├── README.md
└── ransomware-triage.txt

/README.md:
--------------------------------------------------------------------------------
# collection of stuff

todo:
- ransomware triage guide (completed)
- adversary-driven threat hunt
--------------------------------------------------------------------------------
/ransomware-triage.txt:
--------------------------------------------------------------------------------
## dealing with ransomware? this might be somewhat useful for general triage
## rev1.4
## distribution: public
## revision will stay the same unless major changes are added to the content

- Immediate Action (Containment)
  * Disconnect affected systems
  * Utilise information contained within the ransomware warning to search online (using a non-affected computer) for further information. E.g. if it says send a mail to “ransomware@gmail.com”, do a search for this.
  * Only do what you need to do on the infected computer. Some ransomware doesn't block your computer but replaces folders and files with malicious links that take further actions on clicking (e.g. Spora)
  * Don't reboot. The ransomware might encrypt further files if the computer is rebooted (e.g. Petya).
  * Don't reboot/shutdown - forensic artifacts residing in memory are likely to be lost in the case of a reboot/shutdown.
  * Attempt to identify which strain of ransomware is responsible and check if a decryption tool is available:
    https://id-ransomware.malwarehunterteam.com
    https://www.nomoreransom.org/crypto-sheriff.php
  * Image each drive and store the images (there might not be a file decryptor available publicly now, but there might be in future)
  * If possible, take a memory dump
  * Identify the initial compromise vector
  * Set up triggers based on IOCs to detect newly affected systems — usually some exe file that was downloaded.
    Often, the exe files containing the actual malware have been downloaded by another script (wsf, vbe, excel/word macro, javascript).
  * Corporate comms to send out an organization-wide notification raising awareness among the user base not to click on suspicious attachments or plug random USB drives found in the car park into their computers
  * On-the-fly defences to be deployed to reduce the threat surface, e.g. mail-flow rules in Exchange
  * Notify the insurance company and ask what their support is for cyber-security incidents
  * Consider notifying appropriate authorities (if relevant)

- Mid-incident Action (Assessment & Recovery)
  * Identify the type and sensitivity of data which has been compromised
  * All egress/ingress traffic to be SPAN'ed to a separate switch port and analysed. All other logs should be correlated and threat hunting performed. — Ensure that timestamps are not out of sync
  * Set up an IOC trigger list on the alerting mechanism
  * Roll out the tape backups, or whatever backups there are, if a decision is made to restore
  * Assume all passwords on the affected devices have been compromised and change them using a non-affected device
  * Remote access protocols are a common threat entry point. Suggest shutting them down or a more secure implementation such as two-factor authentication
  * In a few cases the malware fails to disable Windows restore mechanisms and shadow copies, so you might be able to restore files. If you export any restored files from the system, treat them with caution and check them for infection.
  * If other restore attempts do not work, attempt to recover using tools such as:
    http://www.shadowexplorer.com (free)
    http://www.easeus.com/ad/data-recovery-wizard.htm
  * If in doubt, wipe the disk clean and reload the OS — don't take chances here

  -----PII affected-----
  * If PII is involved, treat personal data as breached - all affected tokens, passwords, etc. MUST be reset or re-issued immediately
  * If personal data is breached, the organization should watch out for fraud or impersonation. Some level of fraud detection/control must be implemented
  * Appropriate regulators to be informed (if necessary)

- Post-incident Action (Long-term remediation)
  * Set up a proper backup strategy and test it
  * Security awareness training for end users
  * Segmentation of the network; this isn't 1980
  * Penetration tests / red team exercises
  * Incident response planning and assessment
  * On-going threat hunting
  * Identification and classification of data within the organization
  * Identification of technical controls and their respective effectiveness
  * Utilise playbooks for response and hardening such as https://www.demisto.com/playbook-for-handling-ransomware-infections/
  * Get some workable threat intelligence or, at the least, data from abuse.ch, AlienVault, etc.

NOTE: If the data must be recovered (i.e. mission critical), ensure that the systems are hardened and defences are working prior to paying the ransom; you don't want to get blindsided by another attack the moment you pay.
Be aware that when you pay the ransom, you are supporting ransomware distribution.

--------------------------------------------------------------------------------
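Added example (not part of the guide above) serving two of its items at once: the "set up triggers based on IOCs" item under Immediate Action and the "correlate logs / timestamps not out of sync / IOC trigger list" items under Mid-incident Action. It applies a constructed IOC list to constructed log lines and converts every timestamp to UTC before ordering the hits per host; the host names, log format, note name, extension and hash are all assumptions, not indicators of any real campaign.

```python
import re
from datetime import datetime, timezone

# Constructed IOC list: the ransom-note e-mail is the guide's own example,
# everything else is a placeholder for what the note and dropper chain yield.
IOCS = {
    "ransom_email": "ransomware@gmail.com",
    "note_name": "HOW_TO_DECRYPT.txt",
    "enc_ext": ".locked",
    "dropper_sha256": "0" * 64,  # placeholder hash, not a real sample
    "script_exts": (".wsf", ".vbe", ".js", ".jse"),  # dropper script types named in the guide
}
# Constructed log lines "<ISO-8601 timestamp with offset> <host> <event> <detail>";
# hosts log in different local time zones, so raw string order is misleading.
SAMPLE_LOGS = r"""
2024-05-01T09:02:10+02:00 WS-14 proc_create wscript.exe invoice.wsf
2024-05-01T07:02:15+00:00 WS-14 file_hash 0000000000000000000000000000000000000000000000000000000000000000
2024-05-01T03:05:40-04:00 WS-14 file_create C:\Users\a\Docs\HOW_TO_DECRYPT.txt
2024-05-01T07:10:00+00:00 WS-22 file_rename report.xlsx -> report.xlsx.locked
2024-05-01T07:11:00+00:00 WS-30 proc_create excel.exe budget.xlsx
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Split one record and convert its timestamp to UTC so hosts correlate."""
    ts, host, event, detail = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts).astimezone(timezone.utc), host, event, detail

def match_iocs(event, detail):
    """Return the names of every IOC that fires on one record."""
    d = detail.lower()
    hits = []
    if event == "proc_create" and d.endswith(IOCS["script_exts"]):
        hits.append("script_dropper")
    if IOCS["dropper_sha256"] in d:
        hits.append("dropper_sha256")
    if IOCS["note_name"].lower() in d:
        hits.append("ransom_note")
    if d.endswith(IOCS["enc_ext"]):
        hits.append("encrypted_ext")
    if IOCS["ransom_email"] in d:
        hits.append("ransom_email")
    return hits

def triage(logs):
    """Map each host with at least one hit to its (utc_iso, ioc) pairs in time order."""
    hits = {}
    for line in filter(str.strip, logs.splitlines()):
        when, host, event, detail = parse_line(line)
        for ioc in match_iocs(event, detail):
            hits.setdefault(host, []).append((when.isoformat(), ioc))
    return {host: sorted(pairs) for host, pairs in hits.items()}
```

Feeding the result into the alerting mechanism gives the list of newly affected hosts; the UTC ordering also shows the dropper-script, hash and ransom-note sequence on WS-14 in the order it actually happened, which the raw local timestamps would have scrambled.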