Ransomware cases are everywhere and Cyber Triage users are more frequently responding to them. Recent Cyber Triage releases (3.0.1 and 3.0.2) have been adding ransomware-specific DFIR features and this video from Brian Carrier covers them.
Investigating Ransomware
At the end of the day, incident response for a ransomware attack is a lot like investigating other types of attacks. All attacks ultimately go through a standard set of phases:
- Obtaining initial access to a network.
- Installing some form of persistence for future access.
- Performing reconnaissance to find the systems and data relevant to the attacker's goal.
- Undertaking their ultimate goal, which varies by group: it could be to monitor, steal data, or encrypt data.
Ransom Note Detection
Cyber Triage uses two digital forensics techniques to identify ransomware notes:
- A list of common ransomware note names.
- A heuristic that looks for many files with the same name and size spread across the file system. This catches notes with unique names as well as notes with very common names (such as readme.txt).
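The two techniques above, written out as an added example (this is not Cyber Triage's code). The watchlist is a short constructed sample, the sample directory tree is built in a temp folder, and the `min_copies` and `max_size` thresholds are assumptions a practitioner would tune for their environment:

```python
"""Added example: ransom note detection by name watchlist and by (name, size) clustering."""
import os
import tempfile
from collections import defaultdict

# Constructed sample watchlist; a production list is far longer.
KNOWN_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore-my-files.txt"}

# Constructed note body used to build the sample tree below.
NOTE_TEXT = b"All your files have been encrypted. See instructions.\n"


def find_ransom_notes(root, min_copies=5, max_size=64 * 1024):
    """Return (watchlist_hits, clusters).

    watchlist_hits: paths whose file name is on the known-note list.
    clusters: {(lower_name, size): [paths]} for small files that appear
              at least `min_copies` times with identical name and size,
              which is how a note dropped into every folder looks on disk.
    """
    by_name_size = defaultdict(list)
    watchlist_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
            if fname.lower() in KNOWN_NOTE_NAMES:
                watchlist_hits.append(path)
            # Notes are small text/HTML files; skip empty files and large ones
            # so that identical-size binaries do not pollute the clusters.
            if 0 < size <= max_size:
                by_name_size[(fname.lower(), size)].append(path)
    clusters = {k: v for k, v in by_name_size.items() if len(v) >= min_copies}
    return watchlist_hits, clusters


def build_sample_tree():
    """Constructed sample: a uniquely named note in six Documents folders,
    encrypted-looking files of differing sizes, and one readme.txt."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    for i in range(6):
        d = os.path.join(root, f"user{i}", "Documents")
        os.makedirs(d)
        with open(os.path.join(d, "z_unique_note_name.txt"), "wb") as f:
            f.write(NOTE_TEXT)
        with open(os.path.join(d, f"report{i}.docx.locked"), "wb") as f:
            f.write(os.urandom(100 + i))  # sizes differ, so these never cluster
    with open(os.path.join(root, "user0", "readme.txt"), "wb") as f:
        f.write(NOTE_TEXT)
    return root


if __name__ == "__main__":
    hits, clusters = find_ransom_notes(build_sample_tree())
    print("watchlist hits:", hits)
    for (name, size), paths in clusters.items():
        print(f"cluster {name} ({size} bytes) in {len(paths)} locations")
```

Expect an analyst to review clusters by hand: common OS artifacts such as desktop.ini or Thumbs.db will also cluster by name and size, so an allowlist of known benign names is the usual next step.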
Encrypted Database Detection
Cyber Triage will now look for encrypted versions of key files, such as browser databases, as it is collecting from the target system.
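One way to perform that check, as an added example rather than Cyber Triage's own implementation: confirm that each key database still carries the SQLite file header, and when it does not, use byte entropy to tell an encrypted copy from a merely damaged one. The list of browser database names and the entropy threshold are assumptions, and the sample profile directory (a real SQLite file plus a random-byte stand-in for an encrypted copy) is constructed in a temp folder:

```python
"""Added example: detect encrypted copies of key SQLite databases (e.g. browser stores)."""
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database
# Illustrative database names from Chromium and Firefox profiles (assumed list).
KEY_DB_NAMES = {"History", "Cookies", "Login Data", "places.sqlite", "cookies.sqlite"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0 (assumed cut-off)
SAMPLE_BYTES = 4096      # only the head of the file is needed for both checks


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_db(path: str) -> str:
    """'intact' if the SQLite header is present, 'likely_encrypted' if the
    header is gone and the content is high-entropy, else 'damaged_plaintext'."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head.startswith(SQLITE_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely_encrypted"
    return "damaged_plaintext"


def matches_key_db(fname: str):
    """Match 'History' as well as 'History.locked' (an appended ransomware extension)."""
    for name in KEY_DB_NAMES:
        if fname == name or fname.startswith(name + "."):
            return name
    return None


def scan_profile(root: str) -> dict:
    """Walk a profile directory and classify every file that is a key database
    or an extension-renamed copy of one; unrelated files are ignored."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if matches_key_db(fname):
                findings[fname] = classify_db(os.path.join(dirpath, fname))
    return findings


def build_sample_profile() -> str:
    """Constructed sample profile: one real SQLite db, one random-byte file
    standing in for an encrypted copy, one plaintext-overwritten db, one decoy."""
    root = tempfile.mkdtemp(prefix="profile_demo_")
    con = sqlite3.connect(os.path.join(root, "History"))
    con.execute("CREATE TABLE urls (url TEXT)")
    con.execute("INSERT INTO urls VALUES ('https://example.com')")
    con.commit()
    con.close()
    with open(os.path.join(root, "Cookies.locked"), "wb") as f:
        f.write(os.urandom(SAMPLE_BYTES))  # stand-in for ciphertext, not real encryption
    with open(os.path.join(root, "Login Data"), "w") as f:
        f.write("not a database\n" * 50)
    with open(os.path.join(root, "prefs.js"), "w") as f:
        f.write("user_pref('x', 1);\n")
    return root


if __name__ == "__main__":
    for fname, verdict in scan_profile(build_sample_profile()).items():
        print(f"{fname}: {verdict}")
```

The header check is the decisive one; entropy only explains why the header is missing. Some ransomware families encrypt only the first part of each file, so reading the head rather than hashing the whole file is also what keeps this cheap enough to run during collection.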
Download the latest version from cybertriage.com for all your ransomware assessment and ransomware forensics needs.