Ransomware attacks are all over the news and are being experienced by corporations large and small. If you are a victim of this crime, investigating the Indicators of Compromise (IOCs) to help protect the rest of your network is extremely important.
How to Use Magnet AXIOM Cyber to Quickly Get IOC
Once the targeted systems are isolated, the investigation into what happened can begin. Examine the collected evidence items (RAM image, running processes, Windows Event Logs, IDS logs, EDR logs, firewall logs, etc.) with AXIOM Cyber.
The tool allows you to load all of the obtained images into one case, then index and search these items quickly. Timelines and connections between data sources can be created, which lets you identify Indicators of Compromise so you can start securing the other systems on your network.
To Pull the Plug or Do a Graceful Shutdown?
Not all ransomware is created equal. If the ransomware is still encrypting the contents of the drive, you might want to pull the plug on the box to stop the process. However, if the ransomware has completed, the debate is whether to pull the plug or do a graceful shutdown. The areas you hope might still hold some golden nuggets of information are the hiberfil (hiberfil.sys) and the pagefile.
Be aware that these might not get you anything. If possible, grab a memory image off the infected computer. If it's not possible to acquire a memory image, then grab a full disk image. Even though the ransomware has encrypted the system, there is a possibility that not all of the files on the endpoint have been encrypted; several ransomware variants do not encrypt everything.
Acquiring System Logs
Next, acquire any system logs that you can, specifically Windows Event Logs and firewall logs. Volume Shadow Copies are another very good source of evidence, if they haven't been encrypted.
Begin pulling the most recent backups or snapshots of the infected endpoint(s). If they haven't been encrypted, they can be a vital source of evidence. In 2021, ransomware "dwell" time (how long the attackers are in the environment before they are detected) dropped to 24 days.
Keep in mind that if your backups aren't routinely updated, you may not find IOCs on that backup. However, it is worth reviewing even an older backup. It's also important to verify that the data on the backup is valid and has not also been encrypted. Criminal organizations, and the ransomware they produce, also target backups. Your backups need to be inspected prior to restoration to make sure that they are free of malware or IOCs.
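One cheap way to check that a backup set has not been encrypted in place is to triage its files for two signs: a file whose extension promises a known header (magic bytes) but no longer has it, and a file whose content is nearly random (Shannon entropy close to 8 bits per byte) without being a compressed format. The script below is an added example written for this post, not Magnet Forensics' code or an AXIOM Cyber feature; the magic-number table, the entropy threshold of 7.5 and the sample files it builds are all constructed for illustration, and a real run would point assess_tree() at the mounted backup.

```python
import math
import random
from collections import Counter
from pathlib import Path

# Well-known leading bytes for a few common types (constructed table; extend as needed).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".exe": b"MZ",
    ".dll": b"MZ",
}
# Formats that are already compressed look random, so entropy alone is not a signal for them.
COMPRESSED = {".zip", ".docx", ".xlsx", ".png", ".jpg", ".gz", ".7z"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption: uniform random data sits near 8.0
SAMPLE_BYTES = 65536     # the first 64 KiB is enough for a triage verdict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_bytes(name: str, data: bytes) -> dict:
    """Return the triage verdict for one file's leading bytes."""
    ext = Path(name).suffix.lower()
    entropy = shannon_entropy(data[:SAMPLE_BYTES])
    findings = []
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        # Known type whose header is gone: the classic fingerprint of in-place encryption.
        findings.append("header mismatch")
    if entropy >= ENTROPY_THRESHOLD and ext not in COMPRESSED:
        findings.append("high entropy")
    return {"name": name, "ext": ext, "entropy": round(entropy, 2), "findings": findings}


def assess_tree(root) -> list:
    """Walk a directory (e.g. a mounted backup) and assess every regular file."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            with open(p, "rb") as fh:
                results.append(assess_bytes(p.name, fh.read(SAMPLE_BYTES)))
    return results


def build_samples() -> dict:
    """Constructed in-memory files: three healthy ones and two that look encrypted."""
    rng = random.Random(1234)  # seeded so the example is repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "report.pdf": b"%PDF-1.7\n" + b"Lorem ipsum dolor sit amet. " * 300,
        "photo.png": MAGIC[".png"] + b"\x00" * 2000,
        "archive.zip": MAGIC[".zip"] + noise,   # compressed: random-looking but legitimate
        "budget.xlsx": noise,                   # header overwritten: flagged
        "notes.dat": noise,                     # unknown type, random content: flagged
    }


def triage_samples() -> list:
    return [assess_bytes(name, data) for name, data in build_samples().items()]


if __name__ == "__main__":
    for r in triage_samples():
        print(f"{r['name']:<12} entropy={r['entropy']:<5} {', '.join(r['findings']) or 'ok'}")
```

A clean header does not prove a file is intact (some families encrypt only the tail of large files), so treat this as a first pass that picks which backups deserve a full inspection before anything is restored.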
Creating a Timeline and Connections
Once the evidence is processed with AXIOM Cyber, run both the Timeline and Connections features; they will help you determine the dates of infection and possibly patient zero on the network. AXIOM Cyber does an excellent job of putting Windows Event Logs and firewall logs into a format that can be sorted quickly, allowing you to cut through the noise and get to the evidence faster.
While there are several different tools that you'll use throughout the entire lifecycle of a ransomware attack, AXIOM Cyber can be an integral part of your road to recovery.
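The value of a timeline comes from putting records from different sources on one clock and then reading off the earliest host touched and the addresses involved. The script below is an added example, not AXIOM Cyber's Timeline or Connections implementation: it merges a handful of constructed, flattened Windows Event Log records (event IDs 4624, 7045 and 1102) with constructed lines in the Windows Firewall pfirewall.log field layout, sorts them, reports the first-seen time per host as a patient-zero candidate, and lists the IP addresses outside an assumed internal range. The host map, the 10.0.0.0/8 internal range and the field names of the flattened records are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime

# Constructed assumptions: the org's internal address space and an IP-to-hostname map.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HOST_MAP = {"10.0.5.17": "WS17", "10.0.5.23": "FS01"}

# Constructed Windows Event Log records, already flattened from EVTX (our own field names).
WIN_EVENTS = [
    {"time": "2021-06-14 02:13:40", "host": "FS01", "id": 4624, "user": "svc-backup", "src_ip": "10.0.5.17", "logon_type": 3},
    {"time": "2021-06-14 01:58:07", "host": "WS17", "id": 4624, "user": "jdoe", "src_ip": "203.0.113.9", "logon_type": 10},
    {"time": "2021-06-14 02:20:11", "host": "FS01", "id": 7045, "service": "updater-svc", "image": r"C:\Windows\Temp\u.exe"},
    {"time": "2021-06-14 03:05:00", "host": "FS01", "id": 1102},
]

# Constructed firewall log excerpt in the pfirewall.log field order.
FIREWALL_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-06-14 01:57:52 ALLOW TCP 203.0.113.9 10.0.5.17 51544 3389 52 S 1234567 0 8192 - - - RECEIVE
2021-06-14 02:13:35 ALLOW TCP 10.0.5.17 10.0.5.23 49822 445 52 S 7654321 0 8192 - - - SEND
2021-06-14 02:21:03 ALLOW TCP 10.0.5.23 198.51.100.77 49911 443 52 S 1111111 0 8192 - - - SEND
"""


@dataclass(order=True)
class Event:
    when: datetime
    source: str
    host: str
    summary: str
    ips: tuple = field(default_factory=tuple, compare=False)


def parse_time(s: str) -> datetime:
    # Assumption: both sources use the same (local) clock. In a real case normalise every
    # source to UTC before merging, or the ordering will be wrong.
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_win_events(records) -> list:
    out = []
    for r in records:
        eid = r["id"]
        if eid == 4624:      # successful logon
            summary = f"4624 logon {r['user']} type {r['logon_type']} from {r['src_ip']}"
            ips = (r["src_ip"],)
        elif eid == 7045:    # new service installed
            summary = f"7045 service installed {r['service']} -> {r['image']}"
            ips = ()
        elif eid == 1102:    # security log cleared
            summary, ips = "1102 security log cleared", ()
        else:
            summary, ips = f"{eid} (unmapped)", ()
        out.append(Event(parse_time(r["time"]), "eventlog", r["host"], summary, ips))
    return out


def parse_firewall_log(text: str, host_map=HOST_MAP) -> list:
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip header and comment lines
            continue
        f = line.split()
        date, time, action, proto, src, dst, sport, dport = f[:8]
        path = f[16] if len(f) > 16 else "?"
        host = host_map.get(src) or host_map.get(dst) or dst   # attribute to the internal endpoint
        summary = f"{action} {proto} {src}:{sport} -> {dst}:{dport} {path}"
        out.append(Event(parse_time(f"{date} {time}"), "firewall", host, summary, (src, dst)))
    return out


def build_timeline(win_records=WIN_EVENTS, fw_text=FIREWALL_LOG) -> list:
    """Merge both sources onto one sorted timeline."""
    return sorted(parse_win_events(win_records) + parse_firewall_log(fw_text))


def first_seen_per_host(timeline) -> dict:
    seen = {}
    for e in timeline:          # timeline is sorted, so the first hit per host is its earliest
        seen.setdefault(e.host, e.when)
    return seen


def patient_zero_candidate(timeline) -> str:
    seen = first_seen_per_host(timeline)
    return min(seen, key=seen.get)


def external_ips(timeline) -> set:
    """IP addresses seen in any event that fall outside the assumed internal range."""
    return {ip for e in timeline for ip in e.ips
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)}


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.when, e.source.ljust(8), e.host.ljust(4), e.summary)
    print("earliest host seen:", patient_zero_candidate(tl))
    print("external IPs:", sorted(external_ips(tl)))
```

The earliest host on a merged timeline is only a candidate for patient zero; the first record you hold is bounded by log retention and by the sources you managed to acquire, which is why the previous sections stress collecting event logs, firewall logs and backups before they are lost.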
Technical Advice Disclaimer
Magnet Forensics is dedicated to engaging with the DFIR community through our blogs and whitepapers. However, properly addressing technological issues often includes numerous variables that require independent assessment and strategies designed for each specific circumstance. Since Magnet Forensics cannot have complete insight into all variables involved in a specific situation, this blog/whitepaper is for informational purposes and should not be read as professional advice recommending techniques or technologies to address your specific situation. We do not accept responsibility for any omission, error, or inaccuracy in this blog/whitepaper or any action taken in reliance thereon.