A ransomware incident represents the most critical threat to business operations, often resulting in severe financial damage and total infrastructure paralysis. Speed and methodical execution are paramount.
1. Immediate Triage and Containment (The Golden Hour)
The primary goal during the first 60 minutes is to stop the bleeding and assess the situation.
Confirm the Incident: Identify the indicators of compromise. Look for encrypted files, unusual file extensions (.medusa, .akira), ransom notes on desktops, and mass alerts from EDR or antivirus solutions.
Initial Containment (The “Red Button” Action):
Isolate Affected Hosts: Utilize the “Network Isolate” function of the EDR. If an EDR is unavailable, physically disconnect network cables or disable virtual network adapters.
Isolate Network Segments: If multiple machines within the same VLAN are impacted, coordinate with the network team to block ingress/egress traffic for this VLAN at the internal firewall level.
Rotate Critical Passwords IMMEDIATELY: Prioritize Domain Admin accounts and service accounts identified on compromised machines.
Secure Backups: Verify that backup servers are strictly offline or isolated and have not been compromised. They are the ultimate insurance policy.
Once containment is established, the focus shifts to understanding the threat actor’s identity and their initial access vector.
Identify the Ransomware Strain: Analyze the ransom note and the encrypted file extensions. Cross-reference these details with threat intelligence platforms (e.g., ID Ransomware). Identifying groups like Medusa or Akira immediately provides insights into their probable TTPs (Tactics, Techniques, and Procedures).
Identify Patient Zero and the Entry Vector: Begin with the first critical server that was encrypted.
Hunt the Upstream Pivot:
RDP/VPN Access: Analyze RDS and VPN logs for anomalous connections (e.g., unusual geolocations, impossible travel).
Phishing: Collaborate with the messaging team to hunt for suspicious emails containing macro-enabled documents or malicious links.
Vulnerability Exploitation: Verify the versions of perimeter devices (VPN gateways, firewalls) against known CVEs.
Map Lateral Movement: Determine how the attacker moved from Patient Zero to the rest of the network.
Analyze Event ID 4624 (Logon Type 3, network, and Logon Type 10, RemoteInteractive/RDP) on servers to trace network logons.
Hunt for traces of lateral movement tools like PsExec (Event ID 7045 for service installation) or execution via Windows Management Instrumentation (WMI).
Confirming whether data was exfiltrated is a strict requirement for GDPR and other regulatory notifications.
Network Telemetry
Analyze Firewall and Proxy logs for anomalous high-volume outbound traffic towards unknown destinations or cloud storage services (e.g., Mega, Dropbox).
Endpoint Artifacts
Check the System Resource Usage Monitor (SRUM) for processes with abnormally high Bytes Sent values. Hunt for execution traces of tools like rclone or megasync in Prefetch (.pf) files, Amcache, or Event ID 4688 logs.
Analyze the Payload: Safely acquire a sample of the ransomware binary. Perform basic static analysis (hashes, strings extraction) to quickly generate IOCs for the EDR.
Hunt for Backdoors (Persistence): Never assume the ransomware is the only artifact left behind. Hunt for classic persistence mechanisms: new malicious services (Event ID 7045), scheduled tasks (Event ID 4698), WMI event subscriptions, and newly created local/domain accounts (Event ID 4720).
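The lateral-movement tracing above (Event ID 4624, Logon Types 3 and 10) and the persistence hunt in this step, as an added Python example that is not part of the original article: it walks constructed, pre-normalized event records (the field names are an assumed export schema, not any product's real format), finds the earliest remote logon into Patient Zero, follows time-ordered network/RDP logons outward, and lists persistence events (7045, 4698, 4720) on the hosts reached.

```python
# Added example; EVENTS and its field names are constructed for this demo.
LATERAL_LOGON_TYPES = {3, 10}      # 3 = network, 10 = RemoteInteractive (RDP)
PERSISTENCE_IDS = {7045: "service installed",
                   4698: "scheduled task created",
                   4720: "user account created"}

# Constructed sample events: "host" logged the event, "src" is the logon origin, "t" orders events.
EVENTS = [
    {"id": 4624, "host": "FILESRV01", "logon_type": 10, "src": "VPN-GW", "user": "jdoe", "t": 1},
    {"id": 4624, "host": "FILESRV01", "logon_type": 2, "src": "-", "user": "jdoe", "t": 2},
    {"id": 4624, "host": "DC01", "logon_type": 3, "src": "FILESRV01", "user": "svc_backup", "t": 3},
    {"id": 7045, "host": "DC01", "service": "PSEXESVC", "t": 4},
    {"id": 4624, "host": "APP02", "logon_type": 3, "src": "DC01", "user": "svc_backup", "t": 5},
    {"id": 4698, "host": "APP02", "task": "Updater", "t": 6},
    {"id": 4624, "host": "HR01", "logon_type": 3, "src": "FILESRV01", "user": "jdoe", "t": 7},
    {"id": 4624, "host": "DEV05", "logon_type": 3, "src": "BUILD01", "user": "ci", "t": 8},
    {"id": 4720, "host": "DC01", "new_user": "support$", "t": 9},
]

def lateral_hops(events):
    """(src, dst, user, t) for every 4624 with a network or RDP logon type."""
    return [(e["src"], e["host"], e["user"], e["t"]) for e in events
            if e["id"] == 4624 and e["logon_type"] in LATERAL_LOGON_TYPES]

def entry_vector(events, patient_zero):
    """Earliest remote logon INTO Patient Zero: the upstream pivot to chase."""
    into = [h for h in lateral_hops(events) if h[1] == patient_zero]
    if not into:
        return None
    src, _, user, t = min(into, key=lambda h: h[3])
    return (src, user, t)

def movement_from(events, patient_zero):
    """Hosts reached from Patient Zero via time-ordered hops -> {host: (from, user, t)}."""
    reached = {patient_zero: (None, None, 0)}
    # Sorted by time, one pass suffices: a hop out of a host only counts after it was reached.
    for src, dst, user, t in sorted(lateral_hops(events), key=lambda h: h[3]):
        if src in reached and dst not in reached and t >= reached[src][2]:
            reached[dst] = (src, user, t)
    return reached

def persistence_on(events, hosts):
    """Persistence indicators (7045/4698/4720) logged on the given hosts."""
    return [(e["host"], e["id"], PERSISTENCE_IDS[e["id"]]) for e in events
            if e["id"] in PERSISTENCE_IDS and e["host"] in hosts]

if __name__ == "__main__":
    chain = movement_from(EVENTS, "FILESRV01")
    print(entry_vector(EVENTS, "FILESRV01"), chain, persistence_on(EVENTS, set(chain)))
```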
Eradication: Ensure all accounts utilized by the attacker have been reset or disabled. If a Golden Ticket attack is suspected, reset the krbtgt account password twice, allowing domain replication to complete between the two resets.
Rebuild, Do Not Clean: The only secure method to recover from a ransomware incident is to rebuild servers from clean, golden images rather than attempting to clean the malware from the infected OS.
Recovery: Restore data from verified and clean backups. Reconnect systems to the network in a phased approach, under heightened EDR surveillance.
Conduct a comprehensive post-mortem session to identify the root cause. Document the entire attack lifecycle in a formal incident report. Formulate strategic recommendations based on the lessons learned, such as enforcing MFA, improving network segmentation, and hardening patch management procedures.