Investigate and Recover From Ransomware Attacks With Digital Forensics

In the first quarter of 2021, the U.K. recorded three-times as many ransomware attacks than it did in all of 2019, according to the National Cyber Security Centre. Attack volumes on organizations have also increased globally, according to a Check Point report that recorded a 93% rise in the first half of 2021.

Cyber-criminals are becoming more aggressive with the volume of attacks, ransom demands and the extortion techniques they’re relying on. In the face of this growing threat, organizations must be ready to respond to ransomware attacks by investigating them with digital forensics. Here are four steps security teams with digital forensics strategies can take to assess the damage, stop the spread and facilitate recovery.

Isolate Infected Systems and Ensure Backups Are Secure

According to Comodo, the average time it takes for encryption to begin in a ransomware attack is three seconds. It’s crucial that security teams immediately isolate known impacted systems and ensure their backups and volume shadow copies have not been encrypted. The former will help them minimize the infection’s spread to a handful of systems in a best-case scenario. The latter is essential to recovery: if backups and volume shadow copies are secure, security teams can restore systems without paying a ransom.

Triage Impacted Systems

Large-scale enterprises may have thousands of devices linked to their systems when they’re under siege. Performing a full digital forensic analysis on each one individually would take months. Instead, analysts can begin their investigation of the attack by utilizing digital forensic triage solutions.

Here, analysts focus on scanning network connections, event logs, RAM and other volatile data. Doing so will quickly give them important insights into the attack that will shape the rest of the investigation. They’ll be able to pinpoint every endpoint a cyber-criminal infected in the attack and identify if malicious activity or data exfiltration occurred on them. For the first time, analysts will also have some insight into the attack’s tactics, techniques and procedures (TTPs). This should help them acquire another piece of valuable information for the next step of the investigation: the variant of ransomware. Any discovery of irregular activity on an endpoint will lead to a full forensic analysis being performed.

Perform a Full Disk Forensic Analysis

Analysts will perform a full disk forensic analysis on each impacted system to determine what data was accessed and what was done with it. Cyber-criminals are widely engaging in double extortion, where they encrypt, exfiltrate and threaten to leak data. For example, Group-IB recorded a 935% spike in the number of enterprises that saw data released to data leak sites in 2021. To be able to assess the impact of an attack, analysts will use digital forensics to build a timeline of events and trace a cyber-criminal’s activity in a system. There are multiple considerations at this stage: Did cyber-criminals gain admin access? Did they encrypt personal identifiable information? Did they exfiltrate intellectual property?

To begin, analysts will look to identify the centralized assets that were used to push the ransomware across the network. They’ll investigate the role each infected device played in the attack, whether it was used to gain entry, move laterally or exfiltrate data. Instead of physically collecting each device, analysts can use digital forensics to perform remote acquisitions of target endpoints, even when they’re not connected to the organization’s networks, and acquire full disk images, volatile memory, the most recent back-ups and system logs and log files. From there, the identity of the variant and its TTPs will guide them. Some variants, for example, may lead them to prioritize network connections, while others may require them to dive into scheduled tasks. In the end, they’ll have populated the entire cyber kill chain and have a full understanding of the attack.

Use the Results to Facilitate Recovery

With the investigation complete, security teams can use the results to begin recovery. They will want to begin by blocking outbound connections to the IP addresses linked to the attack. Next, they’ll want to perform a final digital forensic scan to ensure indicators of compromise are gone and that no backdoors were installed in preparation for a repeat attack. This is quite common, according to Cybereason, as more than 80% of ransomware victims who paid a ransom were hit by a second attack.

The cyber kill chain will also be central to recovery efforts. If security teams know exactly how an attack took place, they have the opportunity to learn from their mistakes. No defense is impenetrable, but if security teams can develop a better understanding of their weaknesses and work to patch them, they should be able to ensure that a future attack does not occur in the same fashion. 

What’s Hot on Infosecurity Magazine?