Host-Based Ransomware Indicators

Investigators don’t always have the exact “best” data for their investigations. The data could have been not collected, corrupted, not exist, or even have been over-collected. In ransomware investigations time is critical to success for a business’s recovery from a ransomware attack. But what happens when all you have are dead box systems? This talk focuses on applying common forensic artifacts to your ransomware investigations. We will discuss common entry vectors, post-exploitation activities, and data exfiltration from ransomware groups and how we, as investigators/examiners/analysts, can find and interpret host-based artifacts using widely available tools. These artifacts apply regardless of if you’re responding to business that was recently attacked or searching for evidence to prepare for a trial. While not a comprehensive listing of all the possible artifacts that may apply, the artifacts presented are a good starting point for any forensic investigation.