Review Ransomware Resilience and Backup Isolation Failures
Post-Incident Review | P2 | 90 min
Perform a ransomware-specific resilience review focused on how the operator reached backups, how encryption spread, and which defensive controls failed to slow propagation.
Actions
1. Map the exact propagation path used by the ransomware operator across identity, endpoint, and network layers. Document which controls should have interrupted each hop.
2. Review backup platform exposure: admin network reachability, credential reuse, domain trust relationships, and whether immutable or offline recovery tiers were actually isolated.
3. Identify the controls that failed to detect or block pre-ransomware activity such as mass credential abuse, GPO changes, shadow copy deletion, or remote execution.
4. Produce a prioritized remediation backlog covering backup isolation, privileged access segmentation, rapid host isolation, and ransomware-specific detections.
Queries
Endpoint process events (backup and recovery tooling invoked in the last 30 days):
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("vssadmin.exe","wbadmin.exe","bcdedit.exe","psexec.exe")
| summarize count() by FileName, InitiatingProcessAccountName, DeviceName

Network logs (connection attempts on remote-admin and lateral-movement ports):
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where DestinationPort in (445, 135, 3389, 5985, 5986)
| summarize Attempts=count(), Hosts=make_set(SourceIP) by DestinationPort
Notes
- The resilience review should focus on the operator path to impact, not just the final encryption event.
- Backup systems that were reachable from normal admin workstations should be treated as control failures even if they survived this incident.
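As an added worked example (not part of this playbook), the backup-exposure check from Action 2 and the note above, run over constructed firewall allow/deny lines: allowed remote-admin traffic from ordinary admin workstations to a backup host, or any allowed traffic to the isolated tier from outside the backup-management subnet, is reported as a control failure. The subnets, backup hosts and tier labels are assumed placeholders.

```python
import ipaddress

# Constructed sample firewall lines in a generic "timestamp action src dst port" shape
# (not any vendor's real export format). Backup hosts are assumed to live in 10.90.0.0/16.
FIREWALL_LOG = """\
2024-05-02T09:14:01 ALLOW 10.20.5.17 10.90.1.10 445
2024-05-02T09:14:03 ALLOW 10.20.5.17 10.90.1.10 3389
2024-05-02T09:15:20 DENY  10.20.5.40 10.90.2.5 5985
2024-05-02T09:16:02 ALLOW 10.50.0.8  10.90.1.10 443
2024-05-02T09:17:44 ALLOW 10.20.5.40 10.90.2.5 5986
2024-05-02T09:18:10 ALLOW 10.50.0.8  10.90.2.5 443
2024-05-02T09:19:31 ALLOW 10.20.7.3  10.90.2.5 443
"""

# Assumed environment facts (placeholders, not taken from the playbook):
ADMIN_WORKSTATIONS = [ipaddress.ip_network("10.20.5.0/24")]  # everyday admin workstation VLAN
BACKUP_MGMT = [ipaddress.ip_network("10.50.0.0/24")]         # dedicated backup-management subnet
BACKUP_HOSTS = {"10.90.1.10": "primary", "10.90.2.5": "immutable"}  # host -> recovery tier
ADMIN_PORTS = {445, 135, 3389, 5985, 5986}  # same ports as the CommonSecurityLog query above

def parse_line(line):
    ts, action, src, dst, port = line.split()
    return {"ts": ts, "action": action, "src": ipaddress.ip_address(src),
            "dst": dst, "port": int(port)}

def in_any(ip, nets):
    return any(ip in net for net in nets)

def review_backup_exposure(log_text):
    """Return (backup_host, tier, source_ip, port, reason) for each allowed flow that
    shows a backup system was reachable in a way the isolation design should have blocked."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        if ev["action"] != "ALLOW" or ev["dst"] not in BACKUP_HOSTS:
            continue  # denies show the control working; non-backup targets are out of scope
        tier = BACKUP_HOSTS[ev["dst"]]
        if in_any(ev["src"], ADMIN_WORKSTATIONS) and ev["port"] in ADMIN_PORTS:
            findings.append((ev["dst"], tier, str(ev["src"]), ev["port"],
                             "admin workstation reached backup host on a remote-admin port"))
        elif tier == "immutable" and not in_any(ev["src"], BACKUP_MGMT):
            findings.append((ev["dst"], tier, str(ev["src"]), ev["port"],
                             "non-management source reached the isolated tier"))
    return findings

def exposure_by_host(findings):
    """Count findings per backup host to seed the remediation backlog."""
    counts = {}
    for host, *_ in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts
```

A host with zero findings is not proof of isolation; the review should also confirm that the firewall actually logs allowed flows toward the backup segment.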
Where to Go Next
Related Artifacts
- Full Memory Dump: acquired via live capture (RAM)
- Volume Shadow Copies (VSS): System Volume Information (accessed via vssadmin or mklink)
- Group Policy Event Logs: C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
- Firewall Logs (Allow/Deny): firewall management console or syslog server (vendor-specific: Palo Alto, Fortinet, pfSense, iptables)