Case Study: Ransomware Investigation

Scenario: An organization has been hit by ransomware; the investigation needs to identify the initial access vector.

Memory Analysis Steps:

  1. Acquire memory from infected systems
  2. Identify ransomware process
  3. Extract process memory
  4. Analyze parent-child relationships
  5. Review network connections
  6. Check for persistence mechanisms
  7. Extract encryption keys if possible
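Steps 4 and 5 (parent-child relationships and network connections) are where a memory triage usually yields the first concrete lead. The script below is an added example, not code from the original case study: it rebuilds a process tree from a flat process list, flags any process descended from the PsExec service binary, and correlates connections to non-internal addresses (including an inbound RDP session) back to the owning process. The process and connection records, the internal address prefix, and the process name "enc_tool.exe" are constructed for the example and are not findings from the page.

```python
"""Triage of a memory-derived process list and network connection list.

Added example (not the case study's own tooling). Input records are
constructed here to resemble the fields a memory forensics tool exports
for process listings and network scans; field names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str = ""


@dataclass(frozen=True)
class Conn:
    pid: int
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str


# Service binary PsExec drops on the remote host; children of it are
# processes started through the lateral-movement channel.
LATERAL_TOOLS = {"psexesvc.exe"}
RDP_PORT = 3389

# Constructed sample (RFC 5737 documentation addresses): an inbound RDP
# session, a PsExec service spawning a hypothetical encryptor, and
# benign user processes for contrast.
PROCS = [
    Proc(4, 0, "System"),
    Proc(620, 4, "services.exe"),
    Proc(1044, 620, "svchost.exe", "svchost.exe -k termsvcs"),
    Proc(2288, 1044, "explorer.exe"),
    Proc(3100, 2288, "cmd.exe"),
    Proc(3344, 620, "PSEXESVC.exe"),
    Proc(3380, 3344, "enc_tool.exe", "enc_tool.exe --all"),  # hypothetical name
    Proc(4010, 2288, "chrome.exe"),
]
CONNS = [
    Conn(1044, "10.0.0.5", 3389, "198.51.100.23", 51522, "ESTABLISHED"),  # inbound RDP
    Conn(4010, "10.0.0.5", 49710, "10.0.0.10", 443, "ESTABLISHED"),        # internal
    Conn(3380, "10.0.0.5", 49811, "203.0.113.77", 8443, "ESTABLISHED"),    # encryptor, external
    Conn(3344, "10.0.0.5", 445, "10.0.0.20", 51000, "ESTABLISHED"),        # internal SMB peer
]


def index_by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def ancestry(pid: int, by_pid: Dict[int, Proc]) -> List[str]:
    """Process names from the root ancestor down to `pid`; stops on a
    missing parent (e.g. ppid 0) or a cycle in corrupted data."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def flag_lateral_children(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Processes with a lateral-movement tool anywhere above them."""
    by_pid = index_by_pid(procs)
    hits = []
    for p in procs:
        chain = ancestry(p.pid, by_pid)
        parents = {n.lower() for n in chain[:-1]}
        if parents & LATERAL_TOOLS:
            hits.append((p.pid, chain))
    return hits


def external_connections(conns: List[Conn], procs: List[Proc],
                         internal_prefixes=("10.",)) -> List[Tuple[int, str, str, int]]:
    """Connections whose remote address is outside the internal ranges,
    attributed to the owning process name."""
    by_pid = index_by_pid(procs)
    out = []
    for c in conns:
        if not c.raddr.startswith(internal_prefixes):
            name = by_pid[c.pid].name if c.pid in by_pid else "<unknown pid>"
            out.append((c.pid, name, c.raddr, c.rport))
    return out


def inbound_rdp(conns: List[Conn], internal_prefixes=("10.",)) -> List[Conn]:
    """RDP sessions terminated locally from a non-internal peer."""
    return [c for c in conns
            if c.lport == RDP_PORT and not c.raddr.startswith(internal_prefixes)]


if __name__ == "__main__":
    for pid, chain in flag_lateral_children(PROCS):
        print(f"lateral child pid={pid}: {' -> '.join(chain)}")
    for row in external_connections(CONNS, PROCS):
        print("external:", row)
    for c in inbound_rdp(CONNS):
        print("inbound RDP from", c.raddr, "owned by pid", c.pid)
```

On the sample data this reports one process chain (System -> services.exe -> PSEXESVC.exe -> enc_tool.exe), two external connections, and one inbound RDP session, which is the kind of evidence that supports the RDP and PsExec findings listed below; with real exports, the internal prefixes and the lateral-tool set would be adjusted to the environment.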

Key Findings:

  • Initial access through RDP brute force
  • Lateral movement via PsExec
  • Encryption keys partially recovered
  • C2 infrastructure identified