Ransomware Response Guide

The document is intended to be a guide for organizations faced with a ransomware infection. This guide is split into several sections, with the most critical and time-sensitive being in the initial response section. 

8669816859?profile=original

If you are currently experiencing a ransomware incident, it is highly recommended you immediately review the containment section below, and return to this section at a later time for an overall background of ransomware.

>>Download The Report

Why Read This Report ?

  • Incident Lifecycle
  • Preparation, Detection, Analysis
  • Containment
  • Eradication, Recovery
  • Post Incident Activity

>>Download The Report

When a computer is infected with ransomware, the malware typically generates a very small amount of external network traffic. Upon infection, most versions/variants of ransomware utilize a Domain Generation Algorithm (DGA) to randomize the DNS request that it makes to the command & control (C&C) server. This makes blacklisting the known domains much harder since the malware will use the DGA to generate thousands of randomized domain names, where one may be a legitimate domain used to connect to the C&C server. This initial contact with the C&C server is to enroll the computer with the C&C server and to obtain the public encryption key(s) it then uses to encrypt all the user’s files. Therefore, a memory dump or network traffic capture will do very little to help gain the necessary information to restore the files since the private key that is needed to decrypt the files never exists on the victim computer. In the case of SamSam, there is no key-exchange as the public key (used to encrypt files) is included in the deployed package. However, as SamSam is introduced via traditional hacking activities, other indicators of compromise should be visible and acted upon.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)