Investigating a ransomware attack requires a systematic approach, leveraging event logs, process execution data, and registry modifications to uncover the attack's full scope. This lab walkthrough explores a sophisticated ransomware intrusion where the attacker employed various techniques to deploy and execute malicious payloads, evade detection, exfiltrate sensitive data, and ultimately encrypt files for ransom. By analyzing Sysmon logs, Master File Table (MFT) records, and network activity, we reconstruct the attack timeline and identify key indicators of compromise (IoCs). The adversary in this scenario demonstrates a high level of operational security, utilizing trusted binaries to execute their attack, manipulating file timestamps to mislead forensic investigators, and disabling security controls to ensure persistence. Their approach includes dropping multiple malicious binaries, executing system utilities for reconnaissance and data collection, and employing secure deletion tools to cover their tracks. The forensic analysis involves identifying command-line executions, tracking process relationships, and analyzing registry modifications that provide insights into the attacker’s tactics, techniques, and procedures (TTPs).
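The timestamp manipulation mentioned above is usually exposed by comparing the two timestamp sets in each MFT record: $STANDARD_INFORMATION, which user-mode APIs can rewrite, and $FILE_NAME, which the kernel maintains. The following is an added example (not part of the lab material) that applies two common timestomping heuristics to constructed records; the record layout and sample paths are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass
class MftRecord:
    """Subset of an MFT entry: the two timestamp sets an analyst compares."""
    path: str
    si_created: datetime    # $STANDARD_INFORMATION, writable via SetFileTime
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME, kernel-maintained, not user-settable
    fn_modified: datetime

def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Return heuristic reasons why rec looks timestomped (empty list = clean)."""
    reasons = []
    # $FN creation is set when the file lands on this volume; a $SI creation
    # time earlier than that is not produced by normal file operations.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created precedes $FN created")
    # Tools that set timestamps through second-granularity APIs leave the
    # sub-second part at zero; genuine NTFS timestamps are almost never round.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second component")
    return reasons

def scan(records):
    """Map path -> indicators for every record that triggers at least one."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}

# Constructed sample records (not taken from the lab image).
LEGIT = MftRecord(
    "C:\\Users\\victim\\Documents\\budget.xlsx",
    si_created=datetime(2024, 3, 4, 9, 12, 31, 418203, UTC),
    si_modified=datetime(2024, 3, 6, 15, 2, 7, 991150, UTC),
    fn_created=datetime(2024, 3, 4, 9, 12, 31, 418203, UTC),
    fn_modified=datetime(2024, 3, 4, 9, 12, 31, 418203, UTC),
)
STOMPED = MftRecord(
    "C:\\Windows\\Temp\\svchost.exe",
    si_created=datetime(2019, 7, 10, 12, 0, 0, 0, UTC),        # backdated to blend in
    si_modified=datetime(2019, 7, 10, 12, 0, 0, 0, UTC),
    fn_created=datetime(2024, 3, 6, 14, 58, 22, 305771, UTC),  # actual drop time
    fn_modified=datetime(2024, 3, 6, 14, 58, 22, 305771, UTC),
)

if __name__ == "__main__":
    for path, why in scan([LEGIT, STOMPED]).items():
        print(path, "->", "; ".join(why))
```

The $FN creation time of a flagged file is the value to carry into the timeline, since it reflects when the binary actually arrived on the volume.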
Through this investigation, we uncover how the attacker delivered their payloads, executed ransomware operations, and attempted to erase forensic evidence. The analysis also highlights the importance of monitoring event logs, detecting suspicious process executions, and correlating system modifications to detect and mitigate similar attacks in r