In the current era of interconnected cyberspace, ransomware has an adverse effect on individuals, startups, and large companies. Cybercriminals hold digital assets hostage until their demand for payment is met. The success of ransomware surged with the introduction of the Ransomware as a Service (RaaS) franchise model in darknet markets. The obfuscation and polymorphic nature of malware make it more difficult for antivirus systems to identify. Signature-based intrusion detection is still in use but suffers from the scarcity of RaaS packet signatures. We have analysed RaaS samples with a network forensic approach, investigating packet captures of benign and malicious network traffic. The behaviour of the RaaS-family ransomware Ryuk and GandCrab has been analysed to classify packets as suspicious, malicious, and non-malicious, which further aids in generating RaaS packet signatures for early detection and mitigation of ransomware belonging to the RaaS family. More than 40% of packets are found to be malicious in this experiment. The proposed method is also verified using the VirusTotal API. Further, the proposed approach is recommended for integration into honeypots in the present scenario to combat the scarcity of malware (RaaS) samples. This data will be helpful in developing AI-based threat intelligence mechanisms, which in turn enhance threat detection and prevention, incident response, and risk assessment.