Difficulty: Hard | Category: Exfiltration & Impact | Duration: 45-60 minutes
Tools: SIEM, XDR, Firewall

Ransomware Activity Investigation

When indicators suggest ransomware, mass file encryption, suspicious process behavior, ransom notes, or shadow copy deletion, immediately isolate affected systems to prevent lateral spread. Investigate the attack timeline to determine initial access, scope of encryption, data exfiltration evidence, and which backups are intact. Ransomware investigations are time-critical; every minute of delay means more encrypted files.

Overview

Ransomware investigations are the highest-stakes alerts a SOC analyst faces. Modern ransomware groups operate as organized businesses with dedicated teams for initial access, lateral movement, data exfiltration, and encryption deployment. By the time encryption begins, the attacker has typically been in the environment for days or weeks.

This playbook covers the critical investigation steps from initial detection through containment, focusing on the time-sensitive actions that minimize damage. You will learn to identify pre-encryption indicators, assess backup integrity, detect data exfiltration, and coordinate the incident response.

When You See This

  1. XDR alert for mass file modifications with entropy changes consistent with encryption

  2. Volume Shadow Copy deletion (vssadmin delete shadows) or bcdedit /set changes

  3. Ransom note files (README.txt, DECRYPT.txt) appearing across network shares

  4. SIEM alert for suspicious PowerShell or batch scripts disabling security tools

  5. Multiple endpoints showing the same suspicious process executing simultaneously
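The first indicator above relies on file entropy: encrypted output looks like uniformly random bytes, while documents and source text do not. The following is an added example (not part of the original playbook or any XDR product) of that check run over constructed file writes; the 7.2 bits/byte threshold and the 1.0 minimum jump are assumptions to tune per environment, and comparing against the previous content avoids flagging files that were already high-entropy (archives, images) and were merely re-saved.

```python
import hashlib
import math
from collections import Counter

# Assumed threshold in bits/byte: cipher output sits near 8.0, office documents
# and source text sit well below 6.0. Tune against your own file population.
ENTROPY_THRESHOLD = 7.2
MIN_DELTA = 1.0  # require a real jump vs. the previous content, not just a high value


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before: bytes, after: bytes) -> bool:
    """True when a write replaced structured content with near-random bytes."""
    # The delta test is what keeps zip/jpeg re-saves (already random-looking)
    # from being counted as encryption events.
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= ENTROPY_THRESHOLD and (e_after - e_before) >= MIN_DELTA


def triage_writes(writes):
    """writes: list of (path, bytes_before, bytes_after). Returns (count, flagged paths)."""
    flagged = [path for path, before, after in writes if looks_encrypted(before, after)]
    return len(flagged), flagged


def _pseudo_random(size: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output (constructed data)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed sample: a plaintext report, an "encrypted" version, and an archive re-save.
PLAINTEXT = b"Quarterly report FY24: revenue up 4%, headcount flat, see attached tables.\n" * 40
CIPHERTEXT = _pseudo_random(len(PLAINTEXT))
SAMPLE_WRITES = [
    ("\\\\fileserver\\finance\\report.docx", PLAINTEXT, CIPHERTEXT),                    # encrypted: flag
    ("\\\\fileserver\\finance\\notes.txt", PLAINTEXT, PLAINTEXT + b"edit\n"),           # ordinary edit
    ("\\\\fileserver\\backups\\old.zip", CIPHERTEXT, _pseudo_random(3000, b"zip")),     # already random
]
```

In production the per-file verdicts feed a per-host rate (dozens of flagged writes per minute), which is the signal the XDR alert is built on; a single high-entropy file is not evidence of anything.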

Investigation Steps

  1. IMMEDIATELY isolate affected systems

    This is the one investigation type where containment comes BEFORE full analysis. Isolate affected systems from the network immediately; every minute of delay means more encrypted files and more lateral spread. Use XDR network isolation if available; otherwise coordinate with the network team to block at the switch/VLAN level. Do NOT shut down affected systems, as this destroys volatile forensic evidence.

    Tools: XDR, Firewall

  2. Determine the ransomware variant

    Identify the ransomware family from ransom notes, encrypted file extensions, or process names. This determines whether a decryption tool exists, the typical attack chain, and the threat actor group. Check ransomware identification services with file samples or ransom note text.

    Tools: XDR

    Ransom notes and encrypted-file names by host:
    index=endpoint (file_name="*.encrypted" OR file_name="README.txt" OR file_name="DECRYPT*") | stats count by dest_host, file_path | sort -count

    Processes with unusually high file-modification counts (excluding common system processes; the original `process_name!=(...)` syntax is not valid SPL, so the exclusion uses NOT ... IN):
    index=endpoint NOT process_name IN ("explorer.exe","svchost.exe","system") file_modifications>100 | stats count by dest_host, process_name, process_hash

  3. Map the blast radius

    Determine which systems are encrypted, which are still clean, and which are actively being encrypted. Check network shares, domain controllers, and backup servers specifically. The attacker almost always targets backups as a priority.

    Tools: SIEM, XDR

    Encrypted-file creation over time (Sysmon EventCode 11 is FileCreate); the counts go straight into timechart, since a preceding stats would drop _time and leave timechart nothing to bucket:
    index=endpoint EventCode=11 file_extension IN ("encrypted","locked","crypt") | timechart span=5m count as files_encrypted, dc(dest_host) as affected_hosts

    Decision Point

    If: Encryption is still actively spreading

    Yes → Immediately isolate all systems that have not yet been encrypted. Consider emergency network segmentation.

    No → Encryption has stopped. Focus on determining backup integrity and data exfiltration evidence.

  4. Check for data exfiltration

    Modern ransomware groups almost always exfiltrate data before encrypting; this is the double extortion model. Search for large outbound data transfers, connections to cloud storage services, or archive file creation in the days before encryption began.

    Tools: Firewall, SIEM

    Source/destination pairs with more than 1 GB sent outbound over HTTP/HTTPS:
    index=firewall action=allowed dest_port IN (443, 80) | stats sum(bytes_out) as total_bytes by src_ip, dest_ip | where total_bytes > 1000000000 | sort -total_bytes

    Archiving tools run on endpoints, grouped by command line (staging before exfiltration):
    index=endpoint process_name IN ("7z.exe","rar.exe","winrar.exe","tar.exe") | stats count by dest_host, command_line | sort -count

  5. Assess backup integrity and escalate

    Verify backup integrity: check whether backups are offline/air-gapped and unaffected. Determine the most recent clean backup point. Escalate to incident response leadership with: affected systems count, backup status, exfiltration evidence, ransomware variant, and recommended recovery approach.

    Tools: SIEM

Common Mistakes

  1. Spending time analyzing the alert while encryption continues to spread; isolate FIRST, investigate second

  2. Shutting down affected systems, which destroys volatile memory evidence needed for forensics

  3. Assuming no data was exfiltrated because you only see encryption; double extortion is standard

  4. Not checking backup integrity immediately; attackers specifically target backup infrastructure

  5. Attempting to negotiate with or respond to the attacker without involving legal and leadership

Escalation Criteria

  • Any confirmed ransomware activity is an immediate escalation to incident response leadership

  • Evidence of data exfiltration adds legal and regulatory reporting requirements

  • Domain controller compromise means the entire Active Directory environment is at risk

Practice This Investigation

SOCSimulator provides hands-on training rooms where you work through real-world attack scenarios, including ransomware activity investigations with live SIEM alerts. Build analyst muscle memory with zero consequences. Free forever.


Frequently Asked Questions

Should I shut down affected systems during a ransomware attack?
No. Isolate them from the network but do not shut them down. Shutting down destroys volatile memory evidence that forensic investigators need to determine the full attack chain. Use network isolation via XDR or physical network disconnection instead.
How do I know if data was exfiltrated?
Look for large outbound data transfers in firewall logs, connections to cloud storage or file-sharing services, and archive file creation (7zip, RAR) on compromised systems. Modern ransomware groups nearly always exfiltrate data before encryption as part of their double extortion strategy.
How do I practice ransomware investigations?
SOCSimulator includes multi-stage ransomware scenarios that simulate the full attack chain, from initial access through lateral movement to encryption. Practice the critical time-sensitive decisions in a safe environment. Start free forever.
Related Techniques

  • Data Encrypted for Impact (T1486)

  • Exfiltration Over Alternative Protocol (T1048)

  • Command and Scripting Interpreter (T1059)