Phase three – understanding the attack vector and what to look for
Once we have identified which ransomware variant was used and determined how many systems and endpoints were affected by the attack, the next step is to work out how the attackers got in.
As an example, suppose we have established that we were compromised with Quantum ransomware, either by submitting the ransom note or an encrypted file to the ID Ransomware service or from evidence in the ransom text file found on a compromised machine. We then look at what is publicly available about that variant and the mechanisms it typically uses to gain initial access.
From that public information we learn that Quantum mostly uses phishing emails as its initial attack vector. If none of the users has reported a suspicious email, we then need to check whether we have any logs (mail gateway, endpoint or EDR telemetry) that indicate someone opened an attachment on their machine in the last 24 hours. The 24-hour window is only a starting point: if the ransom note timestamps or other evidence suggest the attackers were in the network for longer, the search window has to be widened accordingly.
This step is, of...
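The attachment-open check described above, as an added example that is not code from the original text. It works over Sysmon Event ID 1 (process creation) records exported as JSON lines and flags, within a lookback window ending at the ransom-note timestamp, document or script handlers launched directly by a mail client, files opened from the Outlook attachment cache, and Office applications spawning a shell or script interpreter (the usual sign of a macro firing, which goes slightly beyond the page's own check). The hosts, users, timestamps and paths in the sample records are constructed, the ransom-note time is an assumption, and the field names mirror Sysmon's ProcessCreate schema with only the fields used here kept.

```python
"""Triage exported process-creation events for email attachment opens (added example)."""
import json
from datetime import datetime, timedelta

# Constructed records: hosts, users, times and paths are invented for this example.
# Field names follow Sysmon's Event ID 1 (ProcessCreate) schema; unused fields are dropped.
SAMPLE_EVENTS = r"""
{"UtcTime": "2022-04-22 08:30:00.000", "Computer": "WS-0108", "User": "CORP\\pnair", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\pnair\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\7Q1ZP9LB\\Contract.doc\""}
{"UtcTime": "2022-04-25 09:12:33.117", "Computer": "WS-0417", "User": "CORP\\jsmith", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\K4J2RT1Q\\Invoice_2241.doc\""}
{"UtcTime": "2022-04-25 09:13:05.402", "Computer": "WS-0417", "User": "CORP\\jsmith", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c \"C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.bat\""}
{"UtcTime": "2022-04-25 10:40:12.009", "Computer": "WS-0212", "User": "CORP\\mlee", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\mlee\\Documents\\Q1-plan.docx\""}
{"UtcTime": "2022-04-25 11:02:48.771", "Computer": "WS-0305", "User": "CORP\\ahuang", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" \"C:\\Users\\ahuang\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\M2XD8A0C\\Payroll.xlsm\""}
"""

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "explorer.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Where Outlook places an attachment that is opened straight from the message.
ATTACHMENT_CACHE_MARKERS = ("\\content.outlook\\", "\\inetcache\\")


def basename(path):
    """Lower-cased file name of a Windows path, for comparison with the sets above."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(jsonl):
    """Parse JSON-lines export into dicts, adding a parsed '_time' for window checks."""
    events = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["_time"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(event)
    return events


def find_attachment_opens(events, note_time, lookback=timedelta(hours=24)):
    """Return suspicious events with UtcTime in [note_time - lookback, note_time], oldest first."""
    start = note_time - lookback
    findings = []
    for event in sorted(events, key=lambda e: e["_time"]):
        if not start <= event["_time"] <= note_time:
            continue
        image = basename(event["Image"])
        parent = basename(event["ParentImage"])
        cmdline = event.get("CommandLine", "").lower()
        reasons = []
        if parent in MAIL_CLIENTS and image in DOC_HANDLERS:
            reasons.append(f"{image} launched directly by mail client {parent}")
        if any(marker in cmdline for marker in ATTACHMENT_CACHE_MARKERS):
            reasons.append("file opened from the Outlook attachment cache")
        if parent in OFFICE_APPS and image in SHELLS:
            reasons.append(f"{parent} spawned {image} (possible macro execution)")
        if reasons:
            findings.append({"time": event["UtcTime"], "host": event["Computer"],
                             "user": event["User"], "image": image, "reasons": reasons})
    return findings


def triage(jsonl, note_time_utc, lookback_hours=24):
    """Wrapper: note_time_utc is 'YYYY-MM-DD HH:MM:SS', e.g. the ransom note's mtime (assumed)."""
    note_time = datetime.strptime(note_time_utc, "%Y-%m-%d %H:%M:%S")
    return find_attachment_opens(parse_events(jsonl), note_time, timedelta(hours=lookback_hours))


if __name__ == "__main__":
    # Assumed ransom-note timestamp; widening the window surfaces the older WS-0108 open.
    for hours in (24, 24 * 7):
        print(f"--- lookback {hours}h ---")
        for f in triage(SAMPLE_EVENTS, "2022-04-25 14:00:00", hours):
            print(f["time"], f["host"], f["user"], f["image"], "; ".join(f["reasons"]))
```

With the 24-hour window the script returns three findings on two hosts; widening to seven days adds the older open on WS-0108, which is the point of not treating the 24-hour window as fixed. Attachments that were saved to disk first and opened from a Downloads folder are not caught by the cache-path marker; adding that folder catches them at the cost of considerably more noise.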