Saved in:
Bibliographic Details
Main Authors: Compagnucci, Tommaso, Callegati, Franco, Giallorenzo, Saverio, Melis, Andrea, Melloni, Simone, Vannini, Alessandro
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2504.07868
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910908460040192
author Compagnucci, Tommaso
Callegati, Franco
Giallorenzo, Saverio
Melis, Andrea
Melloni, Simone
Vannini, Alessandro
author_facet Compagnucci, Tommaso
Callegati, Franco
Giallorenzo, Saverio
Melis, Andrea
Melloni, Simone
Vannini, Alessandro
contents Ransomware poses a significant threat to individuals and organisations, compelling tools to investigate its behaviour and the effectiveness of mitigations. To answer this need, we present SAFARI, an open-source framework designed for safe and efficient ransomware analysis. SAFARI's design emphasises scalability, air-gapped security, and automation, democratising access to safe ransomware investigation tools and fostering collaborative efforts. SAFARI leverages virtualisation, Infrastructure-as-Code, and OS-agnostic task automation to create isolated environments for controlled ransomware execution and analysis. The framework enables researchers to profile ransomware behaviour and evaluate mitigation strategies through automated, reproducible experiments. We demonstrate SAFARI's capabilities by building a proof-of-concept implementation and using it to run two case studies. The first analyses five renowned ransomware strains (including WannaCry and LockBit) to identify their encryption patterns and file targeting strategies. The second evaluates Ranflood, a contrast tool which we use against three dangerous strains. Our results provide insights into ransomware behaviour and the effectiveness of countermeasures, showcasing SAFARI's potential to advance ransomware research and defence development.
format Preprint
id arxiv_https___arxiv_org_abs_2504_07868
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle SAFARI: a Scalable Air-gapped Framework for Automated Ransomware Investigation
Compagnucci, Tommaso
Callegati, Franco
Giallorenzo, Saverio
Melis, Andrea
Melloni, Simone
Vannini, Alessandro
Cryptography and Security
Ransomware poses a significant threat to individuals and organisations, compelling tools to investigate its behaviour and the effectiveness of mitigations. To answer this need, we present SAFARI, an open-source framework designed for safe and efficient ransomware analysis. SAFARI's design emphasises scalability, air-gapped security, and automation, democratising access to safe ransomware investigation tools and fostering collaborative efforts. SAFARI leverages virtualisation, Infrastructure-as-Code, and OS-agnostic task automation to create isolated environments for controlled ransomware execution and analysis. The framework enables researchers to profile ransomware behaviour and evaluate mitigation strategies through automated, reproducible experiments. We demonstrate SAFARI's capabilities by building a proof-of-concept implementation and using it to run two case studies. The first analyses five renowned ransomware strains (including WannaCry and LockBit) to identify their encryption patterns and file targeting strategies. The second evaluates Ranflood, a contrast tool which we use against three dangerous strains. Our results provide insights into ransomware behaviour and the effectiveness of countermeasures, showcasing SAFARI's potential to advance ransomware research and defence development.
title SAFARI: a Scalable Air-gapped Framework for Automated Ransomware Investigation
topic Cryptography and Security
url https://arxiv.org/abs/2504.07868