Posted by Tyler Chancey, GCFA on

Tyler Chancey is a seasoned cybersecurity professional currently serving as the Director of Cyber Security at Scarlett Cybersecurity Services, With a solid foundation in Computer Software Engineering from the University of Florida, Tyler holds a repertoire of certifications that underscore his expertise. These include the prestigious Microsoft 365 Certified: Enterprise Administrator Expert and Microsoft 365 Certified: Security Administrator Associate, showcasing his mastery in Microsoft's enterprise solutions. Tyler's commitment to comprehensive security is further evidenced by his CompTIA Security+ certification, demonstrating proficiency in core cybersecurity principles. Additionally, his GIAC Certified Forensic Analyst (GCFA) credential attests to his advanced skills in forensic analysis—an invaluable asset in today's complex cybersecurity landscape. Tyler's dedication to staying at the forefront of industry standards is evident in the active pursuit and maintenance of these certifications, making him a trusted authority in the field.

Featured image for this post

Assuming you are here reading this article, then your system must have been hit by a ransomware attack. Now you are here searching for a way back. Well, ransomware forensics is the exact way to do that.

Ransomware forensics includes all the steps in seeking a solution to a malware attack. It is a way of investigating and analyzing various aspects of the said attack to find out the reason and culprits behind it. Through this investigation, you find your way back to recovery.

Ransomware attacks are one of the major concerns these days when it comes to business. If we compare the past four years, it’s clear that there are a lot more victimized organizations in 2021. Even if your company has one of the most isolated networks, you still have a chance of having exposure. That’s why getting familiar with ransomware forensics should be one of your top priorities.

Keep on reading this extensive guide and understand everything about ransomware forensics. Let’s dive in.

What is Ransomware Forensics?

Ransomware Forensics includes the techniques and ways to investigate cybercrime. During this process, the digital evidence is preserved and later used to discover the actions taken by cybercriminals. Different methods take place that give insights to respond effectively to recover and decrypt your files and loss data.

The whole process of ransomware forensics involves full-fledged investigation. In which forensics labs along with different law enforcement take steps and find their way back to recovery.

The investigation usually relies on the digital evidence collected. Getting this evidence is one other process which is explained down below. There are cases in which this digital evidence is not properly collected, and that makes it quite hard to take steps to recover your files.

You need to understand how you can preserve digital evidence against particular cyber crimes. This is quite an important step, the complete process of investigation depends on the data received from evidence. That’s why we are here to guide you in protecting evidence and in giving a required ransomware incident response.

Ransomware Incident Response - The Investigation Checklist

We have divided ransomware investigation into five phases. Anyone who’s been hit by a ransomware attack should follow these phases. He should understand the ins and outs of every aspect of the investigation. Take a look.

Phase One - Validating Alert

The possibility of your system being compromised depends on the size of your organization. Perhaps, your company has the exposure of getting hundreds and thousands of cyber security events, and any of them could be a possible signal of a breach. Upon this sign, the SOC sends an alert of the potential malware attack to the forensics lab. This alert could be a false positive, it could be nothing, or perhaps it could be an actual malware attack.

Every single alert from the SOC should be dealt with with utmost priority. Not a single alert should go unnoticed. Being slow or lazy while validating an alert like this could be crucial for you. So, make sure that the team is up to full speed.

Use accurate, precise, and fast forensic tools. Analyze the notification/alert thoroughly and find out exactly what it’s about. The alert alone will lead you to the affected device or the compromised endpoint.

Using a triage tool is highly recommended to verify the alert. Such tools are used for triage or quick scan of target endpoints to analyze the malicious activity. Triage tools have the capability of scanning many endpoints simultaneously.

It’s not always SOC that sends alerts and notifications your way. An alert can come from another system, an outside source, or an appliance. Once you have received the notification, confirm it and find out if you need to move further.

Phase Two - Enacting the Incident Response Plan

Suppose your triage results confirm that there’s a security breach in your system, a ransomware attack. Immediately get ready to put your incident response plan into practice. You aim to perform a root cause analysis, and for that, the most integral role comes to the forensics lab.

Whatever comes up after deep scanning the affected device or endpoints will be shared throughout the team. It’ll help the entire team to make informed decisions while doing their job.

Share the information and get in touch with your Cybersecurity services security teams, including Endpoint Security, Cloud, and Network. You need to do it as fast, every affected endpoint, device, network, and server needs to be isolated. 

Employee Who Triggered The Attack

While you connect with your Cyber security services teams, make sure to get in touch with the employee who triggered the attack. You’ll need to communicate with your Marketing or Public Relations teams to find out that employee. This is a very crucial step during the investigation. All relevant information is very valuable at this moment.

All the external teams, including your cybersecurity insurance provider, should be engaged as well. If the scope and size of the ransomware attack are big, you need to call in law enforcement. For instance, you should probably consider calling the FBI or Secret Service. See also: Who to report ransomware to?

Your incident response plan should have the potential to become a means of communication as well. It’s highly recommended that you have a single point of contact for a streamlined flow of focused work. It’s very likely that your cybersecurity insurance provider will present you with some requirements to keep the policy valid. Whatever the steps are included in these requirements, make sure that they are built in your Incident Response Plan.

The next three phases are all about countering the ransomware attack. Take a look.

Phase Three - The Root Cause Analysis and Protecting the Evidence

Once you are done with the first two phases, you need to ask yourself this series of questions. Getting answers to these questions will help you move forward with your incident response plan.

  • What caused the security breach? How did our system get hit?
  • How many endpoints are compromised from the ransomware attack?
  • What did we lose? Which type of data was encrypted?
  • Was PII or any customer data stolen?
  • Is the attack over? Are our systems secure now?

It will be the duty of the forensics lab to answer all these questions. Getting these answers will not be easy. There’s a high chance that affected endpoints are still encrypted. So, how can you gather the important digital evidence for ransomware forensics investigation? You should use the best ransomware forensic tools to perform the root cause analysis. Take a look.

How can I Preserve Digital Evidence for Ransomware Forensics Investigation?

As mentioned above, ransomware forensics is only helpful if the digital evidence is protected properly. Agencies need to have this evidence to investigate thoroughly. So, how can you preserve such evidence? Should your system be made that way before the attack? How do you ensure this? Protecting evidence against ransomware attacks can be a hassle. But don’t worry, with this easy-to-understand guide, it’ll be a piece of cake for you.

Right after the Ransomware Attack:

The first thing that comes to mind for most people is to shut down the affected device, but you should never do that. You’ll lose the most important data and evidence that can be used for investigating right at the beginning. So, never shut down your device.

Stop the Spread

To stop the attack from spreading, cut off all its connections. Whether it’s Wi-Fi, Bluetooth, or LAN. Detach any external devices (USBs, Hard Drives, etc.) connected to it. Usually, the virus spreads to your other devices through different networks and connections.

Use the forensic Toolkit Imager

This particular tool will help you in creating a forensically sound image. Create images of systems that have access to sensitive information using this tool. The recent snapshots and backups of the affected endpoint can be very helpful for investigation. Don’t forget to make an extra copy of the same image and save it in another safe place.

Preserve Records (Logfiles)

You need to save every log file on everything that is relevant. It can include VPN logs and firewall logs, or any other log that can be saved. Such log files should be grabbed as soon as possible as they don’t have a long lifespan. So, save them and preserve them as evidence before you lose them.

Create a Single Document Featuring Every Detail there is about the ransomware attack

Your document should include the following.

  • Extension of each encrypted (lost) file.
  • Timing of the attack. It should be approximately correct. Add date and time.
  • The attacker leaves a note or a readme file. Make sure to add the file naming scheme for the said ransomware note.
  • Name of the Ransomware Variant. (Only if possible).
  • The most important thing is to add a copy, an image of the ransom demand left by the miscellaneous person.
  • The culprits behind a ransomware attack leave with the email address or a link to stay in communication for further steps. Make sure to add that email to your document.
  • The attacker also leaves the payment methods. It can be a bitcoin address as well. Add whatever’s given to your document. Also, add the amount demanded by the attacker.

Phase Four - Inspecting Security Perimeter for Network Restoration

Restoring the Networks and getting the business fully operational again can take up to 10-15 days. The inactive days aren’t great for any business, and it’s a huge loss. So, you should start working on network restoration as soon as possible. Eliminate any cross-contamination. It’s time to get those isolated endpoints online again.

Next up, the forensics team will be responsible for inspecting the traces of the malware attack. They will make sure that any backdoors or IOCs are removed. The culprits behind the ransomware attack install backdoors to find their way back into your system. Thus, leaving your system vulnerable again. 

80% of the organizations get hit by ransomware attacks again. So, you have to make sure that you don’t leave your system unprotected and vulnerable. It’s very likely that you will find such backdoors placed in your active directory and in your email servers.

Make sure that you inspect your backups as well before you start restoring them. In most cases, ransomware attacks also affect backups. Your system is better off protected against ransomware attacks, but you can use this opportunity and update all your servers.

Phase Five - Generating Report

After successfully implementing the fourth phase, the infected endpoints are restored and safe. You have gotten rid of the ransomware infection from your systems and network. It’s time to generate a full-fledged report about the entire process, including the aspects of attack and investigation.

Reports are quite helpful in the future. Use this report and debrief your team, so they can learn valuable lessons from their mistakes. Doing this will assist your organization in preventing future ransomware attacks.

If you have followed this guide, you have documented each step throughout your incident response plan. This is where those documents will come in handy. Add those documents to report for future references.

Write everything plainly in your report, don’t be so technical. The resort is to go to each department of your organization. So, you have to make sure that every stakeholder is able to understand the report. It’s best if you arrange a group meeting and explain everything to each person according to their caliber of understanding.

What Should You Do Next?

Your incident response plan is very critical. If you follow all the steps mentioned above, you will end up with preserved evidence and a full restoration plan. If you need to, make sure you go through every step and follow this guide. Once you are done protecting your system and weak endpoints, it’s time to make your networks fully isolated to prevent this from happening again.

The guide above explains the whole anatomy of ransomware forensics from in and out. You have learned what it is, how it can be beneficial to you, and what you can do to make it fruitful. Keep in mind that it all depends on your incident response team and preserving the digital evidence properly. If you fail to protect evidence, a simple malware attack can turn into a huge loss.

That’s it from this guide, and we hope that you never have to perform this type of investigation ever again. But we highly recommend being prepared with the right set of tools before every situation.


Share this

Related Articles

Learn the Three Rules of HIPAA: Essential Guidelines for Security and Privacy

Cybersecurity experts show how you can delete your private information from internet platforms

Live Nation reveals data breach at its Ticketmaster subsidiary