Phase one – validating an alert
At this point, we have received the initial reports that systems are not working, and end users have stated that multiple machines are showing a ransomware note. You are also able to confirm that the same applies to some internal servers that have been checked.
Here are the steps involved:
- Check for known alerts in your security tools, whether SIEM, EDR or antivirus. If you see multiple alerts related to a compromise, your infrastructure has most likely been compromised for some time already: encryption is the final step of the attack, and the attackers deploy the encryption script only after they have gained access, moved laterally and, in most cases, exfiltrated data. If the SIEM/EDR services are only showing attempts at compromise, there might still be time to cut the attackers off by disabling outbound connectivity.
- Disable outbound internet connectivity from your infrastructure if possible. This ensures that attackers cannot continue exporting data they may have gained access to, and it also severs their command-and-control channel. This should be done regardless...
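The two steps above amount to a quick triage: classify the alerts you already have by how far along the attack chain they sit, then decide how much containment can still achieve. The following script is an added example, not code from the book or from any SIEM/EDR vendor. It assumes alerts carry a `host`, an `action` (`blocked` or `detected`) and a `tactic` field labelled with MITRE ATT&CK tactic names; the sample alert feed is constructed for illustration and is not real telemetry.

```python
"""Triage SIEM/EDR alerts to judge how far a ransomware intrusion has
progressed.  Added example: field names and the tactic-to-stage mapping
are assumptions modelled on the ATT&CK tactic labels most EDR and SIEM
products emit in some form."""
from collections import defaultdict

# Assumed mapping of ATT&CK tactics to intrusion stage.  Encryption
# ("impact") is the attackers' final step; every tactic before it means
# they are already inside and still depend on outbound connectivity.
PRE_COMPROMISE = {"initial-access"}
POST_COMPROMISE = {"execution", "persistence", "privilege-escalation",
                   "credential-access", "discovery", "lateral-movement",
                   "command-and-control", "exfiltration"}
FINAL_STAGE = {"impact"}


def classify_alert(alert):
    """Return 'attempt', 'intrusion', 'encryption' or 'ignore' for one alert."""
    tactic = alert.get("tactic", "").lower()
    blocked = alert.get("action", "").lower() == "blocked"
    if tactic in FINAL_STAGE:
        # A blocked encryptor still proves the attackers reached the host.
        return "intrusion" if blocked else "encryption"
    if tactic in POST_COMPROMISE:
        # Even a blocked lateral-movement attempt means a foothold exists.
        return "intrusion"
    if tactic in PRE_COMPROMISE:
        return "attempt"             # still at the perimeter
    return "ignore"                  # informational or unmapped alert


def triage(alerts):
    """Summarise a batch of alerts into a verdict plus the hosts per stage."""
    hosts = defaultdict(set)
    for alert in alerts:
        stage = classify_alert(alert)
        if stage != "ignore":
            hosts[stage].add(alert["host"])
    if hosts["encryption"]:
        verdict = "ENCRYPTION_STAGE"   # final step already executed
    elif hosts["intrusion"]:
        verdict = "ACTIVE_INTRUSION"   # inside, but encryption not yet seen
    elif hosts["attempt"]:
        verdict = "ATTEMPTS_ONLY"      # cutting outbound may still disconnect them
    else:
        verdict = "NO_SIGNAL"
    return {"verdict": verdict,
            "hosts": {k: sorted(v) for k, v in hosts.items()}}


# Constructed sample feed (not real telemetry): what a SIEM might hold on the
# morning the help desk reports ransom notes.
SAMPLE_ALERTS = [
    {"host": "web-01", "tactic": "initial-access", "action": "blocked",
     "title": "Exploit attempt against public web app"},
    {"host": "ws-117", "tactic": "credential-access", "action": "detected",
     "title": "LSASS memory read"},
    {"host": "dc-01", "tactic": "lateral-movement", "action": "detected",
     "title": "Remote service creation via SMB"},
    {"host": "file-01", "tactic": "exfiltration", "action": "detected",
     "title": "Large archive upload to cloud storage"},
    {"host": "ws-117", "tactic": "impact", "action": "detected",
     "title": "Mass file rename with unusual extension"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print("Verdict:", result["verdict"])
    for stage, names in result["hosts"].items():
        print(f"  {stage:>10}: {', '.join(names) or '-'}")
    print("Cut outbound connectivity now: yes (regardless of verdict)")
```

Whatever verdict the script returns, the outbound block from the second step still applies; the verdict only tells you whether it will disconnect the attackers before they reach the encryption step or merely stop further exfiltration after it.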