Ransomware Forensics: How to Preserve Evidence After a Ransomware Attack

Cybercrimes are investigated by competent authorities, and victims have to provide as much evidence as possible for a better investigation. This will help catch the cybercriminals and prevent other crimes and even terrorism. After being hit by a ransomware attack, you may question: how can I preserve digital evidence for ransomware forensics?

By the end of this article, you will understand:

  • What is ransomware forensics
  • Why is digital forensics important
  • What part does a ransomware forensic investigation have in recovering from an attack
  • How you can collect and preserve ransomware evidence

What is ransomware forensics?

Ransomware forensics is a type of digital forensic service that can help you discover and understand the actions taken while the cybercriminal was in your network. This can give you insight into how to effectively respond.

Proven Data digital forensics experts can uncover crucial information about ransomware attacks, including:

  • Tools and methods used to launch the attack
  • Vulnerabilities exploited by attackers to gain access to the network
  • List of networks, systems, files, and applications affected
  • List of sensitive files and folders accessed or removed from the network

Ransomware – Close up of Your Files Are Encrypted on the Screen

The importance of ransomware forensics

Preserving and analyzing evidence with a ransomware forensics investigation is a part of ransomware incident response activities. And you can’t ignore it as it can benefit your business to increase its cybersecurity and prevent threats.

1. Learn how the attack happened and how to prevent repeat attacks

A ransomware forensic investigation is crucial to find out how the threat actor gained access to your network.
Common ransomware attack methods include:

  • Exploiting unsecured Remote Desktop Protocol (RDP) ports
  • Brute forcing or dictionary attacks on weak passwords
  • Sending phishing emails with malicious links or attachments
  • Utilizing exploit kits to target known operating system vulnerabilities
  • Gaining unauthorized access via out-of-date, unpatched software, servers, or firewalls       

By determining the specific gap in your cyber security protection that was exploited, you can prevent new ransomware attacks on your network.

2. Find out if your data was compromised or stolen

A cyber criminal’s actions during a ransomware attack could critically compromise sensitive data and result in legal consequences for your organization. That’s because data security laws protect users’ sensitive and private data usage. And ransomware not only encrypts the files but can also leak them or sell them on the deep web. Data exfiltration resulting from a ransomware attack is particularly dangerous as attackers increasingly target healthcare facilities and other critical infrastructure. These organizations store personally identifiable information (PII), protected health information (PHI), and other data that is protected under privacy laws. 

If your organization stores data protected under privacy laws, you must determine what happened during the attack and discover if the data was compromised, and take actions to minimize or prevent further damage.

The Department of Health & Human Services (HHS) has a fact sheet regarding its stance on ransomware and HIPAA regulations. A breach under the HIPAA rules is defined as “..the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which comprises the security or privacy of the PHI.”  Per the HHS, a ransomware attack is considered a breach unless the entity can demonstrate a low probability of compromise of the PHI. See the HIPAA Breach Notification Rule for more information. A ransomware forensics investigation can help you establish a low probability of data compromise. It also provides the proper preservation of digital evidence necessary in legal cases.  

Healthcare facilities and critical infrastructure are not the only ones at risk. The data exfiltration trend has been picked up by over 19 ransomware variants to date. In other words, more ransomware attackers are removing sensitive data from the affected network as well as encrypting the data.

3. Improve chances of ransomware recovery if a decrypter is released or developed in the future

Preserving ransomware-encrypted files can ensure your data has a chance of being decrypted in the future.  Ransomware groups sometimes cease operations and release decryption keys. Although rare, it’s not impossible, as demonstrated when the Shade ransomware gang released 750,000 decryption keys in April 2020.

Unfortunately, many ransomware victims who are unable to find a method of recovery for their files fail to preserve evidence of the attack. As well as preserve the encrypted data. As a result, they reduce the chances of using a decryption key that is released or developed later to recover lost data.

4. Help law enforcement agencies identify and investigate the attackers

Reporting a ransomware attack should always be a part of your incident response plan. A forensic investigation can provide the information necessary to report a ransomware attack to your respective law enforcement agency.

This information includes

  • IP addresses
  • Digital currency wallet addresses
  • Threat actor email addresses
  • The attack vectors exploited to carry out the ransomware attack

Additionally, a forensic investigation can attempt to geolocate the unauthorized account logins and map them to determine the location where the attack originated. These are critical information authorities can use to track, investigate and prosecute the perpetrators of the attack.

Handcuffs on the laptop,cyber concept

The information provided by a ransomware forensics report can help authorities identify ransomware attack patterns and bolster law enforcement investigations and prosecutions of the perpetrator of the attack. In addition, the indicators of compromise are typically shared through publicly accessible alerts to help the cyber community prevent future attacks.

How do I preserve forensic evidence of a ransomware attack?

Ensuring the preservation of infected systems and files is crucial for the analysis and investigations of a ransomware attack.  

To do so, immediately after being hit by a ransomware attack, you must follow the next steps:

  1. Do not shut down your affected device. Shutting down your device may erase critical forensic artifacts pertinent to the forensic investigation.
  2. Disconnect the affected device. Immediately disconnect any network, Wi-Fi, or Bluetooth connection and remove any USB or external hard drives that are connected to the affected machine to stop the infection from spreading.
  3. Create a forensically sound image. As soon as possible, create a forensically sound image of any systems which have access to sensitive data using forensic imaging software or contacting a ransomware recovery service.
  4. Create a second copy of the forensic images. (Optional) Saving an extra copy of the forensic images in a safe place is advised.
  5. Preserve logs. Save firewall logs, VPN logs, and any logs which can be saved within the environment. These logs may have a short lifespan so grabbing them promptly is important.
  6. Document all information pertaining to the ransomware attack. This includes:
  • Photo or copy of the ransom demand note
  • Ransomware variant name if known
  • The file extension of encrypted files (if it’s the case)
  • The approximate date and time of the attack
  • The file naming scheme for the ransom note/readme file left by the attacker
  • Any email addresses or URLs or other methods provided by the attacker for communications
  • Required payment method/bitcoin addresses provided by the attacker
  • Ransom amount demanded if known

Next steps to ensure ransomware forensics

Taking prompt action is critical when responding to a ransomware attack. Following the steps listed above will help you properly preserve evidence of the attack immediately after it occurs.

The ransomware forensic analysis can provide information on the anatomy of a ransomware attack and create a roadmap for how to secure your network to prevent future ransomware attacks.

Proven Data forensics examiners are here to help you navigate the complicated process of understanding the scope of the ransomware incident through thorough investigation and comprehensive reporting.

Need to find out how your data was affected in a ransomware attack?

Get a full report on what happened and what to do next

Open a ransomware forensic case today!

What do you think?

Leave a Reply
Read more

Related Articles

Contact us

Leading experts on stand-by 24/7/365

If you suspect data loss or network breach, or are looking for ways to test and improve your cyber security – our team can help.

What we offer:
What happens next?

Our advisor will reach out with the free consultation


We evaluate your inquiry and review solutions


We send a custom proposal or quote for approval

Request a Free Consultation