Post Intrusion Ransomware Investigation

Provides the first step in the investigation of ransomware attacks. The playbook requires the ransom note and an example of an encrypted file (<1MB) to try to identify the ransomware and find a recovery tool via the online database. You will be guided with further investigation steps throughout the playbook, some of the key features are: - Encrypted file owner investigation - Endpoint forensic investigation - Active Directory investigation - Timeline of the breach investigation - Indicator and account enrichment Playbook settings and mapping: For the full operation of the playbook, the following data should be mapped to the relevant incident fields. Username - Usernames (common incident field) Hostname - Hostnames (common incident field)

Ransomware · 41 tasks · 5 inputs · 0 outputs

Inputs

  • AutoRemediation — Determines whether to perform auto-isolation and remediation for the infected endpoint and indicators. Values: - True - False. This is the default.
  • NotificationEmail — The email addresses to notify if there is a possibility of the malware spreading and infecting other endpoints. Can be a CSV list.
  • EmailBody — The malware notification message content.
  • UserVerification — Possible values: True/False. Whether to provide user verification for blocking IPs. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list.
  • AutoBlockIndicators — Possible values: True/False. Default: True. Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.

Commands used

ad-disable-account rasterize-email relatedIncidents send-mail setIncident setIndicators

Flowchart

yes yes True True yes Yes yes True Binary Note Start Start Isolate Endpoint - Generic - Isolate Endpoint - Generic Isolate Endpoint - Generic Isolate Endpoint - Generic Identification Identification Upload ransomware files Upload ransomware files Ransomware enrichment Ransomware enrichment Send ransomware notification to relevant stakeholders - send-mail Send ransomware notificat... send-mail Investigation Investigation File owner investigation File owner investigation Detonate File - Generic - Detonate File - Generic Detonate File - Generic Detonate File - Generic Test the ransomware recovery tool. Test the ransomware recov... Containment Containment Read ransom note Read ransom note Detonate File - Generic - Detonate File - Generic Detonate File - Generic Detonate File - Generic Were binary files retrieved? Were binary files retrieved? Done Done Fetch related incidents - relatedIncidents Fetch related incidents relatedIncidents Auto Remediation? Auto Remediation? Endpoint Enrichment - Generic v2.1 - Endpoint Enrichment - Generic v2.1 Endpoint Enrichment - Gen... Endpoint Enrichment - Generic... Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Active Directory - disable user account - ad-disable-account Active Directory - disabl... ad-disable-account Active Directory Investigation - Active Directory Investigation Active Directory Investig... Active Directory Investigation Is Active Directory enabled? Is Active Directory enabled? Advanced forensic investigation Advanced forensic investi... Was a Recovery tool found? Was a Recovery tool found? Set file owner field - setIncident Set file owner field setIncident Count - setIncident Count setIncident Display ransom note - rasterize-email Display ransom note rasterize-email Set attacker information fields - setIncident Set attacker information ... setIncident Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Send ransomware notification? Send ransomware notificat... Manual containment Manual containment Extract Indicators From File - Generic v2 - Extract Indicators From File - Generic v2 Extract Indicators From F... Extract Indicators From File ... Set Ransomware information - setIncident Set Ransomware information setIncident Set cryptocurrency indicators as malicious - setIndicators Set cryptocurrency indica... setIndicators Set onion addresses indicators as malicious - setIndicators Set onion addresses indic... setIndicators Set attacker email addresses indicators as malicious - setIndicators Set attacker email addres... setIndicators Auto Remediation? Auto Remediation? Handle ransomware files Handle ransomware files File Enrichment - File reputation - file_enrichment_-_file_reputation File Enrichment - File re... file_enrichment_-_file_reputa... File Enrichment - File reputation - file_enrichment_-_file_reputation File Enrichment - File re... file_enrichment_-_file_reputa... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3