An Experimental Analysis of Cryptographic Techniques Used in Ransomware and Their Impact on Digital Forensic Investigation

Abstract

Ransomware attacks have become one of the major cybersecurity threats globally, causing serious financial and operational damage to organizations and individuals, including significant data breaches and financial loss. Modern ransomware commonly uses hybrid cryptographic techniques that combine symmetric (e.g. AES) and asymmetric (e.g. RSA) encryption algorithms to protect victim files and prevent unauthorized recovery. This study presents an experimental analysis of cryptographic techniques used in ransomware and evaluates their impact on digital forensic investigations. In this research, a hybrid encryption model based on the Advanced Encryption Standard (AES) and the Rivest–Shamir–Adleman (RSA) algorithm was implemented to simulate the encryption mechanism used in today's ransomware attacks. The experiment was conducted on multiple file types including documents (.docx), images (.jpg and .png), audio (.mp3), video (.mp4), and spreadsheet (.csv, .xlsx) files. Key metrics, including file entropy and encryption time, were analyzed to examine the behavior and performance of the encryption process for each file. The results show that file entropy increased substantially after encryption, approaching the theoretical maximum value, which means that the encrypted data is highly random. The encryption process also finished quickly for most files, which shows how efficient the hybrid encryption method is. These results show how hard it is for digital forensic investigators to examine files that have been encrypted by ransomware. The experiment shows that hybrid encryption is both very secure and very fast, which is why it is so popular in modern ransomware attacks. The results also show that entropy analysis can help find encrypted files during forensic investigations.
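The abstract's closing point, that entropy analysis can help find encrypted files, can be sketched as a triage routine. This is an added example, not code from the paper; the 7.9 threshold, the 4096-byte chunk size, the function names and the sample data are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the theoretical maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, threshold: float = 7.9, chunk_size: int = 4096) -> dict:
    """Score whole-file and per-chunk entropy.

    threshold and chunk_size are assumed values, not taken from the paper.
    Only full chunks are scored: a short tail cannot reach the threshold.
    """
    chunks = [shannon_entropy(data[i:i + chunk_size])
              for i in range(0, len(data) - chunk_size + 1, chunk_size)]
    high = sum(1 for e in chunks if e >= threshold)
    return {
        "entropy": round(shannon_entropy(data), 3),
        "high_chunk_ratio": high / len(chunks) if chunks else 0.0,
        "likely_encrypted": bool(chunks) and high == len(chunks),
    }


# Constructed samples (64 KiB each). No encryption is performed here:
# SHA-256 in counter mode is a deterministic stand-in for ciphertext.
CIPHERTEXT_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
PLAINTEXT_CSV = "".join(
    f"{i},user{i},{i * 37 % 1000}\n" for i in range(8000)).encode()[:65536]
# First half high-entropy, second half untouched, as in a partly processed file.
PARTIAL = CIPHERTEXT_LIKE[:32768] + PLAINTEXT_CSV[:32768]

if __name__ == "__main__":
    for name, blob in [("csv", PLAINTEXT_CSV), ("ciphertext-like", CIPHERTEXT_LIKE),
                       ("partial", PARTIAL), ("empty", b"")]:
        print(f"{name:16s} {triage(blob)}")
```

Compressed formats such as .jpg, .mp4, .docx and .xlsx already score close to the maximum before encryption, so the threshold alone separates them poorly from ciphertext and is best combined with file-header checks.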
