You’ve been hit by a ransomware attack. Most of us are familiar with what happens after a typical crime is committed: crime scene tape goes up, the evidence is preserved and collected, and the investigation begins. But the process of containing and investigating a cyber crime is a lot less cut and dried, and you’re probably wondering: how can I preserve digital evidence for ransomware forensics?
What is ransomware forensics?
Ransomware forensics is a type of digital forensic service that can help you discover and understand the actions taken while the cyber criminal was in your network. This can give you insight into how to effectively respond.
At Proven Data, we have assisted thousands of ransomware victims with recovering from ransomware. Additionally, our digital forensics experts have uncovered crucial information about ransomware attacks, including:
- Tools and methods used to launch the attack
- Vulnerabilities exploited by attackers to gain access into the network
- List of networks, systems, files, and applications affected
- List of sensitive files and folders accessed or removed from the network
This all seems like very useful information, right? But what if you are unable to determine all of the above because the evidence was not properly collected? That’s why we are here to help you understand the importance of ransomware forensics and evidence preservation.
By the end of this blog, you will:
- Discover how a ransomware forensic investigation is a crucial step to recovering from an attack
- Know the immediate steps to take to preserve evidence after a ransomware attack
- Understand the next steps to take to recover from the ransomware incident
How is ransomware forensics beneficial to me?
Below, you will find a breakdown of how preserving and analyzing evidence with a ransomware forensics investigation should be a part of ransomware incident response activities.
Learn how the attack happened and how to prevent repeat attacks
A ransomware forensic investigation is crucial to find out how the threat actor gained access to your network.
Common ransomware attack methods include:
- Exploiting unsecured RDP ports
- Brute forcing or dictionary attacks of weak passwords
- Sending phishing emails with malicious links or attachments
- Utilizing exploit kits to target known operating system vulnerabilities
- Gaining unauthorized access via out of date, unpatched software, servers, or firewalls
If you do not determine the specific gap in your cyber security protection that was exploited, you will be targeted again by ransomware. Arming yourself with knowledge of how the attack occurred can enable you to implement proactive cyber security to prevent a ransomware attack from happening again.
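One way a forensic examiner narrows down the initial-access vector is to look for the pattern behind two of the methods listed above, password guessing against an exposed remote-access service followed by a successful logon from the same source. The script below is an added example, not Proven Data's tooling or code from this page. It assumes a constructed, simplified log format (`<time> <RESULT> user=<account> src=<ip> logon_type=<n>`, with logon type 10 standing for a remote interactive session as in Windows Security events 4624/4625); the sample lines are constructed and use documentation address space.

```python
"""Flag sources that fail many remote logons and then succeed shortly afterwards.

Added example (not the page's or Proven Data's code). The log format is a constructed
simplification: <ISO-8601 time> <FAIL|SUCCESS> user=<account> src=<ip> logon_type=<n>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_INTERACTIVE = 10  # logon type for RDP-style sessions in Windows logon events

# Constructed sample: one external source guesses several accounts over RDP and then
# gets in; an internal user fat-fingers a password once at a console logon.
SAMPLE_LOG = """\
2024-03-02T01:12:03Z FAIL user=administrator src=203.0.113.45 logon_type=10
2024-03-02T01:12:05Z FAIL user=administrator src=203.0.113.45 logon_type=10
2024-03-02T01:12:07Z FAIL user=admin src=203.0.113.45 logon_type=10
2024-03-02T01:12:09Z FAIL user=administrator src=203.0.113.45 logon_type=10
2024-03-02T01:12:11Z FAIL user=backup src=203.0.113.45 logon_type=10
2024-03-02T01:12:13Z FAIL user=administrator src=203.0.113.45 logon_type=10
2024-03-02T01:20:41Z SUCCESS user=administrator src=203.0.113.45 logon_type=10
2024-03-02T08:00:00Z SUCCESS user=jsmith src=10.0.0.21 logon_type=2
2024-03-02T08:03:12Z FAIL user=jsmith src=10.0.0.21 logon_type=2
2024-03-02T08:03:20Z SUCCESS user=jsmith src=10.0.0.21 logon_type=2
"""


def parse_line(line):
    """Turn one log line into a dict with a real datetime and an int logon type."""
    ts, result, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "user": fields["user"],
        "src": fields["src"],
        "logon_type": int(fields["logon_type"]),
    }


def find_guessing_then_success(lines, min_failures=5, window=timedelta(minutes=30)):
    """Return one finding per source IP that produced at least `min_failures` remote
    logon failures and then a remote success within `window` of the first failure.

    Only remote interactive logons are considered, so local typos (logon type 2) are
    ignored even when they come from the same host."""
    by_src = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = parse_line(raw)
        if event["logon_type"] == REMOTE_INTERACTIVE:
            by_src[event["src"]].append(event)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        failures = [e for e in events if e["result"] == "FAIL"]
        if len(failures) < min_failures:
            continue
        first = failures[0]["time"]
        for event in events:
            if event["result"] == "SUCCESS" and first <= event["time"] <= first + window:
                findings.append({
                    "src": src,
                    "failures": len(failures),
                    "accounts_tried": sorted({f["user"] for f in failures}),
                    "first_failure": first.isoformat(),
                    "success_at": event["time"].isoformat(),
                    "account": event["user"],
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_guessing_then_success(SAMPLE_LOG.splitlines()):
        print(finding)
```

The output names the source, the accounts that were guessed and the account that finally worked, which is exactly the gap (an exposed remote-access port plus a weak password) that the rest of the investigation needs to confirm and the remediation needs to close. Real logs need a parser for their own format; the threshold and window are tuning knobs, not fixed rules.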
Find out if your data was compromised or stolen
Depending on the type of data your organization stores, a cyber criminal’s actions during a ransomware attack could critically compromise sensitive data and result in legal consequences for your organization.
If your organization stores data protected under privacy laws, you must determine what happened during the attack and discover how/if the data was compromised.
Data exfiltration resulting from a ransomware attack is particularly dangerous as attackers increasingly target healthcare facilities and other critical infrastructure. These organizations store personally identifiable information (PII), protected health information (PHI), and other data that is protected under privacy laws.
The U.S. Department of Health & Human Services (HHS) released a fact sheet regarding its stance on ransomware and HIPAA regulations in 2018. A breach under the HIPAA rules is defined as “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”
Per the HHS, a ransomware attack is considered a breach unless the entity can demonstrate a low probability of compromise of the PHI. See the HIPAA Breach Notification Rule for more information.
A ransomware forensics investigation can help you establish a low probability of data compromise and provide proper preservation of digital evidence necessary in legal cases.
Healthcare facilities and critical infrastructure are not the only ones at risk. The data exfiltration trend has been picked up by over 19 ransomware variants to date. In other words, more ransomware attackers are removing sensitive data from the affected network as well as encrypting the data.
Improve chances of ransomware recovery if a decrypter is released or developed in the future
While there is never any guarantee that decryption keys will eventually be released or developed for the ransomware strain that infected your network, preserving ransomware-encrypted files can ensure your data at least has a chance of being decrypted in the future.
Ransomware groups sometimes cease operations and release decryption keys, as demonstrated when the Shade ransomware gang released 750,000 decryption keys in April 2020.
Unfortunately, many ransomware victims who are unable to find a method of recovery for their files fail to preserve evidence of the attack and the data that was encrypted, eliminating any opportunity to recover lost data through a decryption key that is released or developed down the road.
Help law enforcement agencies identify and investigate the attackers
A forensic investigation can provide information necessary to report a ransomware attack to your respective law enforcement agency. This information includes IP addresses, digital currency wallet addresses, threat actor email addresses, and the attack vectors exploited to carry out the ransomware attack.
Additionally, a forensic investigation can attempt to geolocate the unauthorized account logins and map them to determine where the attack originated: critical information authorities can use to track, investigate and prosecute the perpetrators of the attack.
The information provided by a ransomware forensics report can help authorities identify ransomware attack patterns and bolster law enforcement investigations and prosecutions of the perpetrator of the attack. In addition, the indicators of compromise are typically shared through publicly accessible alerts to help the cyber community prevent future attacks.
Reporting a ransomware attack should always be a part of your incident response plan. Reporting an attack can help mitigate sanctions compliance violations if you have exhausted all ransomware recovery options and are considering paying the ransom.
How do I preserve forensic evidence of a ransomware attack?
Now that you understand why preserving evidence and investigating a ransomware incident is important, how do you ensure the affected systems are able to be preserved and analyzed?
Immediately after being hit by a ransomware attack:
- Do not shut down your affected device – shutting down your device may erase critical forensic artifacts pertinent to the forensic investigation.
- Disconnect the affected device – immediately disconnect any network, Wi-Fi or Bluetooth connection and remove any USB or external hard drives that are connected to the affected machine to stop the infection from spreading.
- Create a forensically sound image – As soon as possible, create a forensically sound image of any systems which have access to sensitive data, using forensic imaging software such as FTK Imager and writing the image to an external hard drive.
- Create a second copy of the forensic images – saving an extra copy of the forensic images in a safe place is advised.
- Preserve logs – save firewall logs, VPN logs, and any other logs which can be saved within the environment. These logs may have a short lifespan, so grabbing them in a timely manner is important.
- Document all information pertaining to the ransomware attack – this includes:
  - Photo or copy of the ransom demand note/splash screen
  - Ransomware variant name, if known
  - The file extension of encrypted files
  - The approximate date and time of the attack
  - The file naming scheme for the ransom note/readme file left by the attacker
  - Any email addresses, URLs, or other contact method provided by the attacker for communications
  - Required payment method/bitcoin addresses provided by the attacker
  - Ransom amount demanded, if known
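The log preservation, second-copy and documentation steps above come down to three habits: hash everything you collect, prove the backup copy matches, and pull the checklist details out of the ransom note and the encrypted files before anything changes. The script below is an added example, not Proven Data's tooling or code from this page. It works on ordinary files (a disk image written by FTK Imager or another imager can be hashed and copied with the same functions), and every input it builds in `build_sample()` is constructed for the demonstration. The manifest format, the index-prefixed evidence file names and the extraction patterns are this example's own conventions, not an industry standard.

```python
"""Preserve logs with a hashed manifest, verify a second copy, and document the incident.

Added example (not the page's or Proven Data's code). Sample inputs are constructed.
"""
import hashlib
import json
import re
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sha256_file(path):
    """Stream the file through SHA-256 so large images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir):
    """Copy each source into evidence_dir and record original path, size, SHA-256 and
    collection time in manifest.json. copy2 keeps mtimes, which matter for timelines."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for i, src in enumerate(map(Path, sources)):
        dest = evidence_dir / f"{i:03d}_{src.name}"  # index prefix avoids name collisions
        shutil.copy2(src, dest)
        entries.append({
            "original_path": str(src.resolve()),
            "evidence_file": dest.name,
            "size": dest.stat().st_size,
            "sha256": sha256_file(dest),
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"entries": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def duplicate_and_verify(evidence_dir, second_dir):
    """Make the second copy and prove it is bit-identical by re-hashing it against the manifest."""
    shutil.copytree(evidence_dir, second_dir)
    second_dir = Path(second_dir)
    manifest = json.loads((second_dir / "manifest.json").read_text())
    return all(sha256_file(second_dir / e["evidence_file"]) == e["sha256"]
               for e in manifest["entries"])


def document_incident(note_path, encrypted_dir):
    """Extract the checklist details: note name and hash, contact addresses, the encrypted
    file extension and count, and the earliest encrypted-file mtime as a rough attack time."""
    note_path = Path(note_path).resolve()
    text = note_path.read_text(errors="replace")
    encrypted = [p for p in Path(encrypted_dir).rglob("*")
                 if p.is_file() and p.resolve() != note_path]
    ext_counts = Counter(p.suffix for p in encrypted)
    extension, count = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
    earliest = min((p.stat().st_mtime for p in encrypted), default=None)
    return {
        "note_filename": note_path.name,
        "note_sha256": sha256_file(note_path),
        "contact_emails": sorted(set(EMAIL_RE.findall(text))),
        "urls": sorted(set(URL_RE.findall(text))),
        "encrypted_extension": extension,
        "encrypted_file_count": count,
        "earliest_encrypted_mtime": (datetime.fromtimestamp(earliest, timezone.utc).isoformat()
                                     if earliest is not None else None),
    }


def build_sample(workdir):
    """Constructed incident: two short logs, three encrypted files and a ransom note."""
    workdir = Path(workdir)
    logs, share = workdir / "logs", workdir / "share"
    logs.mkdir(parents=True)
    share.mkdir()
    (logs / "firewall.log").write_text("2024-03-02T01:11:58Z ALLOW 203.0.113.45 -> 10.0.0.5:3389\n")
    (logs / "vpn.log").write_text("2024-03-02T01:30:02Z login user=svc_backup src=203.0.113.45\n")
    for name in ("q1.xlsx.locked", "budget.docx.locked", "notes.txt.locked"):
        (share / name).write_bytes(b"\x00" * 16)
    note = share / "README_RESTORE.txt"
    note.write_text("Contact recover@example.com or https://pay.example.com/id/123 for the key.\n")
    return [logs / "firewall.log", logs / "vpn.log"], note, share


def run_demo():
    """Run all three steps in a temporary directory and return the results."""
    with tempfile.TemporaryDirectory() as d:
        sources, note, share = build_sample(d)
        manifest = preserve(sources, Path(d) / "evidence")
        verified = duplicate_and_verify(Path(d) / "evidence", Path(d) / "evidence_copy")
        details = document_incident(note, share)
    return len(manifest["entries"]), verified, details


if __name__ == "__main__":
    n, ok, det = run_demo()
    print(json.dumps({"files_preserved": n, "second_copy_verified": ok, "details": det}, indent=2))
```

The manifest is what turns a folder of copied files into evidence: each entry ties a hash and a collection time to the original path, so a later examiner (or a court) can show nothing changed between collection and analysis. Write the evidence and its second copy to separate external media, not to the affected machine.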
What next steps should I take to learn more about ransomware forensics?
Taking prompt action is critical when responding to a ransomware attack. Following the steps listed above will help you properly preserve evidence of the attack immediately after it occurs.
Pursuing a ransomware forensic investigation can take that evidence and uncover vital information regarding the threat actor’s actions during the attack and the probability of data compromise. Additionally, a ransomware forensic analysis can provide information on the anatomy of the ransomware attack and create a roadmap for how to secure your network to prevent future ransomware attacks.
At Proven Data, our forensics examiners are here to help you navigate the complicated process of understanding the scope of the ransomware incident through thorough investigation and comprehensive reporting.