Sensors Report: Ransomware Analysis of the Impact on Windows Active Directory Domain Services, 2022

Citation: McDonald, G.; Papadopoulos, P.; Pitropakis, N.; Ahmad, J.; Buchanan, W.J. Ransomware: Analysing the Impact on Windows Active Directory Domain Services. Sensors 2022, 22, 953. https://doi.org/10.3390/s22030953
Academic Editor: Yuh-Shyan Chen
Received: 23 December 2021
Accepted: 24 January 2022
Published: 26 January 2022
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
sensors
Article
Ransomware: Analysing the Impact on Windows Active Directory Domain Services
Grant McDonald, Pavlos Papadopoulos *, Nikolaos Pitropakis *, Jawad Ahmad and William J. Buchanan
Blockpass ID Lab, School of Computing, Edinburgh Napier University, Edinburgh EH10 5DT, UK;
grant.a.mcdonald@gmail.com (G.M.); j.ahmad@napier.ac.uk (J.A.); b.buchanan@napier.ac.uk (W.J.B.)
* Correspondence: pavlos.papadopoulos@napier.ac.uk (P.P.); n.pitropakis@napier.ac.uk (N.P.)
Abstract: Ransomware has become an increasingly popular type of malware across the past decade
and continues to rise in popularity due to its high profitability. Organisations and enterprises have
become prime targets for ransomware as they are more likely to succumb to ransom demands as
part of operating expenses to counter the cost incurred from downtime. Despite the prevalence
of ransomware as a threat towards organisations, there is very little information outlining how
ransomware affects Windows Server environments, and particularly its proprietary domain services
such as Active Directory. Hence, we aim to increase the cyber situational awareness of organisations
and corporations that utilise these environments. Dynamic analysis was performed using three
ransomware variants to uncover how crypto-ransomware affects Windows Server-specific services and
processes. Our work outlines the practical investigation undertaken as WannaCry, TeslaCrypt, and
Jigsaw were acquired and tested against several domain services. The findings showed that none of
the three variants stopped the processes and decidedly left all domain services untouched. However,
although the services remained operational, they became uniquely dysfunctional as ransomware
encrypted the files pertaining to those services.
Keywords: ransomware; WannaCry; TeslaCrypt; Jigsaw; Windows Server; Active Directory Services
1. Introduction
There is no questioning that information technology (IT) and computing play an
integral part in the day-to-day operations of enterprises and organisations in modern society.
IT systems have immeasurably increased productivity in the modern workplace, and as a
result, a dependency upon this has been created, so much so that “IT services are becoming
a critical infrastructure, much like roads, electricity, tap water, and financial services” [1].
When IT systems stop functioning in business environments, companies can lose a large
amount of money through non-utilised staff wages, missed opportunities, and reputational
harm, with the average cost of downtime totalling $141,000 [2]. Cybercriminals have caught
on to this and have begun to take advantage of the harm caused by data destruction and
downtime by using a particular form of malware called ransomware. Designed to hold the
system or its contents hostage until a ransom is paid, ransomware is particularly damaging to
organisations due to the aforementioned consequences of downtime, making organisations
much more lucrative targets. The profitability of ransomware relies upon the willingness
to pay the ransom, and when the cost of downtime is 23 times greater than the average
ransom demand of USD 5900, it is no surprise that the ransomware industry continues to
grow [2].
With downtime having the largest financial impact when it comes to corporate IT
utilisation, in conjunction with the threat of blackmail from stolen files, succumbing to
the ransom demand becomes very appealing. In a 2018 study, researchers were able to
trace an estimated USD 16 million in ransom payments through a two-year period from
a potential 19,750 victims [3], with a further estimated total of over USD 25 million in