Ransomware Incident Response and Forensics

Forensic Labs
May 12, 2018

Initial Triage

Generally it’s a good idea to switch off or hibernate the infected system, in case you are lucky enough that it hasn’t finished encrypting the files on disk. Hibernating rather than powering off also preserves the contents of memory for later analysis. If it’s a Virtual Machine, take a snapshot.

Many ransomware variants encrypt network shares, or spread within networks.

If you choose not to turn the system off, or are unable to, isolate the host from the network. You can do this remotely, or simply disconnect it from the network if you have physical access to the machine.

We’ve built a platform to perform incident response and forensics in AWS/Azure/GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

What kind of ransomware are you dealing with?

It’s important to quickly identify whether you are dealing with common opportunistic ransomware, or with something more targeted.

Opportunistic Ransomware

Most ransomware is deployed through malicious emails or exploit kits. These normally don’t provide the attacker with interactive access to your network.

Ransomware Worms

Increasingly, though, opportunistic ransomware includes worm-like functionality to spread quickly through networks.

Targeted Ransomware

Some ransomware, such as SamSam and LockCrypt, is deployed manually by an attacker as part of a classic intrusion. The attacker will likely spread to multiple systems, and maintain access until they are removed.

You can identify what ransomware you are dealing with by:

  • Searching a search engine for the text of the ransomware note, or uploading it to ID Ransomware;
  • Identifying the ransomware executable responsible; and
  • Identifying the initial infection vector.

Identifying Ransomware Notes

Ransomware notes are normally easy to find, as the ransomware author wants you to find them.

But you can double-check by running keyword searches or YARA rules for common phrases found in ransomware notes. These may also find the ransomware executable itself, since the note text is often embedded in it as a string.
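As an added illustration of the keyword search described above (this is example code, not part of the original post or any tool it mentions), the script below walks a directory tree such as a mounted forensic image and flags small files that contain two or more phrases typical of ransom notes. The phrase list, the directory layout and the note text are constructed for the demonstration; the repeated-filename count at the end catches the classic pattern of one note dropped into every folder.

```python
import os
import tempfile
from pathlib import Path

# Phrases that commonly appear in ransom notes (constructed list for the demo;
# extend it with the exact wording of the note you actually found).
NOTE_PHRASES = [
    "your files have been encrypted",
    "decrypt",
    "bitcoin",
    "private key",
    "tor browser",
]

# Ransom notes are small text/HTML files; capping the size keeps the scanner
# from reading large encrypted payloads into memory.
MAX_NOTE_SIZE = 64 * 1024


def scan_file(path, phrases=NOTE_PHRASES, min_hits=2):
    """Return the set of phrases found in the file, or None when fewer than
    min_hits phrases match (i.e. it does not look like a ransom note)."""
    try:
        if path.stat().st_size > MAX_NOTE_SIZE:
            return None
        text = path.read_bytes().decode("utf-8", errors="ignore").lower()
    except OSError:
        return None
    hits = {p for p in phrases if p in text}
    return hits if len(hits) >= min_hits else None


def find_ransom_notes(root, phrases=NOTE_PHRASES, min_hits=2):
    """Walk a tree (e.g. a mounted image) and return a sorted list of
    (path, matched phrases) for every file that looks like a note."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hits = scan_file(Path(dirpath) / name, phrases, min_hits)
            if hits:
                results.append((os.path.join(dirpath, name), sorted(hits)))
    return sorted(results)


def note_filename_counts(results):
    """Count how many directories each note filename appears in; a name that
    repeats across many folders is a strong ransom-note signal."""
    counts = {}
    for path, _hits in results:
        name = os.path.basename(path)
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_demo_tree():
    """Create a constructed sample tree: two copies of a fake note, one
    innocuous document and one binary file standing in for encrypted data."""
    root = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    note = ("ATTENTION! Your files have been encrypted.\n"
            "To decrypt them, install the Tor Browser and pay in Bitcoin.\n")
    for sub in ("Users/alice/Documents", "Users/alice/Desktop"):
        d = root / sub
        d.mkdir(parents=True)
        (d / "HOW_TO_RECOVER.txt").write_text(note)
    (root / "Users/alice/Documents/budget.txt").write_text("Q2 figures attached.\n")
    # Deterministic non-text bytes, so the scanner never matches by accident.
    (root / "Users/alice/Documents/report.docx.locked").write_bytes(bytes(range(256)) * 8)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    notes = find_ransom_notes(demo_root)
    for path, hits in notes:
        print(path, hits)
    print(note_filename_counts(notes))
```

Run it against the mount point of the image instead of the demo tree; requiring two phrase hits rather than one keeps ordinary documents that merely mention "decrypt" or "bitcoin" out of the results.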

Identifying the Ransomware Executable

Normally the ransomware executable is easy to find using timeline analysis. Look for the creation of executables surrounding the first encrypted files, or the initial compromise.

[Image: Timeline analysis of a JBoss web server compromised with SamSam ransomware. Via RSA.]
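To show the timeline step above in code (an added example, not code from the original post or from RSA's analysis), the script below parses a file-system timeline, finds the first file carrying an encrypted-file extension, and lists executable content created in the minutes leading up to it. The sample timeline, the paths, the ".locked" extension and the ten-minute window are all constructed assumptions; on a real case you would feed it an exported timeline from your own tooling and the extension you observe.

```python
from datetime import datetime, timedelta

# Constructed sample timeline in the (timestamp, action, path) shape you get
# after exporting a file-system timeline from a forensic image. Every path
# and name here is invented for the demonstration.
SAMPLE_TIMELINE = """\
2018-05-10T02:11:05 CREATE C:\\Windows\\Temp\\update.log
2018-05-10T02:14:30 CREATE C:\\jboss\\server\\default\\deploy\\helper.war
2018-05-10T02:16:02 CREATE C:\\Users\\Public\\svchost.exe
2018-05-10T02:16:45 CREATE C:\\Users\\Public\\del.bat
2018-05-10T02:17:10 CREATE C:\\Share\\Finance\\budget.xlsx.locked
2018-05-10T02:17:11 CREATE C:\\Share\\Finance\\HELP_DECRYPT_YOUR_FILES.html
2018-05-10T02:17:12 CREATE C:\\Share\\HR\\staff.docx.locked
2018-05-10T09:00:00 CREATE C:\\Users\\alice\\Downloads\\setup.exe
"""

# Extensions treated as executable content during triage; .war and .jsp are
# included because web shells on a JBoss server are part of the SamSam story.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js",
                       ".war", ".jsp")
ENCRYPTED_SUFFIXES = (".locked",)  # assumption: replace with the extension you see


def parse_timeline(text):
    """Parse 'timestamp action path' lines into time-sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, path = line.split(" ", 2)  # path may itself contain spaces
        events.append({"time": datetime.fromisoformat(ts),
                       "action": action, "path": path})
    return sorted(events, key=lambda e: e["time"])


def first_encrypted_file(events, suffixes=ENCRYPTED_SUFFIXES):
    """Return the earliest CREATE event for a file with an encrypted-file
    extension, or None if the timeline holds no such file."""
    for e in events:
        if e["action"] == "CREATE" and e["path"].lower().endswith(suffixes):
            return e
    return None


def suspect_executables(events, anchor_time, window=timedelta(minutes=10),
                        suffixes=EXECUTABLE_SUFFIXES):
    """List executable content created in the window ending at anchor_time
    (the first encrypted file, or the initial compromise when known)."""
    start = anchor_time - window
    return [e["path"] for e in events
            if e["action"] == "CREATE"
            and start <= e["time"] <= anchor_time
            and e["path"].lower().endswith(suffixes)]


def triage(text=SAMPLE_TIMELINE):
    """Run the whole procedure; return (first encrypted path, suspect list)."""
    events = parse_timeline(text)
    first = first_encrypted_file(events)
    if first is None:
        return None, []
    return first["path"], suspect_executables(events, first["time"])


if __name__ == "__main__":
    first_path, suspects = triage()
    print("first encrypted file:", first_path)
    for p in suspects:
        print("  created shortly before it:", p)
```

Executables created long after the first encrypted file (the 09:00 download in the sample) are deliberately left out: they post-date the encryption and belong to a different line of inquiry.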

Alternatively, most ransomware is reliably detected by both Anti-Virus signatures and YARA rules.

Identify the Initial Compromise

Identifying the initial compromise is required to protect other systems that could be vulnerable too.

Drive-by Compromise

You can identify exploits in temporary internet files using YARA and Anti-Virus signatures. Review the Internet history as well.

Exploit Public-Facing Application

Depending upon the application, you may have both web-server logs and application logs to review. Look for web shells and other signs of post-compromise activity. SamSam ransomware is known to target JBoss.

Spear-phishing Attachment

You can parse Outlook archives (PST files) using forensic tools such as EnCase or pffexport (included with SIFT). You can also review attachments if you have access to the mail system itself.

Once extracted, attachments can be analysed using YARA and Anti-Virus, or by hand.

You can also review Outlook’s temporary archive, and Temporary Internet Files for web-mail.

In addition to reviewing attachments, you may want to extract any URLs from messages and check to see if they are malicious.

Check for Lateral Movement

Review the Windows Event logs to identify any potential lateral movement from the infected system.
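As an added example of that review (this code is not from the original post), the script below runs over Security and System event records collected from several hosts and pulls out the signals that an infected workstation reached other systems: 4648 explicit-credential logons made from it, 4624 network (type 3) and RDP (type 10) logons on other hosts arriving from its IP address, and a 7045 service installation on a host within a few minutes of such a logon. The records, host names, accounts, addresses and service names are constructed; the field names follow the EventData of those event IDs as a flattened EVTX export would present them, and the five-minute correlation window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records from three hosts' event logs. Field names follow
# the EventData of Security events 4624/4648 and System event 7045; all values
# are invented for the demonstration.
SAMPLE_EVENTS = [
    {"time": "2018-05-10T02:18:40", "host": "WS01", "id": 4624,
     "TargetUserName": "alice", "LogonType": "2", "IpAddress": "-"},
    {"time": "2018-05-10T02:20:01", "host": "WS01", "id": 4648,
     "SubjectUserName": "alice", "TargetUserName": "administrator",
     "TargetServerName": "FS01"},
    {"time": "2018-05-10T02:20:03", "host": "FS01", "id": 4624,
     "TargetUserName": "administrator", "LogonType": "3",
     "IpAddress": "10.0.5.23", "WorkstationName": "WS01"},
    {"time": "2018-05-10T02:20:09", "host": "FS01", "id": 7045,
     "ServiceName": "helpersvc", "ImagePath": "C:\\Windows\\helper.exe"},
    {"time": "2018-05-10T02:25:00", "host": "FS01", "id": 4624,
     "TargetUserName": "svc_backup", "LogonType": "3",
     "IpAddress": "10.0.5.40", "WorkstationName": "BACKUP01"},
    {"time": "2018-05-10T02:31:15", "host": "DC01", "id": 4624,
     "TargetUserName": "administrator", "LogonType": "10",
     "IpAddress": "10.0.5.23", "WorkstationName": "WS01"},
    {"time": "2018-05-10T03:40:00", "host": "DC01", "id": 7045,
     "ServiceName": "printsvc", "ImagePath": "C:\\Windows\\spool.exe"},
]

# Logon types that mean "came in over the network" rather than at the console.
LATERAL_LOGON_TYPES = {"3": "network", "10": "remote interactive (RDP)"}


def lateral_movement_from(events, infected_host, infected_ip,
                          service_window=timedelta(minutes=5)):
    """Return findings suggesting the infected host reached other systems.

    Type 3 logons also come from ordinary file-share access, so every
    finding is a lead to review, not a verdict."""
    findings = []
    last_inbound = {}  # host -> time of latest logon from the infected host
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4648 and e["host"] == infected_host:
            # 4648 is logged on the machine the credentials were used FROM.
            findings.append({"time": e["time"], "host": e["TargetServerName"],
                             "account": e["TargetUserName"],
                             "signal": "explicit credentials used from " + infected_host})
        elif (e["id"] == 4624 and e["host"] != infected_host
              and e.get("IpAddress") == infected_ip
              and e.get("LogonType") in LATERAL_LOGON_TYPES):
            findings.append({"time": e["time"], "host": e["host"],
                             "account": e["TargetUserName"],
                             "signal": LATERAL_LOGON_TYPES[e["LogonType"]]
                             + " logon from " + infected_ip})
            last_inbound[e["host"]] = t
        elif (e["id"] == 7045 and e["host"] in last_inbound
              and t - last_inbound[e["host"]] <= service_window):
            # A new service right after a logon from the infected host is the
            # footprint remote-execution tooling leaves on the target.
            gap = int((t - last_inbound[e["host"]]).total_seconds())
            findings.append({"time": e["time"], "host": e["host"],
                             "account": None,
                             "signal": "service %s installed %ds after logon from %s"
                             % (e["ServiceName"], gap, infected_ip)})
    return findings


def hosts_touched(findings):
    """Sorted list of other hosts the infected system appears to have reached."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in lateral_movement_from(SAMPLE_EVENTS, "WS01", "10.0.5.23"):
        print(f["time"], f["host"], f["account"], "-", f["signal"])
    print("hosts to scope in:", hosts_touched(lateral_movement_from(
        SAMPLE_EVENTS, "WS01", "10.0.5.23")))
```

Every host that appears in the output needs the same triage as the original system; the backup server's own logon and the unrelated service install an hour later on DC01 are correctly left out.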

File Recovery

There are a number of tools, both paid and free, that may be used to recover deleted files. You can run these over forensic images of the infected disk.

Normally ransomware will delete the volume shadow copies as well, which removes the easiest on-disk recovery option.

Response and Remediation

If you’re dealing with manually deployed ransomware such as SamSam you will need to go through a number of steps to secure your network.

If it’s an opportunistic attack, identify the initial method of intrusion and fix any gaps. For example, if the initial infection was through an exploit kit, make sure your network is patched against the exploit that succeeded.

Ideally you have off-site back-ups of any lost data that you can recover from. If not, consider how effective your back-up strategies were and if they could be improved.

Any passwords or credentials used on the infected system should be considered compromised, and reset. Normally the infected system should be wiped and re-installed.

US-CERT provides additional guidance around responding to ransomware.

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.