Investigating a ransomware attack
This article covers techniques for investigating ransomware attacks that have already been detected. If you are looking for searches to help you detect ransomware attacks, go to Detecting a ransomware attack.
A user in your organization turns on their Windows desktop one morning and is greeted by a message claiming that files on the system have been encrypted and payment must be made to get the files back. As a security analyst, it is your goal to investigate the ransomware by attempting to reconstruct the events that led to the system being infected. You also want to understand the full scope of the security breach and prevent additional systems from becoming infected.
You can use Splunk software to investigate programs or binaries that executed on the infected system, examine connections the infected machine had to other network devices, construct a timeline of events, and create traffic flow diagrams to help visualize what happened.
Required data
How to use Splunk software for this use case
There are many searches you can run with Splunk software in the event of a ransomware attack. You can investigate the origin of the attack using these searches:
- FQDN associated with an IP address
- Files downloaded to a machine from a website
- Suspicious domains visited by a user
- Suspicious scripts in the command line
- Removable devices connected to a machine
- Files added to the system through external media
You can scope the impact of the attack using these searches:
Next steps
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Notifying law enforcement and all other authorities relevant to your industry
- Implementing your security incident response and business continuity plan
- Filing cyber insurance claims with your provider
Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Time to detection: The time from when the source of the ransomware was downloaded to the user’s machine and when the user received the ransomware notice
- Time to complete the investigation: The time from when the user reported the ransomware to when the investigation was completed
The content in this use case comes from a hands-on security investigations workshop developed by Splunk experts. To find out what educational resources are available to you, talk to your Customer Service Manager. These additional Splunk resources might help you understand and implement this specific use case:
- Use case: Detecting Clop ransomware
- Use case: Detecting a ransomware attack
- Use case procedure: Executable uploaded to a web server
- Use case procedure: MD5 hash of an uploaded file
- Webinar: Detection of ransomware and prevention strategies
- Blog: Operationalize ransomware detections quickly and easily with Splunk