Ransomware Forensics
Regardless of how many countermeasures are in place or how advanced the security boundaries are, we can never be 100% protected from cyberattacks. Therefore, it is always important to know what to do once you have been attacked and to work out how the attack occurred through a post-incident review.
Many organizations that have fallen victim to ransomware and paid the ransom have been attacked again just weeks after the initial attack because they were unable to close the vulnerability or implement proper countermeasures.
In this chapter, we will cover the following topics:
- Ransomware forensics – and what to do once you’ve been attacked
- What to look for in the filesystem, registry, and events from your infrastructure
- Figuring out the type of ransomware and looking at the most known attack vectors
- Ensuring that we remove the entry point that was used after we manage to get our systems up and running again