volGPT: Evaluation on triaging ransomware process in memory forensics with Large Language Model

In the face of the harm that ransomware can inflict upon users' computers, the imperative to efficiently and accurately triage its processes within memory forensics becomes increasingly crucial. However, ransomware perpetrators employ sophisticated techniques, such as process masquerading, to evade detection and analysis. In response to these challenges, we propose a novel ransomware triage method leveraging a Large Language Model (LLM) in conjunction with the Volatility framework, the de-facto standard in memory forensics. We conducted experiments on memory dumps infected by five different ransomware families, utilizing LLM-based approaches. Through extensive experiments, our method named volGPT demonstrated high accuracy in identifying ransomware-related processes within memory dumps. Additionally, our approach exhibited greater efficiency and provided more comprehensive explanations during ransomware triage than other state-of-the-art methods.