You Were the Victim of Ransomware. Now What?

The first step is to establish some basic facts: who was the first to respond to the call, and what was visible at that moment? Ransomware is usually flashy and noisy; it wants to be seen. Without that record, and without the account details and an understanding of how the infection happened, an untrained user may simply pay the ransom.

Before answering these questions, though, the compromised perimeter has to be isolated. Any server or workstation suspected of infection should be disconnected from the network immediately so that it can be analyzed, with further action taken based on what that analysis shows.

Once the infected device is isolated and identified, the next path is to identify the type of ransomware. Today ransomware, and the exploits that deliver it, are sold openly on the Internet and in black markets. Pinning down exactly which family has hit your systems is crucial for choosing the cryptographic and security measures to apply in key applications, which reduces the chance that others fall victim to the same strain.

Carry out the quickest possible triage, covering the following:
- Identify the process that is consuming the most computing resources
- Look up that process in online repositories
- Identify the location where the process's image is hosted on disk and record it
- Kill the process (if you have the tooling, capture a memory image first: the keys and the command-and-control addresses live in RAM and are lost once the process dies)
- Look for changes in the operating system registry that can be linked to the malware; remember that most ransomware sets up some form of persistence, usually an autostart entry (a registry Run key, scheduled task or startup-folder item) so that it survives a reboot
- Write down everything that is done, with timestamps, for later forensic analysis
- Look for the ransom note, usually a text file dropped in each folder or a changed desktop background
- Isolate the malware binary and bring it into a controlled environment (sandbox)
- Submit the sample to multi-engine antivirus services such as VirusTotal; look up its hash first, since uploading the file itself exposes it publicly and may reveal internal data
- Submit the sample to services that analyze malware behavior. You can learn a lot at this stage, including where the ransomware obtains its cryptographic keys and which servers it communicates with
- Scan the machine at boot with a tool that removes malware already present. We recommend Kaspersky Rescue Disk, which can be downloaded for free from the manufacturer's website
- After the malware is removed, back up the files to a separate device that is off the network, in a controlled environment
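The checklist above as a runnable triage script. This is an added example written for this page, not the article's own tooling: it flags likely encrypted files and ransom notes in a directory tree, hashes a suspect binary so it can be looked up on VirusTotal by hash before anything is uploaded, and appends every action to a timestamped JSON-lines log for the forensic record. The directory layout, file names and the `updater.exe` "dropper" are constructed for the demo; the keyword list and the 7.5 bits-per-byte entropy threshold are heuristics, not signatures for any particular family.

```python
# Ransomware triage helper: added example, not code from the original article.
# Everything in build_sample_tree() is constructed demo data; the keyword list
# and the entropy threshold are heuristics, not signatures.
import hashlib
import json
import math
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Extensions commonly appended to encrypted files, and formats that are
# high-entropy by nature (so the entropy check does not flag them).
ENCRYPTED_EXTS = {".locked", ".encrypted", ".crypt", ".crypted", ".enc"}
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf", ".mp4", ".docx", ".xlsx"}
NOTE_KEYWORDS = ("decrypt", "your files", "bitcoin", "ransom", "private key", "tor browser", ".onion")
NOTE_NAME_HINT = re.compile(r"readme|how[_ -]?to|decrypt|recover|restore|help", re.I)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ransom_note_score(name: str, data: bytes) -> int:
    """Distinct ransom-note signals in name + body; 0 for non-UTF-8 files."""
    try:
        text = data.decode("utf-8").lower()
    except UnicodeDecodeError:
        return 0
    score = sum(1 for kw in NOTE_KEYWORDS if kw in text)
    return score + (1 if NOTE_NAME_HINT.search(name) else 0)

def log_action(log_path, action, **details):
    """Append one timestamped record: the 'write everything down' step."""
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "action": action, **details}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def sha256_file(path) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def vt_lookup_url(sha256_hex: str) -> str:
    """VirusTotal lookup by hash: check this before uploading the sample itself."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"

def scan_tree(root, log_path, entropy_threshold=7.5, note_max_bytes=16384):
    """Flag likely encrypted files and ransom notes under root; log each hit."""
    root = Path(root)
    findings = {"encrypted": [], "ransom_notes": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, data, ext = path.relative_to(root).as_posix(), path.read_bytes(), path.suffix.lower()
        entropy = shannon_entropy(data)
        if ext in ENCRYPTED_EXTS or (ext not in HIGH_ENTROPY_OK and len(data) >= 512 and entropy > entropy_threshold):
            findings["encrypted"].append(rel)
            log_action(log_path, "flag_encrypted", path=rel, entropy=round(entropy, 2))
        elif len(data) <= note_max_bytes and ransom_note_score(path.name, data) >= 2:
            findings["ransom_notes"].append(rel)
            log_action(log_path, "flag_ransom_note", path=rel)
    return findings

def build_sample_tree(root):
    """Constructed victim share for the demo (no real data, no real malware)."""
    root = Path(root)
    (root / "Finance").mkdir(parents=True)
    (root / "Temp").mkdir()
    noise = bytes(range(256)) * 16  # deterministic, exactly 8.0 bits/byte
    (root / "Finance" / "report.docx.locked").write_bytes(noise)  # renamed by the malware
    (root / "Finance" / "budget.csv").write_bytes(noise)  # overwritten in place, no rename
    (root / "Finance" / "photo.jpg").write_bytes(noise)  # legitimately high entropy, must not flag
    (root / "Finance" / "notes.txt").write_text("Q3 planning meeting at 10:00, room 4.\n")
    (root / "README.md").write_text("This project builds the quarterly report. Run make.\n")
    (root / "Finance" / "HOW_TO_RECOVER_FILES.txt").write_text(
        "Your files have been encrypted!\nTo decrypt them you must pay in bitcoin.\n"
        "Download the Tor Browser and open our page on .onion.\n")
    (root / "Temp" / "updater.exe").write_bytes(b"MZ" + b"\x00" * 510)  # hypothetical inert dropper
    return root

def demo():
    """Hash the suspect binary, scan the share, and return results plus the log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "victim_share")
        log_path = Path(tmp) / "triage_log.jsonl"
        digest = sha256_file(root / "Temp" / "updater.exe")
        log_action(log_path, "hash_suspect_binary", path="Temp/updater.exe",
                   sha256=digest, vt_lookup=vt_lookup_url(digest))
        findings = scan_tree(root, log_path)
        entries = [json.loads(line) for line in log_path.read_text().splitlines()]
    return {"sha256": digest, "vt_url": vt_lookup_url(digest), "findings": findings, "log_entries": entries}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. The entropy check catches files that were encrypted in place without a rename, which an extension list alone misses, but it must be paired with an allowlist of formats that are compressed by design; otherwise every JPEG and ZIP on the share becomes a false positive. The note detector requires at least two independent signals, so an ordinary project README (name hint only) is not reported while a real note, which typically names bitcoin, Tor and decryption together, scores well above the threshold.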