Have Fun with It!: Tracking Ransomware Operator Lateral Movement and Recovering Deleted Files the Easy Way!


Ransomware sucks! We all know that. Even though it annoys us, we cannot simply ignore the threat. Should a ransomware incident occur (whether or not it includes an encryption event), you will need to track lateral movement, identify the tools and scripts used, and even analyze forensic artifacts to identify deleted files. In this talk, Ryan will be covering two open source tools (free ftw!) that you can leverage to identify lateral movement and analyze malicious data from a system, even when that data has been deleted. Would you like to generate a visual graph of threat actor movement throughout a network? All you need are some Security.evtx files. Easy, right? Would you like to recover scripts, malicious tool output, and more, even if that data has been deleted? All you need are the MFT and UsnJrnl files. Also easy, right? Yup! Easy mode ftw!