
Ransomware has hit epidemic levels — does your organization have a cyberattack response plan?

By Adam Belsher
November 3, 2021

If the Colonial Pipeline, Accenture and JBS attacks didn’t convince you of the severity of ransomware, perhaps the grim words of FBI Director Christopher Wray will. In an interview with the Wall Street Journal, Wray recently went as far as comparing the challenges posed by ransomware to 9/11, revealing the FBI is investigating 100 different ransomware variants.

As their ambitions grow, cybercriminals are becoming increasingly dangerous. In 2020, a new organization became a victim of ransomware every 10 seconds, according to Check Point. It’s never been easier to carry out a ransomware attack, especially when the Ransomware as a Service model opens the door for criminals without the technical knowledge to develop their own variants. Emsisoft recently estimated that the global damages in ransom costs alone have surpassed $18 billion, with $920 million of that sum attributed to the United States. By all accounts, those numbers are only projected to worsen.

In the face of this rising threat, it is crucial for organizations to plan for what may very well be inevitable. Leadership teams can no longer afford to deploy short-sighted cybersecurity strategies that focus on preventative measures. If ransomware breaches their first line of defense, it is essential for organizations to have a post-incident strategy in place that includes plans, procedures and responsibilities to mitigate the damage. Part of this strategy must leverage digital forensics to investigate the initial threat vector, assess the damage and ensure repeat attacks cannot occur.

Digital forensics may not have had a consistent role in some legacy cybersecurity suites, but it was being used for post-incident analysis as early as 2001. The National Institute of Standards and Technology (NIST) cybersecurity framework has also validated the role of digital forensics in cybersecurity strategies by identifying it as a key action that takes place during the “respond” phase. Over time, organizations have increasingly begun to seek out digital forensics technology to play a key role in how they handle a new generation of threats.

The organizations that have successfully implemented digital forensics will either keep digital forensic specialists on staff to lead investigations or have them pre-identified, or even on retainer, from a third party. In a ransomware attack, these forensic analysts will be alerted to a potential threat by their security teams and immediately begin to validate the initial threat vector and identify the first system that was corrupted. This is possible with the remote acquisition technology incorporated into digital forensic tools that enable analysts to remotely connect to employee devices, image entire disk drives on Windows or Mac and recover data from cloud-based sources such as Microsoft Office 365, Slack or Amazon Web Services. 

The most common ransomware attacks begin with an employee or contractor accidentally clicking on a malicious link. Many of those links are socially engineered to lure the employee in. In this case, performing remote data acquisitions would allow an analyst to quickly cycle through every employee’s email inbox, narrow their focus down to emails that were only recently opened and confirm one of them contained malicious content to identify their “patient zero.” Time is of the essence and analysts cannot afford to wait for an employee to admit to their mistake, if they’re even aware of it, when it takes ransomware an average of three seconds to begin file encryption. 

By the time the initial threat vector has been identified, cybercriminals will have already wreaked havoc on the system and sent a ransom note. It now becomes the job of the analyst to use digital forensics to trace the attacker’s movements and try to contain the damage and prevent further spread across other network segments.

Analysts can build timelines of events using timestamps, event logs and other data that give them a step-by-step breakdown of what a cybercriminal did after gaining access to the system. Criminals deploying ransomware will often seek to transfer important documents onto their own devices, plant back doors, begin encrypting valuable data and find a jumping-off point to another system that may bring them one step closer to achieving domain access or entering the C-suite. If the attacker does successfully gain access to another system, an analyst can connect to that new endpoint and repeat their work.

This process isn’t just critical while a criminal is in the midst of encrypting files; it directly influences how well an organization can recover from an attack. In their digital forensic analysis, analysts can seek to identify whether volume shadow copies, the backups Windows periodically makes of files, have also been tampered with. In some cases, attackers will look to delete shadow copies in advance of encrypting an organization’s files so that victims feel they have no recourse but to pay a ransom. Working to recover deleted files is a much better scenario for analysts than the encryption alternative because digital forensic tools have the ability to retrieve them. In fact, it’s one of the technology’s main uses for police agencies investigating cybercrime and cyber-enabled crime, such as terrorism and human trafficking. With volume shadow copies recovered, organizations can feel secure that they have enough data to fast-track recovery and potentially avoid paying a ransom.
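The timeline building and shadow-copy check described above can be sketched in Python; this is an added example, not part of the original article or of any vendor's tool. The host names, log layouts, the `.locked` extension and every record are constructed assumptions, and process timestamps are assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed records, not from a real incident. Each source keeps its own
# timestamp format, as evidence exported from different tools usually does.
MAIL = [("2021-10-04T09:12:41Z", "ws-017", "user opened mail with external link")]
LOGON = [("2021-10-04T09:52:10Z", "fs-02", "network logon from ws-017")]
PROC = [  # shaped like process-creation records; times assumed to be UTC
    ("10/04/2021 09:40:12", "ws-017", "vssadmin.exe delete shadows /all /quiet"),
    ("10/04/2021 09:13:05", "ws-017", "winword.exe started powershell.exe"),
    ("10/04/2021 09:58:47", "fs-02", "wmic.exe shadowcopy delete"),
]
FILES = [  # epoch seconds; the .locked extension is a made-up marker
    (1633340490, "ws-017", "report.docx renamed to report.docx.locked"),
    (1633341600, "fs-02", "budget.xlsx renamed to budget.xlsx.locked"),
]
SOURCES = {"mail": MAIL, "logon": LOGON, "process": PROC, "file": FILES}

def _parse(fmt):
    return lambda s: datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

PARSERS = {
    "mail": _parse("%Y-%m-%dT%H:%M:%SZ"),
    "logon": _parse("%Y-%m-%dT%H:%M:%SZ"),
    "process": _parse("%m/%d/%Y %H:%M:%S"),
    "file": lambda s: datetime.fromtimestamp(s, tz=timezone.utc),
}
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
ENCRYPTED = re.compile(r"renamed to \S+\.locked$")

def build_timeline(sources):
    """Normalise every record to UTC and merge all sources into one ordered list."""
    events = [(PARSERS[name](ts), host, name, detail)
              for name, records in sources.items()
              for ts, host, detail in records]
    return sorted(events, key=lambda e: e[0])

def first_seen_hosts(timeline):
    """Hosts in order of first appearance; the first is the candidate patient zero."""
    return list(dict.fromkeys(host for _, host, _, _ in timeline))

def shadow_copies_deleted_before_encryption(timeline):
    """Per host: True if a shadow-copy deletion precedes its first encrypted file."""
    deleted, result = set(), {}
    for _, host, source, detail in timeline:
        if source == "process" and SHADOW_DELETE.search(detail):
            deleted.add(host)
        elif source == "file" and ENCRYPTED.search(detail):
            result.setdefault(host, host in deleted)
    return result

if __name__ == "__main__":
    timeline = build_timeline(SOURCES)
    for when, host, source, detail in timeline:
        print(when.isoformat(), host, f"[{source}]", detail)
    print(first_seen_hosts(timeline), shadow_copies_deleted_before_encryption(timeline))
```

A host that maps to `True` had its shadow copies removed before encryption began, so recovery there depends on retrieving the deleted copies or on separate backups.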

Regardless of whether an organization chooses to pay a ransom or move on without their encrypted files, they’ll need to begin to build up their defenses once more in preparation for the next attack. A digital forensic analysis will allow organizations to learn from their mistakes and have a full understanding of how a phishing email, remote desktop protocol hack or more sophisticated method opened the door for cybercriminals. With this information in hand, organizations can patch their defenses and ensure a second breach does not occur through the same weakness.

Unfortunately, repeat attacks are common with ransomware. A 2021 Cybereason report found that 80 percent of organizations that pay ransoms were exposed to a repeat attack and, in 46 percent of the cases, the attack was carried out by the same culprit. These criminals are known to leave back doors in the systems they’ve breached so they can attack a second time or sell the access to another criminal. Shipping and technology company Pitney Bowes suffered two attacks within a single year, while Toll Group, an Australian logistics company, was attacked twice in the span of three months. A digital forensic analyst can identify any back doors or remnants of ransomware on an organization’s systems before they’re brought back online. 

The final goal of digital forensic analysis is to identify the attacker and bring them to justice. The chances of doing so in an external ransomware attack are limited because criminals are often protected by geographic and political barriers. However, the same cannot be said about insiders that unleash ransomware on their own systems. Cybercriminals are reaching out to employees and offering a cut of the rewards if they unleash ransomware on their own employers. Some groups, like LockBit, even leave a solicitation for employees as part of their ransomware notes. 

Analysts can determine if a ransomware attack originated from inside their organizations by building out the timeline of events that occurred before an attack. They may find a USB drive was connected to the system where the attack originated and that the files that were opened from it were malicious. This data will serve as critical digital evidence in both civil and criminal proceedings. Prosecutors can rest assured that the tools used to recover it have been deemed reliable multiple times in state and federal courts because they’re forensically sound and uphold the chain of custody. 

Leadership teams can no longer afford to underestimate ransomware. Cybercriminals have more than proven that they are able to crack the defenses of some of the world’s largest organizations. With each passing day, they’re growing in number, experience and sophistication. It may be uncomfortable, but organizations have to plan for the day that their systems are breached, their files are encrypted and criminals extort them for millions of dollars. Within a diversified cybersecurity strategy, digital forensics can ensure, on that day, organizations have the means to react and, more importantly, recover. 


Adam Belsher is CEO of Magnet Forensics, a developer of digital investigation solutions. After thirteen years in leadership roles at BlackBerry, Adam helped found Magnet Forensics in 2010. The company's tools have helped police and national security organizations recover, analyze and report on critical digital evidence related to cyber-enabled and cybercrime, while helping enterprises investigate data breaches, fraud, IP theft and human resources complaints.
