Ransomware Forensic Case Study

Ransomware Forensic Case Study by LIFARS

Ransomware is on the rise and is becoming a more prevalent means of attack that companies face. In addition to disrupting workflow, eroding clients’ trust, and causing general business disruption, it typically imposes many additional costs. The LIFARS Digital Forensics team has dealt with a number of ransomware cases in which the team identified, contained, and removed the threats from the environment. The team examines digital evidence and compromised systems for forensic artifacts of data exfiltration, including social security numbers, health records, or any other sensitive data. The LIFARS digital forensics team also leverages knowledge from previous cases to understand an attacker’s lateral movement through an enterprise based on the attacker’s tactics, techniques and procedures (TTPs).

This document is a case study on a global market investment and trading firm that was experiencing issues accessing documents on its file server. All the files on the server had been encrypted, and some had multiple layers of encryption. The severity of the case was due to multiple outbreaks having gone unnoticed. The LIFARS incident response team immediately identified the root of the problem: a newer variant of the XTBL ransomware, which LIFARS had responded to in a previous case.

In this case study, you will learn:

  • Challenges in dealing with a ransomware case
  • Different types of encryption: Symmetric encryption and Asymmetric encryption
  • How the LIFARS team detected the most advanced threats infecting the firm’s network
  • The result and the LIFARS team’s performance

For any questions, please contact our Digital Forensics team, or for advice on protecting your organization please contact LIFARS Incident Response team.