Ransomware Incident Response and Forensics - Post Breach

Conducting a thorough forensics investigation post breach is critical to identifying the root cause and preventing future breaches. As we’ve seen, ransomware operators are known to execute repeat-ransomware attacks where they target the same victim twice using the knowledge they gained or the tools they left behind from the initial intrusion. Further, as outlined in our former analysis of the HelloKitty ransomware, ransomware operators often disappear and resurface with new branding, so it’s extremely important to understand how these attackers operate across all stages of the attack lifecycle to ensure future detections are investigated thoroughly before they escalate.

Below we’ve outlined some high-level guidance on investigating ransomware, post breach.

Kicking off a Ransomware Investigation
Generally it’s a good idea to switch off or hibernate the infected system. If you do so quickly, it’s possible that the ransomware hasn’t finished encrypting the files on disk. If it’s a Virtual Machine, take a snapshot.

Many ransomware variants encrypt files on network shares, or spread within networks. If you are unable to turn off the system, isolate the host from the network. You can do this remotely, or simply disconnect it from the network if you have physical access to the machine.

Understanding the Type of Ransomware You’re Dealing With
It’s important to identify if you are dealing with common opportunistic ransomware, or something more targeted as soon as possible. Historically, ransomware was deployed through malicious emails. These normally don’t provide the attacker with interactive access to your network. Today, more commonly seen in cloud environments, opportunistic ransomware includes worm-like functionalities that enable the attackers to spread through the network quickly.

Most of the ransomware that makes the news today, such as DarkSide, are deployed manually by an attacker as part of a classic intrusion. The attacker will then likely spread to multiple systems, and maintain access until they are removed.

You can identify the type of ransomware you’re dealing with by:

  • Researching the ransomware note using a search engine or uploading to ID ransomware;
  • Identifying the ransomware executable; and
  • Identifying the initial infection vector

Researching the Ransomware Note
Ransomware notes are normally easy to find, as the ransomware author wants you to find them. But you can also search for it by running keyword searches or yara rules for common phrases found in ransomware notes. This search may also yield the ransomware executable itself.

The ransomware note from DarkSide ransomware displayed in Cado Response

Identifying the Ransomware Executable
Normally the ransomware executable is easy to find using timeline analysis. Look for the creation of executables surrounding the first encrypted files, or the initial compromise. Alternatively, most ransomware is well detected by both Anti-Virus signatures and Yara rules.

The classic WannaCry executable shown in Cado Response

Identifying the Initial Compromise
Identifying the initial compromise is required to protect other systems that could be vulnerable too. You can do so by following the below steps:

  1. Identify how the ransomware was distributed within your environment. Typically this would have been initiated from a central management server such as a File Server or Domain Controller
  2. Identify the accounts and systems that were used by the ransomware threat actors to gain access to the end servers
  3. Follow the trail back and investigate all servers and workstations that were leveraged by the ransomware threat actors to identify patient0 and therefore, the method of exploitation the attackers used to gain initial access
  4. Examine the netflow/network traffic to identify signs of data exfiltration
  5. It’s also important to analyse the TTPs used at the initial point of entry so you can search for and prevent additional entry across your environment
  6. The attackers may have exploited a public facing web application. Depending on the application, you may have both web-server logs and application logs to review. Look for web-shells and other signs of post compromise.
  7. Today it’s very common for ransomware attacks to start with a malicious email. You can parse Outlook web archives (PST files) using forensic tools such as Encase or pffexport (included with SIFT). You can also review attachments if you have access to the mail system itself. Once extracted, attachments can be analysed using Yara and Anti-virus, or by hand.
  8. Lastly, you can also review Outlooks temporary archive, and Temporary Internet Files for web-mail. In addition to reviewing attachments, you may also want to extract any URLs from messages and check to see if they are malicious.

Once you have identified the initial access point, review event logs to identify any potential lateral movement from the infected system.

File Recovery
It’s critical that you have a sound backup and recovery process in place. With backups, it’s important to ensure you have true offline copies, as some attackers will target how your backup systems function. Further, some incremental backups rely on there being a known good state of a system, so it is important that you also consider if you need a full backup vs incremental. Depending on the variant of ransomware, it will normally overwrite original files, and look to delete volume shadow backups. As such, forensic recovery of files is usually met with limited success.

Ransomware in the Cloud
If the ransomware attack also targets cloud assets, Amazon GuardDuty does provide detection of well-known ransomware samples. For example, as you can see below, we executed DarkSide ransomware in our sandbox environment and it was successfully detected:

Amazon GuardDuty detections for DarkSide ransomware

As GuardDuty primarily operates at the network level, its detections are somewhat limited; however, these detections can often provide hints of where to look on the disk for more detailed information.

Outside of this, Amazon provides some additional guidance on how to prevent ransomware within AWS. And Microsoft, for mitigating ransomware within Azure.

Response and Remediation
If you’re dealing with manually-deployed ransomware, such as DarkSide, you will need to consider a number of steps in your response. Some useful references can be found here, and here.

If it’s an opportunistic attack, identify the initial method of intrusion and close all gaps. For example, if the initial infection was through an exploit kit, make sure your network is patched against the successful exploit.

To ensure timely recovery, it’s important that you have off-site data backups and have tested that you can successfully restore the data into a new environment. If this isn’t the case, consider how effective your backup strategies are and if they can be improved. In addition, any passwords or credentials used on the infected system should be considered compromised, and reset. Normally the infected system should be wiped and reinstalled after any data for an investigation has been captured. US-CERT provides additional guidance around responding to ransomware.

About Cado Security

Cado Security provides the first and only cloud-native digital forensics platform for enterprises. By automating data capture and processing across cloud and container environments, Cado Response enables security teams to efficiently investigate and respond to cyber incidents at cloud speed. Backed by Blossom Capital and Ten Eleven Ventures, Cado Security has offices in the United States and United Kingdom. For more information, please visit or follow us on Twitter @cadosecurity.

[1]According to the Australia Cyber Security Centre (ACSC), between 1 July 2019 and 30 June 2020, the ACSC responded to 2,266 cybersecurity incidents and received 59,806 cybercrime reports.