Closing the door
While we have focused a lot on how to analyze the ransomware variant, we also need to ensure that we can close the door the attackers used so that we do not fall victim to the same approach again.
In the Quantum ransomware example I mentioned earlier, the primary attack vector tends to be phishing emails. However, what if we were hit by something else?
A timeline is an important tool for understanding the origin of an attack. When gathering evidence from user accounts and logs, it is important to create a timeline that traces the first events that may have indicated initial compromise. To do this, consider the primary methods of compromise and work backward to determine how the attack may have occurred:
- End user workstations
- Misconfigured servers that are publicly available
- A zero-day vulnerability on an external service
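As an added example (not from the original text), here is a small Python script that merges constructed mail-gateway, endpoint and authentication log lines into a single UTC timeline and walks backward from the ransomware detection event to the earliest related activity. The log formats, hostnames, usernames and timestamps are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample records from three log sources (hypothetical data, not from the page).
# Each source stamps time differently; everything is normalized to UTC before sorting.
MAIL_GATEWAY = ["2024-03-04T08:55:10+02:00 rcpt=jdoe subject=Invoice_4471 attachment=invoice.zip"]
ENDPOINT = [  # assumed to log in UTC
    "2024-03-04 07:02:31 host=WS-017 user=jdoe event=process_start image=winword.exe",
    "2024-03-04 07:03:05 host=WS-017 user=jdoe event=process_start image=cmd.exe parent=winword.exe",
    "2024-03-05 22:41:00 host=WS-017 user=jdoe event=ransom_note_written path=README.txt",
]
AUTH = ["Mar  4 07:40:12 dc01 sshd: Accepted password for jdoe from 10.0.5.17"]  # syslog, no year
INCIDENT_YEAR = 2024  # syslog lines carry no year; supplied from the incident context

KV = re.compile(r"(\w+)=(\S+)")  # parses key=value fields

def parse_mail(line):
    ts, rest = line.split(" ", 1)
    t = datetime.fromisoformat(ts).astimezone(timezone.utc)  # honours the +02:00 offset
    f = dict(KV.findall(rest))
    return {"time": t, "source": "mail", "host": None, "user": f.get("rcpt"), "detail": rest}

def parse_endpoint(line):
    t = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    f = dict(KV.findall(line[20:]))
    return {"time": t, "source": "endpoint", "host": f.get("host"), "user": f.get("user"), "detail": line[20:]}

def parse_auth(line):
    t = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=INCIDENT_YEAR, tzinfo=timezone.utc)
    m = re.search(r"for (\S+) from", line)
    return {"time": t, "source": "auth", "host": line.split()[3], "user": m.group(1) if m else None, "detail": line[16:]}

def build_timeline():
    """Merge all sources into one list ordered by normalized UTC time."""
    events = [parse_mail(l) for l in MAIL_GATEWAY]
    events += [parse_endpoint(l) for l in ENDPOINT]
    events += [parse_auth(l) for l in AUTH]
    return sorted(events, key=lambda e: e["time"])

def trace_back(timeline, marker="ransom_note_written"):
    """Locate the detection event, then keep every earlier event that touches the same
    user or host. The list is chronological, so its first entry is the earliest lead
    on how the initial compromise may have occurred."""
    idx = next(i for i, e in enumerate(timeline) if marker in e["detail"])
    hit = timeline[idx]
    return [e for e in timeline[:idx]
            if e["user"] == hit["user"] or (e["host"] and e["host"] == hit["host"])]

if __name__ == "__main__":
    for e in trace_back(build_timeline()):
        print(e["time"].isoformat(), e["source"], e["detail"])
```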
If the initial compromise occurred through a phishing email sent to an end user, it is important to determine...