Ransomware Forensics

From Embedded Lab Vienna for IoT & Security
Revision as of 18:08, 2 January 2024

Introduction: Digital Forensics and Incident Response for Ransomware

Digital Forensics and Incident Response (DFIR) for ransomware covers the identification, investigation, and remediation of ransomware attacks. It entails collecting and analyzing digital evidence of the attack in order to establish the scope of the incident, contain it, and recover from it. Ransomware DFIR draws on a number of tools and techniques, such as forensic imaging, malware analysis, network analysis, and log analysis. The aim is to minimize the damage caused by ransomware incidents and to prevent them from recurring. DFIR consists of two distinct areas, digital forensics and incident response, which are treated in turn below.

Incident Response

Incident response for a ransomware attack involves the following six distinct phases:

  1. Preparation
    • Take precautions for a possible attack
    • Draw up an incident response and recovery plan
    • Design a strategy for data backup and restoration (keep at least one offline or immutable copy and test that restores actually work)
    • Prepare a list of contacts (internal/external), including police and insurance
  2. Identification - threat indicators of a ransomware attack
    • Users cannot access their files, files are corrupted, or files have been renamed and now carry unusual extensions (.xyz, .abc, .aaa, ...)
    • Burst of file modification and rename events in the logs
    • Anti-virus alerts
    • Connections to suspicious IP addresses
    • High CPU and disk usage on the infected computer (due to the encryption going on)
    • Ransom message being displayed, or ransom notes dropped into the affected folders
  3. Containment
    • Request anti-virus checks
    • Isolate possibly infected machines
    • Disconnect machines from the network to thwart data exfiltration and further spreading; prefer pulling the network cable over powering off, so that volatile memory is still available for forensics
  4. Eradication
    • Reformat the hard drive and reimage the machines
    • Install all operating system patches
  5. Recovery
    • Validate the restored system and verify that it is back to a normal state
    • Install anti-virus software and perform a full scan after updating the anti-virus signatures
    • Restore user files from the most recent clean backup
  6. Lessons learned documentation
    • How was the ransomware attack initially detected?
    • Prepare a timeline of the important events of the incident
    • Which actions were taken (primarily focusing on containment, eradication, recovery)?
    • What went right, what went wrong?
    • Sum up the incident cost
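The indicators listed under Identification can be checked mechanically against file-server or endpoint activity logs. The following is an added example and not code from the original page: it parses a constructed file-activity log and flags a burst of renames per user, the extension those renames append, and ransom notes that appear in several directories. The log format, the thresholds and the ransom-note keywords are assumptions made for the example.

```python
"""Ransomware indicator detection over a file-activity log.

Added example for the Identification phase; it is not code from the original
page. The log format is constructed for the example: one event per line,
"<ISO timestamp> <user> <op> <path>", where op is CREATE, MODIFY or RENAME and
RENAME lines carry "<old path> -> <new path>". Thresholds are assumptions and
should be tuned to the environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os
import re

# Constructed sample: normal editing in the morning, then a burst of renames
# to a new extension and a ransom note dropped into every touched folder.
SAMPLE_LOG = """\
2024-01-02T09:00:12 alice MODIFY /srv/share/finance/q4.xlsx
2024-01-02T09:14:05 alice CREATE /srv/share/finance/draft.docx
2024-01-02T10:31:00 alice RENAME /srv/share/finance/q4.xlsx -> /srv/share/finance/q4.xlsx.abc
2024-01-02T10:31:00 alice RENAME /srv/share/finance/draft.docx -> /srv/share/finance/draft.docx.abc
2024-01-02T10:31:01 alice RENAME /srv/share/hr/payroll.pdf -> /srv/share/hr/payroll.pdf.abc
2024-01-02T10:31:01 alice RENAME /srv/share/hr/contracts.zip -> /srv/share/hr/contracts.zip.abc
2024-01-02T10:31:02 alice CREATE /srv/share/finance/README_DECRYPT.txt
2024-01-02T10:31:02 alice CREATE /srv/share/hr/README_DECRYPT.txt
2024-01-02T10:31:03 alice RENAME /srv/share/it/inventory.csv -> /srv/share/it/inventory.csv.abc
2024-01-02T10:31:03 alice RENAME /srv/share/it/plan.pptx -> /srv/share/it/plan.pptx.abc
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (CREATE|MODIFY|RENAME) (.+)$")
# Words that typically appear in ransom-note file names (assumption).
RANSOM_NOTE_RE = re.compile(r"decrypt|restore|recover|readme|how_to", re.I)

WINDOW = timedelta(seconds=60)   # assumption: burst window
RENAME_THRESHOLD = 5             # assumption: renames per user per window


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip malformed lines rather than abort
        ts, user, op, rest = m.groups()
        if op == "RENAME" and "->" in rest:
            old, new = (p.strip() for p in rest.split("->", 1))
        else:
            old, new = None, rest.strip()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "op": op, "old": old, "new": new})
    return events


def appended_extension(old, new):
    """Extension a rename appended to the old name, or None if the stem changed."""
    if old and new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect_indicators(events):
    """Return rename bursts per user, appended-extension counts and ransom notes."""
    ext_counter = Counter()
    rename_times = defaultdict(list)
    note_dirs = defaultdict(set)

    for e in events:
        if e["op"] == "RENAME":
            ext = appended_extension(e["old"], e["new"])
            if ext:
                ext_counter[ext] += 1
            rename_times[e["user"]].append(e["ts"])
        elif e["op"] == "CREATE" and RANSOM_NOTE_RE.search(os.path.basename(e["new"])):
            note_dirs[os.path.basename(e["new"])].add(os.path.dirname(e["new"]))

    bursts = []
    for user, stamps in rename_times.items():
        stamps.sort()
        best, j = None, 0
        for i, t in enumerate(stamps):      # sliding window over sorted timestamps
            while stamps[j] < t - WINDOW:
                j += 1
            count = i - j + 1
            if count >= RENAME_THRESHOLD and (best is None or count > best["count"]):
                best = {"user": user, "start": stamps[j], "end": t, "count": count}
        if best:
            bursts.append(best)

    # The same note name in several directories is a stronger signal than a
    # single "readme" somewhere.
    notes = {name: len(dirs) for name, dirs in note_dirs.items() if len(dirs) >= 2}
    return {"rename_bursts": bursts, "appended_extensions": ext_counter,
            "ransom_notes": notes}


if __name__ == "__main__":
    findings = detect_indicators(parse_log(SAMPLE_LOG))
    for b in findings["rename_bursts"]:
        print(f"rename burst: {b['user']} renamed {b['count']} files "
              f"between {b['start']} and {b['end']}")
    print("appended extensions:", dict(findings["appended_extensions"]))
    print("ransom notes (name: directories):", findings["ransom_notes"])
```

The three signals reinforce each other: a single user renaming many files inside one minute, all renames appending the same unknown extension, and a note with the same name appearing in every touched directory. On a real file server the same logic runs over SMB audit or EDR file events, and the user and start time of the burst are the first pivot for containment (which account, which host) and for the timeline work in the forensics section.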

Digital Forensics

Ransomware forensics means securing and analysing artifacts after an attack has occurred in order to:

  • Find out what was destroyed, what the attack did to the system, and how far it spread through the environment
  • Identify the attackers
  • Secure evidence for a court case
  • Prevent another attack

Ransomware forensics does this by:

  • Identifying the kind of ransomware
    • Opportunistic ransomware: normally does not give the attacker interactive access to your network
    • Ransomware worms: can spread quickly through networks on their own
    • Targeted ransomware: deployed manually as part of a traditional intrusion, so the attacker has interactive access and the whole intrusion has to be investigated
  • Identifying the ransomware executable
    • Timeline analysis: looks for the creation of executables around the time the first encrypted files appear, or around the time of the initial compromise
    • Anti-virus signatures and Yara rules: alternative ways of finding the executable, applied to the disk image or to the candidates the timeline turned up
  • Identifying the initial compromise
    • Drive-by compromise: identification of exploits in temporary internet files, employing Yara rules and anti-virus signatures; review of the internet history
    • Exploits of publicly accessible applications: review web-server logs and application logs (depending upon the application); look for web shells and other indicators of post-compromise activity
    • Spear-phishing attachment: analyse the Outlook data files (.pst/.ost) and the attachments themselves; for webmail, review the browser's temporary files (Temporary Internet Files / cache); extract URLs from the messages and check whether they are malicious
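Timeline analysis as described under "Identifying the ransomware executable", as an added example that is not part of the original page: it takes a constructed file-system timeline, pivots on the earliest file carrying the ransomware extension, and lists executables created shortly before or after that point, flagging those in user-writable locations or carrying a well-known system-binary name outside System32. The timeline format, the window sizes and the location heuristics are assumptions made for the example.

```python
"""Timeline analysis: executables created around the first encrypted file.

Added example for the "Identifying the ransomware executable" step; it is not
code from the original page. The timeline is constructed for the example as
tab-separated lines of ISO timestamp, event type and path, the kind of data a
mactime/bodyfile export provides after conversion. Window sizes and the
"suspicious location" heuristic are assumptions.
"""
from datetime import datetime, timedelta
import ntpath

# Constructed timeline: an old Office install, a downloaded archive, two
# dropped executables, then the encrypted files and a note.
TIMELINE = """\
2023-11-20T08:00:00\tCREATE\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2024-01-02T09:58:30\tCREATE\tC:\\Users\\alice\\Downloads\\invoice_4471.zip
2024-01-02T10:02:11\tCREATE\tC:\\Users\\alice\\AppData\\Local\\Temp\\invoice.pdf.exe
2024-01-02T10:02:40\tCREATE\tC:\\Users\\alice\\AppData\\Roaming\\svchost.exe
2024-01-02T10:03:05\tMODIFY\tC:\\Windows\\System32\\drivers\\etc\\hosts
2024-01-02T10:04:15\tCREATE\tC:\\Users\\alice\\Documents\\report.docx.abc
2024-01-02T10:04:16\tCREATE\tC:\\Users\\alice\\Documents\\budget.xlsx.abc
2024-01-02T10:04:20\tCREATE\tC:\\Users\\alice\\Documents\\README_DECRYPT.txt
2024-01-02T10:06:00\tCREATE\tC:\\Windows\\Temp\\cleanup.bat
2024-01-02T11:30:00\tCREATE\tC:\\Users\\alice\\AppData\\Local\\Temp\\setup_update.exe
"""

EXEC_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# Assumption: user-writable directories where droppers commonly land.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
# Names of legitimate Windows binaries that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def parse_timeline(text):
    """Parse the constructed tab-separated timeline into entry dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        ts, event, path = parts
        entries.append({"ts": datetime.fromisoformat(ts), "event": event, "path": path})
    return entries


def first_encrypted(entries, encrypted_ext):
    """Earliest creation of a file carrying the ransomware extension, or None."""
    hits = [e["ts"] for e in entries
            if e["event"] == "CREATE" and e["path"].lower().endswith(encrypted_ext.lower())]
    return min(hits) if hits else None


def executables_near(entries, pivot, before=timedelta(minutes=30), after=timedelta(minutes=5)):
    """Executables created in [pivot-before, pivot+after], nearest to the pivot first."""
    results = []
    for e in entries:
        name = ntpath.basename(e["path"])
        ext = ntpath.splitext(name)[1].lower()   # double extensions resolve to the last one
        if e["event"] != "CREATE" or ext not in EXEC_EXT:
            continue
        delta = (e["ts"] - pivot).total_seconds()
        if -before.total_seconds() <= delta <= after.total_seconds():
            lower = e["path"].lower()
            results.append({
                "name": name,
                "path": e["path"],
                "ts": e["ts"],
                "delta_seconds": int(delta),
                "suspicious_location": any(d in lower for d in SUSPICIOUS_DIRS),
                # a system binary name outside \Windows\System32 is masquerading
                "masquerade": name.lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in lower,
            })
    results.sort(key=lambda r: abs(r["delta_seconds"]))
    return results


if __name__ == "__main__":
    entries = parse_timeline(TIMELINE)
    pivot = first_encrypted(entries, ".abc")
    print("first encrypted file created at", pivot)
    for r in executables_near(entries, pivot):
        flags = [f for f in ("suspicious_location", "masquerade") if r[f]]
        print(f"{r['delta_seconds']:+6d}s  {r['path']}  {' '.join(flags)}")
```

The candidates this produces (here a fake svchost.exe in the roaming profile, a batch file in Windows\Temp and an invoice.pdf.exe in the user's Temp folder) are what gets hashed and run against anti-virus signatures and Yara rules in the next step; the downloaded archive just before them is the lead for the initial-compromise investigation. A real timeline also carries modification and access times, which should be included because many ransomware families delete their executable after encryption and only the MFT or prefetch records remain.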

Ransomware Memory Forensics

Analysis of a WannaCry-Infected Memory Dump with Volatility
