Impacts on Ransomware Investigations, or Why Not To Focus On The EXE

Current ransomware reporting places an all-too-heavy emphasis on the reverse engineering (RE) of ransom executables. In most attacks, file encryption is the last action taken by threat actors.

Through a better understanding of precursor ransomware actions and the complex ransomware ecosystem, defenders will be better equipped to detect and respond to threat actors, inhibiting or even obviating data exfiltration and file encryption.