Ransomware Forensics
Introduction: Digital Forensics and Incident Response of Ransomware
Digital Forensics and Incident Response (DFIR) for ransomware focuses on the identification, investigation, and remediation of ransomware attacks. DFIR entails collecting and analyzing digital evidence of a ransomware attack to recognize the scope of the incident, keep it under control, and get over it. Ransomware DFIR includes a number of tools and techniques, such as forensic imaging, malware analysis, network analysis, and log analysis. The aim is to help minimizing the damage caused by ransomware incidents and prevent them from happening. DFIR consists of the two different areas digital forensics and incident response.
Incident Response
Incident response for a ransomware attack consists of the following distinctive phases:
- Preparation
- Take precautions for a possible attack
- Draw up an incident recovery plan
- Design a strategy for data backup and restoration
- Prepare a list of contacts (internal/external), including police, and insurance
- Identification - threat indicators of a ransomware attack
- Users cannot access their files, files are corrupted, or files have been replaced and now show strange file extensions (.xyz, .abc, .aaa, ...)
- Burst of file update logs
- Anti virus alerts
- Connections to suspicious IPs
- High CPU usage on the infected computer (due to encryption going on)
- Ransom message being displayed