Ransomware Response Guideline, Digital Forensics and Incident Response Unit

As the name implies, ransomware is digital extortion carried out by software that uses encryption to lock files, or entire systems, away from their owner and holds them hostage until (in theory) a payment is made.

Once ransomware enters a system, it makes itself known by taking control, encrypting files or whole systems, and blocking user access until the payment demands, usually displayed in a warning message, are met. Unfortunately, there is no guarantee that the key needed to decrypt the files will be handed over after payment.

This malware typically enters opportunistically through drive-by downloads, email links, social network messages and malicious websites; more recently, ransomware has also been distributed by self-propagating worms and in targeted attacks. Like many Trojans, ransomware is disguised as a legitimate file; once it runs, the ransom note appears on screen, often threatening deletion or publication of the data if no payment is made. The result is often brand damage, costly lawsuits, or lost customer loyalty.

Attacks such as WannaCry, Petya (NotPetya) and Bad Rabbit made headlines in 2017. WannaCry alone spread to some 300,000 devices in over 150 countries in a single weekend and caused millions, perhaps even billions, of dollars in damage.

Ransomware Containment and Remediation

Detection
Ransomware can be detected in several ways; possible scenarios are:

  • Endpoint security software detection – antivirus or, preferably, a stronger EDR solution
  • Threat intelligence detection – solutions that scan systems and networks for Indicators of Compromise (IoCs), DNS protection services such as OpenDNS (now Cisco Umbrella) and similar, and detection of lateral-movement behaviour in network traffic
  • SIEM or log reviews – ransomware execution is often detected during log analysis…
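The threat intelligence and SIEM/log review scenarios above both come down to running detection logic over event data. The script below is an added example written for this guideline, not tooling from the unit or from any product; it assumes a file/DNS event log with one JSON object per line (an assumed format, not a real product's schema) and shows three complementary checks: exact IoC matching on file hashes and DNS queries, a behavioural check for one process rewriting many files with a new extension in a short window, and a name heuristic for ransom notes. All hosts, process names, paths, hashes and domains in the sample log and the IoC feed are constructed placeholders.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical IoC feed. These values are constructed placeholders, not real indicators.
FAKE_HASH = "ab12" * 16
IOC_HASHES = {FAKE_HASH}
IOC_DOMAINS = {"payment-portal.example"}

# Heuristic: a newly created text/HTML file whose name talks about decrypting or recovering files.
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|ransom).*\.(txt|html|hta)$", re.I)


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def _ext(path):
    name = _basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_events(lines):
    """Parse one JSON event per line (assumed log format) and sort by timestamp."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def ioc_alerts(events):
    """Threat-intelligence style detection: exact match on file hash or DNS query."""
    alerts = []
    for ev in events:
        if ev.get("sha256") in IOC_HASHES:
            alerts.append(("ioc_hash", ev["host"], ev["proc"], ev["sha256"]))
        if ev.get("type") == "dns" and ev.get("query") in IOC_DOMAINS:
            alerts.append(("ioc_domain", ev["host"], ev["proc"], ev["query"]))
    return alerts


def mass_rewrite_alerts(events, threshold=10, window=timedelta(seconds=60)):
    """Behavioural detection: one process on one host changes the extension of at
    least `threshold` files within `window` (sliding window over time-sorted renames)."""
    renames = defaultdict(list)
    for ev in events:
        if ev.get("type") == "rename" and _ext(ev["old"]) != _ext(ev["new"]):
            renames[(ev["host"], ev["proc"])].append((ev["ts"], _ext(ev["new"])))
    alerts = []
    for (host, proc), hits in renames.items():
        best, best_exts, start = 0, set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best = end - start + 1
                best_exts = {e for _, e in hits[start:end + 1]}
        if best >= threshold:
            alerts.append(("mass_rewrite", host, proc, best, sorted(best_exts)))
    return alerts


def ransom_note_alerts(events):
    """Name heuristic for ransom notes dropped next to encrypted files."""
    return [("ransom_note", ev["host"], ev["proc"], ev["path"]) for ev in events
            if ev.get("type") == "create" and RANSOM_NOTE_RE.search(_basename(ev["path"]))]


def detect(lines):
    events = parse_events(lines)
    return ioc_alerts(events) + mass_rewrite_alerts(events) + ransom_note_alerts(events)


def _line(ts, host, proc, **fields):
    return json.dumps({"ts": ts, "host": host, "proc": proc, **fields})


# Constructed sample log: ordinary user activity on ws-07 and a ransomware run on ws-12.
SAMPLE_BENIGN = [
    _line("2024-03-01T09:58:00", "ws-07", "explorer.exe", type="rename",
          old=r"C:\Users\bob\report.doc", new=r"C:\Users\bob\report.docx"),
    _line("2024-03-01T09:58:05", "ws-07", "notepad.exe", type="create", path=r"C:\Users\bob\notes.txt"),
    _line("2024-03-01T09:58:07", "ws-07", "svchost.exe", type="dns", query="updates.example"),
    _line("2024-03-01T09:58:09", "ws-07", "explorer.exe", type="exec", path=r"C:\Tools\7z.exe", sha256="11" * 32),
]
SAMPLE_MALICIOUS = [
    _line("2024-03-01T10:00:00", "ws-12", "svc.exe", type="exec", path=r"C:\Users\alice\AppData\svc.exe", sha256=FAKE_HASH),
] + [
    _line(f"2024-03-01T10:00:{1 + i:02d}", "ws-12", "svc.exe", type="rename",
          old=fr"C:\Users\alice\Documents\file{i}.docx", new=fr"C:\Users\alice\Documents\file{i}.docx.locked")
    for i in range(12)
] + [
    _line("2024-03-01T10:00:15", "ws-12", "svc.exe", type="create", path=r"C:\Users\alice\Documents\HOW_TO_DECRYPT_FILES.txt"),
    _line("2024-03-01T10:00:16", "ws-12", "svc.exe", type="dns", query="payment-portal.example"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_BENIGN + SAMPLE_MALICIOUS):
        print(alert)
```

The IoC checks are exact and cheap but only catch known samples and infrastructure; the rename-burst check is what catches a new variant, at the cost of tuning `threshold` and `window` against legitimate bulk operations such as backup or archiving jobs; the note heuristic is deliberately loose and will flag a benign "recovery_notes.txt", so treat it as corroboration rather than a stand-alone alert.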