Triage | P1 | ~45 min

Analyze Ransom Note and Variant Identification

Collect and analyze the ransom note to identify the ransomware variant, threat actor group, and potential decryption options. The note provides critical intelligence for response strategy.

Actions

  1. Collect the ransom note from affected systems without modifying it, for example `Get-ChildItem "C:\Users\*\Desktop\README*.txt" | Copy-Item -Destination F:\case\ransom_notes\` -- hash the originals first and preserve original metadata (cmd's `copy` cannot expand a wildcard in a directory component such as `Users\*`). Capture wallpaper-based notes with screenshots.

  2. Upload a sample encrypted file and the ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) or No More Ransom (nomoreransom.org) to identify the variant. Do NOT upload files containing sensitive data.

  3. Extract IOCs from the ransom note: Bitcoin/Monero wallet addresses, Tor .onion URLs, email addresses, and unique victim IDs. Check them against threat intelligence platforms (VirusTotal, OTX, MISP).

  4. Analyze the encrypted file extension pattern and encryption markers: `Get-ChildItem -Recurse -Path C:\ -Include "*.locked","*.encrypted","*.crypt" -ErrorAction SilentlyContinue | Select FullName, Extension, Length, LastWriteTime | Export-Csv encrypted_files.csv -NoTypeInformation`.

  5. Check for the ransomware binary: search EDR for the ransomware executable using known variant signatures. Use Volatility on memory dumps (`vol3 -f memdump.raw windows.pstree`) to find the encryption process.

  6. Look for Volume Shadow Copy deletion as a pre-encryption indicator: Event ID 524 (System) for catalog deletion, and `vssadmin delete shadows /all /quiet`, `wmic shadowcopy delete`, or `bcdedit /set {default} recoveryenabled No` in process execution logs (EID 4688 or Sysmon EID 1).

  7. Examine Prefetch files for the ransomware executable: `PECmd.exe -d C:\Windows\Prefetch --csv . --csvf prefetch.csv` -- Prefetch captures the first and last 8 execution timestamps, revealing the exact time encryption began even if the binary was deleted.
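A small extractor for the IOC types step 3 lists (wallet addresses, .onion URLs, email addresses, victim IDs), added here as an example and not part of the playbook. The regexes are format heuristics rather than address validation, and the sample note and every value in it are constructed.

```python
import re

# Heuristic patterns for the IOC types step 3 names. Wallet and .onion formats
# are fixed-length/alphabet checks, not cryptographic validation; the victim-ID
# pattern assumes a GUID-style ID and should be tuned to the variant at hand.
PATTERNS = {
    "btc_wallet": re.compile(
        r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})\b"),
    "xmr_wallet": re.compile(r"\b[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b"),
    "onion_url": re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "victim_id": re.compile(
        r"\b[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\b"),
}


def extract_iocs(note_text: str) -> dict[str, list[str]]:
    """Return IOCs grouped by type, de-duplicated, in order of first appearance."""
    found = {kind: [] for kind in PATTERNS}
    for kind, pattern in PATTERNS.items():
        for match in pattern.findall(note_text):
            if match not in found[kind]:
                found[kind].append(match)
    return found


def defang(ioc: str) -> str:
    """Defang URLs and e-mails so they cannot be clicked when pasted into a ticket."""
    return ioc.replace("http", "hxxp").replace(".", "[.]").replace("@", "[at]")


# Constructed sample note: every value below is made up for this example.
XMR_SAMPLE = "4A" + "Zx9" * 31                                   # 95 base58 chars
ONION_SAMPLE = ("abcdefghijklmnopqrstuvwxyz234567" * 2)[:56] + ".onion"
SAMPLE_NOTE = f"""
YOUR FILES ARE ENCRYPTED
Personal ID: 7F3A9C2E-11B4-4D1A-9E2F-0C5B8A6D4E21
Write to: decrypt@example.test  (backup: help.desk@example.test)
Tor chat: http://{ONION_SAMPLE}/chat
BTC: 1Constructed4Examp1eAddressNoFunds   XMR: {XMR_SAMPLE}
"""

if __name__ == "__main__":
    # Print a defanged list ready for VirusTotal/OTX/MISP lookups.
    for kind, values in extract_iocs(SAMPLE_NOTE).items():
        for value in values:
            print(f"{kind:11} {defang(value)}")
```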

Queries

DeviceFileEvents | where Timestamp > ago(24h) | where ActionType == "FileRenamed" | where FileName endswith ".locked" or FileName endswith ".encrypted" or FileName endswith ".crypt" or FileName endswith ".enc" | summarize AffectedFiles=count(), EarliestRename=min(Timestamp) by DeviceName | order by EarliestRename asc
DeviceProcessEvents | where Timestamp > ago(24h) | where ProcessCommandLine has_any ("vssadmin delete shadows","wmic shadowcopy delete","bcdedit /set","wbadmin delete catalog") | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName | order by Timestamp asc
index=edr (file_extension=".locked" OR file_extension=".encrypted" OR file_extension=".crypt") | stats dc(host) as affected_hosts count by file_extension | sort -affected_hosts
index=sysmon EventCode=1 (CommandLine="*vssadmin delete shadows*" OR CommandLine="*wmic shadowcopy delete*" OR CommandLine="*bcdedit*recoveryenabled*" OR CommandLine="*wbadmin delete catalog*") earliest=-24h | stats count by Computer, Image, CommandLine, User, ParentImage | sort -count

Notes

NEVER communicate with the threat actor via the ransom note channels without explicit authorization from legal counsel and executive leadership. All communications should go through a professional ransomware negotiator.

Identifying the variant from the ransom note determines whether a free decryptor is available. Check nomoreransom.org before considering payment.

Capture the MFT ($MFT) from encrypted volumes to build a complete file modification timeline: `MFTECmd.exe -f "$MFT" --csv . --csvf mft_timeline.csv`. Cluster file rename timestamps to identify the encryption start time and propagation speed across drives.
