"References","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003eNagar G (Jun. 2024) The Evolution of Ransomware: Tactics, Techniques, and Mitigation Strategies. Int J Sci Res Manag IJSRM 12(06):1282\u0026ndash;1298. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.18535/ijsrm/v12i06.ec09\u003c/span\u003e\u003cspan address=\"10.18535/ijsrm/v12i06.ec09\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eHartono B, Zaejuli H (Jan. 2025) Analysis Of The Development Of An Early Detection System For Cryptographic-Based Ransomware Attacks In A Cloud Environment. J Impresi Indones 4(1):996\u0026ndash;1002. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.58344/jii.v4i1.6188\u003c/span\u003e\u003cspan address=\"10.58344/jii.v4i1.6188\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eNayak SC, Tiwari V, Samanthula BK Review of Ransomware Attacks and a Data Recovery Framework using Autopsy Digital Forensics Platform, in (2023) \u003cem\u003eIEEE 13th Annual Computing and Communication Workshop and Conference (CCWC)\u003c/em\u003e, Las Vegas, NV, USA: IEEE, Mar. 2023, pp. 0605\u0026ndash;0611. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1109/CCWC57344.2023.10099169\u003c/span\u003e\u003cspan address=\"10.1109/CCWC57344.2023.10099169\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eBerrueta E, Morato D, Magana E, Izal M (2019) A Survey on Detection Techniques for Cryptographic Ransomware. IEEE Access 7:144925\u0026ndash;144944. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1109/ACCESS.2019.2945839\u003c/span\u003e\u003cspan address=\"10.1109/ACCESS.2019.2945839\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePrasetyo SE, Aripradono HW, Ricardo (2025) Ransomware Attack Analysis in Cybersecurity, \u003cem\u003eJ. E-Komtek Elektro-Komput.-Tek.\u003c/em\u003e, vol. 9, no. 1, pp. 302\u0026ndash;312, Jul. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.37339/e-komtek.v9i1.2279\u003c/span\u003e\u003cspan address=\"10.37339/e-komtek.v9i1.2279\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eMonika P, Zavarsky, Lindskog D (2016) Experimental Analysis of Ransomware on Windows and Android Platforms: Evolution and Characterization. Procedia Comput Sci 94:465\u0026ndash;472. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.procs.2016.08.072\u003c/span\u003e\u003cspan address=\"10.1016/j.procs.2016.08.072\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eBegovic K, Al-Ali A, Malluhi Q (Sep. 2023) Cryptographic ransomware encryption detection: Survey. Comput Secur 132:103349. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.cose.2023.103349\u003c/span\u003e\u003cspan address=\"10.1016/j.cose.2023.103349\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eChen Q, Bridges RA Automated Behavioral Analysis of Malware A Case Study of WannaCry Ransomware, Sep. 25, 2017, \u003cem\u003earXiv\u003c/em\u003e: arXiv:1709.08753. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.48550/arXiv.1709.08753\u003c/span\u003e\u003cspan address=\"10.48550/arXiv.1709.08753\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eOgunseyi TB, Adedayo OM (2023) Cryptographic Techniques for Data Privacy in Digital Forensics. IEEE Access 11:142392\u0026ndash;142410. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1109/ACCESS.2023.3343360\u003c/span\u003e\u003cspan address=\"10.1109/ACCESS.2023.3343360\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKuswanto D (Jul. 2020) Cryptograph Rsa and Compression Shannon Fano Text File Services at Mobile Devices. J Phys Conf 1569(2):022079. Ser.\u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1088/1742-6596/1569/2/022079\u003c/span\u003e\u003cspan address=\"10.1088/1742-6596/1569/2/022079\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKumar A, Singh P, Kamble DP, Singh I (Oct. 2025) Hybrid cryptographic approach for strengthening IoT and 5G/B5G network security. Sci Rep 15(1):37971. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1038/s41598-025-21861-2\u003c/span\u003e\u003cspan address=\"10.1038/s41598-025-21861-2\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eHilaw C, Fotheringham M, Pemberton C, Sanderson D Introducing a Multi-Dimensional Cryptographic Behavioral Analysis Framework for Ransomware Detection, Dec. 03, 2024, \u003cem\u003eIn Review\u003c/em\u003e. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.21203/rs.3.rs-5540978/v1\u003c/span\u003e\u003cspan address=\"10.21203/rs.3.rs-5540978/v1\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eOsamor J et al (2025) Ethical Implications of WannaCry: A Cybersecurity Dilemma, \u003cem\u003eInt. Conf. Cyber Warf. Secur.\u003c/em\u003e, vol. 20, no. 1, pp. 354\u0026ndash;360, Mar. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.34190/iccws.20.1.3353\u003c/span\u003e\u003cspan address=\"10.34190/iccws.20.1.3353\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eDe Loaysa Babiano LF, Macfarlane R, Davies SR (Sep. 2023) Evaluation of live forensic techniques, towards Salsa20-Based cryptographic ransomware mitigation. Forensic Sci Int Digit Investig 46:301572. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.fsidi.2023.301572\u003c/span\u003e\u003cspan address=\"10.1016/j.fsidi.2023.301572\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eDavies SR, Macfarlane R, Buchanan WJ (Jun. 2020) Evaluation of live forensic techniques in ransomware attack mitigation. Forensic Sci Int Digit Investig 33:300979. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.fsidi.2020.300979\u003c/span\u003e\u003cspan address=\"10.1016/j.fsidi.2020.300979\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAlgorithms (Jul. 2022) Detection and Prevention of Ransomware Attacks using AES and RSA. J Digit Sci Technol 1(1):1\u0026ndash;9. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.59232/DST-V1I1P101\u003c/span\u003e\u003cspan address=\"10.59232/DST-V1I1P101\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eŞimşek H, \u0026Ouml;ncel \u0026Ouml;F (Jun. 2025) Fuzzy security level metric of hybrid cryptosystem algorithms. J Supercomput 81(9):1057. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1007/s11227-025-07547-6\u003c/span\u003e\u003cspan address=\"10.1007/s11227-025-07547-6\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eZhang W, Li X, Zhu T Entropy and Memory Forensics in Ransomware Analysis: Utilizing LLaMA-7B for Advanced Pattern Recognition\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eDavies SR, Macfarlane R, Buchanan WJ (2022) Comparison of Entropy Calculation Methods for Ransomware Encrypted File Identification, \u003cem\u003eEntropy\u003c/em\u003e, vol. 24, no. 10, p. 1503, Oct. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.3390/e24101503\u003c/span\u003e\u003cspan address=\"10.3390/e24101503\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eManoj M, Rani VG (May 2022) Ransomeware classification using fuzzy neural network algorithm. Int J Health Sci 11268\u0026ndash;11278. \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.53730/ijhs.v6nS2.8026\u003c/span\u003e\u003cspan address=\"10.53730/ijhs.v6nS2.8026\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":true,"hideJournal":true,"highlight":"","institution":"Shobhit University","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Ransomware, Cryptographic, Advance Encryption Standard (AES), Rivest–Shamir–Adleman (RSA), Digital forensic","lastPublishedDoi":"10.21203/rs.3.rs-9304413/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-9304413/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eRansomware attacks have become one of the most major cybersecurity threats globally, causing serious financial and operational damage to organizations and individuals that cause significant data breaches and financial loss. Modern ransomware commonly uses hybrid cryptographic techniques that combine symmetric (e.g. AES) and asymmetric (e.g. RSA) encryption algorithms to protect victim files and prevent unauthorized recovery. This study presents an experimental analysis of cryptographic techniques used in ransomware and evaluate their impact on digital forensic investigations. In this research, a hybrid encryption model based on the Advanced Encryption Standard (AES) and the Rivest\u0026ndash;Shamir\u0026ndash;Adleman (RSA) algorithm was implemented to simulate the encryption mechanism used in today\u0026rsquo;s ransomware attack that. The experiment was conducted on multiple file types including documents (.docx), images (.jpg, and .png), audio (.mp3), video (.mp4), and spreadsheet (.csv, .xlsx) files. Key metrics that was used in this work include file entropy and encryption time were analyzed to examines the behavior and performance of the encryption process of each file. The results show that file entropy went up a lot after encryption, getting close to the theoretical maximum value. This means that the encrypted data is very random. Also, the encryption process was finished quickly for most files, which shows how well the hybrid encryption method works. These results show how hard it is for digital forensic investigators to look at files that have been encrypted by ransomware. The experiment shows that hybrid encryption is both very secure and very fast, which is why it is so popular in modern ransomware attacks. The results also show that entropy analysis can help find encrypted files during forensic investigations.\u003c/p\u003e","manuscriptTitle":"An Experimental Analysis of Cryptographic Techniques Used in Ransomware and Their Impact on Digital Forensic Investigation","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2026-04-03 06:45:31","doi":"10.21203/rs.3.rs-9304413/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"96467cbe-6dce-4563-b1ef-adce43ff1b76","owner":[],"postedDate":"April 3rd, 2026","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2026-04-03T06:45:32+00:00","versionOfRecord":[],"versionCreatedAt":"2026-04-03 06:45:31","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-9304413","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-9304413","identity":"rs-9304413","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.