Bryley Basics: How to identify the ransomware source on a computer network

Mike Carlson and Gavin Livingstone, Bryley Systems Inc.

Mike Carlson, CTO and a young, 20-year employee at Bryley Systems, had these suggestions on what to do when you get ransomware on your computer network:

  • Identify the end-user login name associated with the ransomware “How to decrypt” text files that are placed in the shared folders. (You would look at the properties of all of these text files to determine the originator.)
  • Remove this end-user’s workstation from the network immediately; preferably disconnect the network cable, but, if not feasible, power it down.
  • Restore all encrypted files from backup.
  • Erase the infected workstation(s) completely, then rebuild it.

In addition, we offered these suggestions in our July 2015 Bryley Information and Tips (BITs):

  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

These three can’t hurt, but the first one won’t stop the next attack and the last two are a bit of a stretch; it seems unlikely that the criminals will ever be pursued unless they happen to be working in this country (which also seems unlikely).

The US Computer Emergency Readiness Team (US-CERT) defines ransomware, its variants, and some solutions at Alert TA16-091A, Ransomware and recent variants.