Analyze Ransom Note and Variant Identification

Phase: Triage | Priority: P1 | Estimated time: 45 min | Role: IR Analyst

Collect and analyze the ransom note to identify the ransomware variant, threat actor group, and potential decryption options. The note provides critical intelligence for response strategy.

Actions

  1. Collect the ransom note from affected systems without modifying it. cmd `copy` does not expand wildcards inside directory names, so loop over the profiles and keep one output folder per user: `for /d %u in (C:\Users\*) do robocopy "%u\Desktop" "F:\case\ransom_notes\%~nxu" README*.txt /COPY:DAT` -- robocopy preserves the original timestamps and attributes. Photograph any wallpaper-based notes with screenshots.
  2. Upload a sample encrypted file and the ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) or No More Ransom (nomoreransom.org) to identify the variant. Do NOT upload files containing sensitive data.
  3. Extract IOCs from the ransom note: Bitcoin/Monero wallet addresses, Tor .onion URLs, email addresses, unique victim IDs. Check these against threat intelligence platforms (VirusTotal, OTX, MISP).
  4. Analyze the encrypted file extension pattern and encryption markers: `Get-ChildItem -Recurse -File -Path C:\ -Include "*.locked","*.encrypted","*.crypt" -ErrorAction SilentlyContinue | Select FullName, Extension, Length, LastWriteTime | Export-Csv encrypted_files.csv -NoTypeInformation`.
  5. Check for the ransomware binary: search EDR for the ransomware executable using known variant signatures. Use Volatility on memory dumps: `vol3 -f memdump.raw windows.pstree` to find the encryption process.
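Steps 1 and 3 above, worked through in Python as an added example (this is not code from the original playbook): hash the collected note for the case record, pull out the IOC types step 3 names, and defang them before they go into a ticket or a threat-intel lookup. The note and every indicator in it are constructed, and the regular expressions are assumptions about common address formats rather than signatures for any specific variant.

```python
"""Ransom note hashing, IOC extraction and defanging (added example).

The sample note below is constructed; every wallet address, onion hostname,
e-mail address and victim ID in it is fabricated.
"""
import hashlib
import re

# Constructed indicators, built to be visibly fake while still matching the
# address formats the extractor looks for.
FAKE_BTC = "1" + "Ab" * 16 + "c"        # 34-char legacy-style Bitcoin address
FAKE_XMR = "4" + "Ab" * 47              # 95-char Monero-style address
FAKE_ONION = "a2b3" * 14 + ".onion"     # 56-char v3-style onion hostname
FAKE_EMAIL = "recover.help@mail.example"
FAKE_VICTIM_ID = "7F3A-22B9-C0D1-9E4F"

SAMPLE_NOTE = f"""ALL YOUR FILES ARE ENCRYPTED!
Your personal ID: {FAKE_VICTIM_ID}
To recover your data contact us: {FAKE_EMAIL}
Or visit our portal: http://{FAKE_ONION}/chat
Pay 1.5 BTC to: {FAKE_BTC}
Monero accepted: {FAKE_XMR}
"""

# Deliberately narrow patterns (assumed formats); tune per variant once known.
IOC_PATTERNS = {
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "xmr": re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b"),
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # The victim ID has no fixed format; key off the label the note uses.
    "victim_id": re.compile(
        r"\b(?:personal|victim|your)\s+id\s*[:=]\s*([A-Za-z0-9-]{6,})", re.I),
}


def note_sha256(note_text: str) -> str:
    """SHA-256 of the note for the chain-of-custody record. In practice hash the
    original file bytes; this takes text so the example stays self-contained."""
    return hashlib.sha256(note_text.encode("utf-8")).hexdigest()


def extract_iocs(note_text: str) -> dict:
    """Return a sorted, de-duplicated list of indicators per IOC type.
    findall() yields the capture group where a pattern has one (victim_id)
    and the whole match otherwise."""
    return {kind: sorted(set(pattern.findall(note_text)))
            for kind, pattern in IOC_PATTERNS.items()}


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into tickets and chat (not clickable)."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    print("note sha256:", note_sha256(SAMPLE_NOTE))
    for kind, values in extract_iocs(SAMPLE_NOTE).items():
        for value in values:
            print(f"{kind:10} {defang(value)}")
```

Record the hash next to the collected file before anything else touches it, and keep the raw (non-defanged) values in the evidence store; only the defanged form should circulate in tickets and chat.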

Queries

Microsoft Defender advanced hunting (KQL) -- hosts with renames to known encrypted extensions, earliest first:

`DeviceFileEvents | where Timestamp > ago(24h) | where ActionType == "FileRenamed" | where FileName endswith ".locked" or FileName endswith ".encrypted" or FileName endswith ".crypt" or FileName endswith ".enc" | summarize AffectedFiles=count(), EarliestRename=min(Timestamp) by DeviceName | order by EarliestRename asc`

Microsoft Defender advanced hunting (KQL) -- shadow copy, boot configuration and backup catalog tampering that typically precedes encryption:

`DeviceProcessEvents | where Timestamp > ago(24h) | where ProcessCommandLine has_any ("vssadmin delete shadows","wmic shadowcopy delete","bcdedit /set","wbadmin delete catalog") | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName | order by Timestamp asc`

Splunk (EDR index) -- spread of each encrypted extension across hosts:

`index=edr (file_extension=".locked" OR file_extension=".encrypted" OR file_extension=".crypt") | stats dc(host) as affected_hosts count by file_extension | sort -affected_hosts`
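The three queries above run inside Defender and Splunk; the block below re-implements their logic in plain Python over constructed telemetry, as an added example that is not part of the original playbook. It exists so the detection logic can be sanity-checked offline: the hosts, accounts, file names and timestamps are all made up, and the substring match stands in for KQL's term-based `has_any`.

```python
"""The playbook's three hunting queries, re-implemented over constructed
telemetry (added example). All records below are fabricated."""
import os
from datetime import datetime, timedelta, timezone

ENCRYPTED_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
SHADOW_TAMPER_MARKERS = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "bcdedit /set",
    "wbadmin delete catalog",
)

T0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)  # constructed baseline

# Constructed DeviceFileEvents-style records: ws-01 renames 120 files in two
# minutes, fs-01 renames one, ws-02 does an unrelated rename.
FILE_EVENTS = [
    {"Timestamp": T0 + timedelta(seconds=i), "DeviceName": "ws-01",
     "ActionType": "FileRenamed", "FileName": f"doc{i}.docx.locked"}
    for i in range(120)
] + [
    {"Timestamp": T0 + timedelta(minutes=5), "DeviceName": "fs-01",
     "ActionType": "FileRenamed", "FileName": "budget.xlsx.encrypted"},
    {"Timestamp": T0 + timedelta(minutes=6), "DeviceName": "fs-01",
     "ActionType": "FileCreated", "FileName": "README.txt"},
    {"Timestamp": T0 + timedelta(minutes=7), "DeviceName": "ws-02",
     "ActionType": "FileRenamed", "FileName": "notes.txt.bak"},
]

# Constructed DeviceProcessEvents-style records; the last one is a benign
# listing that the detection must not flag.
PROCESS_EVENTS = [
    {"Timestamp": T0 - timedelta(minutes=2), "DeviceName": "ws-01", "FileName": "cmd.exe",
     "AccountName": "svc_backup", "ProcessCommandLine": "cmd.exe /c vssadmin delete shadows"},
    {"Timestamp": T0 - timedelta(minutes=1), "DeviceName": "ws-01", "FileName": "wmic.exe",
     "AccountName": "svc_backup", "ProcessCommandLine": "wmic shadowcopy delete"},
    {"Timestamp": T0, "DeviceName": "fs-01", "FileName": "vssadmin.exe",
     "AccountName": "admin", "ProcessCommandLine": "vssadmin list shadows"},
]


def _window_start(events, lookback):
    # ago(24h) is relative to query time; the newest event stands in for "now".
    return max(e["Timestamp"] for e in events) - lookback


def renames_by_device(events, lookback=timedelta(hours=24)):
    """DeviceFileEvents query: per device, the number of renames to encrypted
    extensions and the earliest such rename, ordered earliest first."""
    start = _window_start(events, lookback)
    per_device = {}
    for e in events:
        if e["ActionType"] != "FileRenamed" or e["Timestamp"] <= start:
            continue
        if not e["FileName"].lower().endswith(ENCRYPTED_EXTENSIONS):
            continue
        count, earliest = per_device.get(e["DeviceName"], (0, e["Timestamp"]))
        per_device[e["DeviceName"]] = (count + 1, min(earliest, e["Timestamp"]))
    return sorted(per_device.items(), key=lambda item: item[1][1])


def shadow_copy_tampering(events, lookback=timedelta(hours=24)):
    """DeviceProcessEvents query: command lines carrying a recovery-tampering
    marker. has_any matches whole terms case-insensitively; a lower-cased
    substring check is the closest offline equivalent."""
    start = _window_start(events, lookback)
    hits = [e for e in events
            if e["Timestamp"] > start
            and any(m in e["ProcessCommandLine"].lower() for m in SHADOW_TAMPER_MARKERS)]
    return sorted(hits, key=lambda e: e["Timestamp"])


def hosts_by_extension(events):
    """Splunk query: distinct hosts and event count per encrypted extension,
    most widely spread extension first."""
    hosts, counts = {}, {}
    for e in events:
        ext = os.path.splitext(e["FileName"])[1].lower()
        if ext not in ENCRYPTED_EXTENSIONS:
            continue
        hosts.setdefault(ext, set()).add(e["DeviceName"])
        counts[ext] = counts.get(ext, 0) + 1
    rows = [(ext, len(hosts[ext]), counts[ext]) for ext in counts]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for device, (count, earliest) in renames_by_device(FILE_EVENTS):
        print(f"{device}: {count} encrypted renames, first at {earliest.isoformat()}")
    for e in shadow_copy_tampering(PROCESS_EVENTS):
        print(f"{e['Timestamp'].isoformat()} {e['DeviceName']} {e['AccountName']}: {e['ProcessCommandLine']}")
    for ext, n_hosts, n_events in hosts_by_extension(FILE_EVENTS):
        print(f"{ext}: {n_hosts} host(s), {n_events} event(s)")
```

The earliest rename per device is the value to carry into the timeline: the shadow copy deletions here land two minutes before the first rename on ws-01, which is the ordering the second query is meant to surface.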

Notes

  • NEVER communicate with the threat actor via the ransom note channels without explicit authorization from legal counsel and executive leadership. All communications should go through a professional ransomware negotiator.
  • The ransom note variant identification helps determine if a free decryptor is available. Check nomoreransom.org before considering payment.