Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Signals
- File extensions have been changed to a known ransomware suffix (.lockbit, .blackcat, .play, etc.)
- Ransom note files are present in multiple directories
- Forensic imaging succeeds but mounting the image shows encrypted/unreadable file content
- OS fails to boot and recovery console shows encrypted system files
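As an added example (not part of this playbook): a Python triage script that scores a mounted image or copied tree for the three on-disk signals above, namely known suffixes, ransom notes across directories, and unreadable (high-entropy) content. The suffix list, note-name hints and thresholds are assumptions to tune per case, and the sample tree it builds is constructed.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

# Suffixes named in the playbook's signals plus common ransom-note filename hints (assumed, non-exhaustive).
RANSOM_SUFFIXES = {".lockbit", ".blackcat", ".play"}
NOTE_NAME_HINTS = ("readme", "restore", "decrypt", "recover", "how_to")

def shannon_entropy(data: bytes) -> float:
    # Bits per byte of the sample; ciphertext sits close to 8.0, plain text far below.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_tree(root, sample_bytes=4096, high_entropy=7.5):
    # Walk a mounted image (or copied tree) and count the playbook's on-disk signals.
    files = suffixed = high = 0
    note_dirs = set()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        files += 1
        suffixed += path.suffix.lower() in RANSOM_SUFFIXES
        if path.suffix.lower() in {".txt", ".hta", ".html"} and any(
                h in path.name.lower() for h in NOTE_NAME_HINTS):
            note_dirs.add(path.parent)
        with path.open("rb") as fh:  # sample only the head; files may be huge
            high += shannon_entropy(fh.read(sample_bytes)) >= high_entropy
    return {"files": files,
            "ransom_suffix_ratio": suffixed / files if files else 0.0,
            "high_entropy_ratio": high / files if files else 0.0,
            "ransom_note_dirs": len(note_dirs)}

def encryption_suspected(s, suffix_floor=0.5, note_dir_floor=2):
    # Renamed files alone, or notes in several directories plus unreadable content.
    return (s["ransom_suffix_ratio"] >= suffix_floor or
            (s["ransom_note_dirs"] >= note_dir_floor and s["high_entropy_ratio"] >= 0.5))

def build_sample_tree() -> str:
    # Constructed stand-in for a mounted image; os.urandom mimics encrypted file content.
    root = Path(tempfile.mkdtemp(prefix="ir_sample_"))
    docs, pics, pdata = (root / d for d in ("Users/alice/Documents", "Users/alice/Pictures", "ProgramData"))
    for d in (docs, pics, pdata):
        d.mkdir(parents=True)
    for i in range(4):
        (docs / f"report{i}.docx.lockbit").write_bytes(os.urandom(2048))
    (pics / "holiday.jpg.lockbit").write_bytes(os.urandom(2048))
    (pdata / "config.ini").write_text("[settings]\nmode=normal\n")
    for d in (docs, pics):
        (d / "RESTORE-MY-FILES.txt").write_text("constructed ransom note placeholder\n")
    return str(root)
```

Run `triage_tree()` against the mount point of the preserved image, never the live host, and keep the ratios in the case notes alongside the image hash.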
Pivot Actions
1. Image the encrypted disk for preservation, then focus collection on sources OUTSIDE the encrypted host
2. Check if Volume Shadow Copies survived the encryption (some ransomware deletes them, but not always)
3. Collect EDR telemetry, SIEM logs, and network data that were captured before and during encryption
4. Analyze the ransomware binary (if obtained) for known decryption weaknesses or available decryptors (NoMoreRansom project)
5. Recover unencrypted artifacts from RAM dump, pagefile, or hibernation file if available
Alternate Evidence Sources
- EDR process and file telemetry captured before encryption completed
- SIEM-indexed logs from the affected host ingested prior to the ransomware execution
- Network captures or firewall logs showing pre-encryption C2 and lateral movement
- Surviving Volume Shadow Copies or backup snapshots taken before the encryption event