Difference between revisions of "Ransomware Forensics"
Jump to navigation
Jump to search
| Line 8: | Line 8: | ||
# Preparation | # Preparation | ||
#* Take precautions for a possible attack | #* Take precautions for a possible attack | ||
#* Draw up an incident recovery plan | #* Draw up an incident recovery plan | ||
#* Design a strategy for data backup and restoration | #* Design a strategy for data backup and restoration | ||
#* Prepare a list of contacts (internal/external), including police, and insurance | #* Prepare a list of contacts (internal/external), including police, and insurance | ||
# Identification - threat indicators of a ransomware attack | # Identification - threat indicators of a ransomware attack | ||
#* Users cannot access their files, files are corrupted, or files have been replaced and now show strange file extensions (.xyz, .abc, .aaa, ...) | #* Users cannot access their files, files are corrupted, or files have been replaced and now show strange file extensions (.xyz, .abc, .aaa, ...) | ||
#* Burst of file update logs | #* Burst of file update logs | ||
Revision as of 17:07, 2 January 2024
Introduction: Digital Forensics and Incident Response of Ransomware
Digital Forensics and Incident Response (DFIR) for ransomware focuses on the identification, investigation, and remediation of ransomware attacks. DFIR entails collecting and analyzing digital evidence of a ransomware attack to recognize the scope of the incident, keep it under control, and get over it. Ransomware DFIR includes a number of tools and techniques, such as forensic imaging, malware analysis, network analysis, and log analysis. The aim is to help minimizing the damage caused by ransomware incidents and prevent them from happening. DFIR consists of the two different areas digital forensics and incident response.
Incident Response
Incident response for a ransomware attack consists of the following distinctive phases:
- Preparation
- Take precautions for a possible attack
- Draw up an incident recovery plan
- Design a strategy for data backup and restoration
- Prepare a list of contacts (internal/external), including police, and insurance
- Identification - threat indicators of a ransomware attack
- Users cannot access their files, files are corrupted, or files have been replaced and now show strange file extensions (.xyz, .abc, .aaa, ...)
- Burst of file update logs
- Anti virus alerts
- Connections to suspicious IPs
- High CPU usage on the infected computer (due to encryption going on)
- Ransom message being displayed