Find the source of ransomware

Find the source of ransomware?
How do I find the source of the ransomware?
ransomware data recovery?
how to recover from ransomware attack?
how to recover ransomware encrypted files?
how to decrypt files encrypted by ransomware?
avast ransomware decryption tools?
decrypt tool free download?
ransomware decrypt tool 2019-2020?

Find the source of ransomware?

Finding the source of the ransomware on your network will not only help you locate the encrypted files, it will also tell you how the attack got in. That lets you adjust your security settings to reduce the risk of the same threat recurring.

Most successful ransomware attacks to date are discovered through the following symptoms:

IT administrators notice that files on their servers are encrypted: files no longer open, and in most cases their extensions have been changed.
Users report that they cannot open, or cannot find, files they previously used.
Users report that they cannot open files on their machines and that their desktop wallpaper has been replaced by a ransom note.


If you do not know how the ransomware got onto the machines, start from the encrypted files. Ransomware usually runs with the permissions of the logged-in user, so the set of files it could encrypt is a clue: if the encrypted files sit in directories that only one user or a small group can write to, the infected account is one of those.

Quite often you can find the user account that encrypted the files by looking at the file properties. Do the following:

Locate an encrypted file on your computer.
Right-click the file and select Properties.
Select the Details tab.
Search for owner information.
To show owner details for all files in a folder, do the following:

In Windows Explorer, navigate to a folder containing encrypted files (network shares are a good place to start, since many users write to them).
Switch to the Details view, which shows several columns of information about each file.
Right-click a column heading, and then select More...
Scroll down, tick Owner in the list, and then click OK.
Note: this will not help you if the owner shows SYSTEM or Administrator, because the files were then written by a service or an elevated process rather than by an ordinary user account.

If owner details don't help you, check which users have write access to the locations where you found encrypted files. Sorting the encrypted files by Date modified also helps: the earliest encrypted file marks roughly when the attack started and which location was hit first.
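The procedure above, scripted for a whole share, as an added example that is not part of the original article: it lists candidate encrypted files and ransom notes, reads the NTFS owner of each (the same value Explorer shows in the Owner column), summarises per owner, prints the earliest-modified files as a timeline, and finally lists which accounts can write to the first folder that was hit. The share path, the appended extension .locked and the ransom-note name pattern are placeholders; substitute whatever you see on your own files.

```powershell
# Added example, not part of the original article. Run from a machine that can read the share.
# Placeholders (replace with what you see on your own files):
#   $SharePath            - share or folder holding the encrypted files
#   $EncryptedExtensions  - extension(s) the ransomware appended
#   $NotePattern          - wildcard matching the ransom note file names
param(
    [string]   $SharePath           = '\\fileserver\share',
    [string[]] $EncryptedExtensions = @('.locked'),
    [string]   $NotePattern         = '*README*'
)

# 1. Candidate files: known encrypted extensions plus the ransom notes themselves.
$files = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($EncryptedExtensions -contains $_.Extension) -or ($_.Name -like $NotePattern) }

# 2. NTFS owner and last-write time for each file (owner is what Explorer's Owner column shows).
$records = foreach ($f in $files) {
    $owner = 'UNKNOWN'
    try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }
    [pscustomobject]@{
        Path          = $f.FullName
        Owner         = $owner
        LastWriteTime = $f.LastWriteTime
        IsNote        = ($f.Name -like $NotePattern)
    }
}

if (-not $records) { Write-Warning "No matching files under $SharePath"; return }

# 3. Per-owner summary. An owner of NT AUTHORITY\SYSTEM or BUILTIN\Administrators tells you
#    little; an ordinary user account is the one to investigate first.
$records | Group-Object Owner | ForEach-Object {
    $sorted = @($_.Group | Sort-Object LastWriteTime)
    [pscustomobject]@{
        Owner      = $_.Name
        FileCount  = $_.Count
        FirstWrite = $sorted[0].LastWriteTime
        LastWrite  = $sorted[-1].LastWriteTime
        FirstFile  = $sorted[0].Path
    }
} | Sort-Object FirstWrite | Format-Table -AutoSize

# 4. Timeline: the earliest encrypted files mark roughly when and where the attack started.
$records | Where-Object { -not $_.IsNote } | Sort-Object LastWriteTime |
    Select-Object -First 10 -Property Path, Owner, LastWriteTime | Format-Table -AutoSize

# 5. Who can write to the first folder that was hit? When the owner column is unhelpful,
#    the accounts holding Write/Modify/FullControl here are the candidates to look at.
$firstHit = @($records | Sort-Object LastWriteTime)[0]
$firstDir = Split-Path -Parent $firstHit.Path
(Get-Acl -LiteralPath $firstDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Save it as a .ps1 and run it with -SharePath pointing at the affected share. LastWriteTime is the same value as the Date modified column in Explorer, so the timeline in step 4 is what you would get by sorting that column by hand, just across the whole tree at once. Note that group entries such as Domain Users in step 5 mean every member is a candidate, so you will usually still need the owner column or the user interviews described below to narrow it down.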

Once you have identified the relevant users, dig further: check whether they opened suspicious emails or visited suspicious websites around the time the first files were encrypted. Look at their inboxes, deleted emails and browsing histories. This will show you where the security weakness was so you can improve protection in that area.

Protect and clean infected machines
After a ransomware attack it is important to ensure that your security products are working correctly. Many variants of ransomware will encrypt files that are used by software in order to run. A good example of this is .xml files which are commonly used by software programs to store configuration settings. As a result of this type of damage, you may have to reinstall software that is no longer working correctly. 

For Sophos products, check that they are updating correctly and reporting their status to your console. Resolve any errors and if a re-installation is required, do this as soon as possible. Make sure full scans are run on all affected machines. 

Restore data
Most modern ransomware uses strong encryption such as RSA-2048 or AES-128 (typically AES to encrypt the files and RSA to protect the AES key). Without the private key, recovering the files is computationally infeasible, so the only options are restoring from backups or paying the ransom. If you pay the ransom there is no guarantee that you will get your files back, or that you won't be targeted again.

Most files encrypted by ransomware cannot be restored. Occasionally, however, the files encrypted by a particular variant can be decrypted. This is possible if:

the used encryption method is weak
the ransomware criminals made a mistake in their code
the criminals were arrested and the authorities got the decryption keys
Unfortunately these scenarios are rare. If you are hit by ransomware, search the internet for a decryption tool for your specific variant (the ransom note and the appended file extension usually identify it). Do not confuse decryption tools with removal tools: a removal tool deletes the ransomware and the ransom notes, but it does not restore the encrypted files.

Notes:
If you do not have backups of the files that were encrypted, keep a copy of the encrypted files, as a decryption tool might become available later.
If you rely on Volume Shadow Copies, be aware that most ransomware deletes them as well (commonly by running vssadmin delete shadows) before or during encryption, so do not count on them as your only backup.
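An added check for the shadow-copy point, not part of the original article: it lists the shadow copies that still exist on the machine, then searches the Security log for the vssadmin or wmic commands ransomware commonly runs to delete them. The second query only returns results if process creation auditing (event ID 4688) with command-line logging is enabled on the machine; the Win32_ShadowCopy class, the event ID and the command syntax are real, the seven-day window is an assumption.

```powershell
# Added example, not part of the original article. Run elevated on the affected machine.

# Shadow copies still present (no output means none survived, or the service is disabled).
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize

# Process-creation events (4688) whose command line deletes shadow copies.
# Requires "Audit Process Creation" plus "Include command line in process creation events".
$since = (Get-Date).AddDays(-7)   # assumed window; widen it if the attack is older
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete' } |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Account Name:' } | Select-Object -First 1) -replace '^\s*Account Name:\s*', '' } },
        @{ n = 'Command'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Command Line:' } | Select-Object -First 1) -replace '^\s*Process Command Line:\s*', '' } } |
    Format-Table -AutoSize -Wrap
```

A hit in the second query gives you both the account the ransomware ran as and a timestamp, which cross-checks the owner and Date modified evidence from the file share. If command-line auditing was not enabled, the query is empty even when shadow copies were deleted; enable it now so the next incident leaves a record.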

Steps to help reduce this happening again
It is important to understand that if you were a victim of ransomware and it was able to execute on your endpoint machines, it got through all of your security, not just the anti-virus on the machine. Ransomware is not a single file but a multi-layered attack that touches several areas of your network. No single security feature can protect against every possible threat by itself. Security is made up of layers, each of which protects a specific area. Many of these overlap and can communicate with each other for even more protection.

In the example of ransomware spread via spam email your first layer of protection is your email gateway. Securing this layer allows you to scan all emails for spam and malicious files, you could also combine this with a sandboxing product to execute the attachments in a safe environment so detailed analysis can be performed automatically.


