In the world of ransomware analysis and incident response, having the right tools at your disposal can make all the difference.
Manual Collection Tools
Several tools are essential for collecting forensic artifacts, each with unique capabilities that make them indispensable for incident response:
Kroll Artifact Parser & Extractor (KAPE): This tool simplifies the collection of forensic artifacts. It's versatile and can be run locally on machines or deployed across an environment using Group Policy Objects (GPOs) in Active Directory, System Center Configuration Manager (SCCM), or other deployment tools.
CyLR: Another powerful tool for live response collection. Like KAPE, CyLR can be deployed via GPOs, SCCM, or other methods, making it an excellent choice for comprehensive artifact collection.
Kansa: A PowerShell-driven tool that uses PowerShell Sessions (PSSessions) for remote execution. It relies on PowerShell Remoting (PSRemoting), which might be disabled in many organizations for security reasons. Enabling PSRemoting should be carefully considered, as it can introduce new vulnerabilities.
Deploying Collection Tools
These tools can be deployed in various ways to ensure they are ready for immediate use when needed:
Local Execution: Running the tools directly on the machine where the incident occurred.
Remote Deployment: Using GPOs, SCCM, or other deployment tools to push the tools across the network.
Mounting Drives: For "dead disk" analysis, where you need to collect artifacts from a drive that is not currently mounted. This can be done by mounting the drive as read-only and running the collection tool.
For those who do not have a software deployment tool, PDQ Deploy is a recommended option.
Avoiding Memory Stomping
It's crucial to have a collection tool or method in place before an incident occurs to avoid memory stomping, which can overwrite valuable forensic evidence. Pre-installing the tool across devices can help mitigate this risk. Additionally, collecting from shadow copies or using tools like FTK Imager Lite can help bypass issues with locked files.
Learning and Resources
To deepen your understanding of these tools, here are my blogs:
Parsing Collected Artifacts
Once artifacts are collected, they need to be parsed. Various tools are available for this purpose, with Eric Zimmerman's suite being a popular choice. However, many other tools are available; find the best fit for your needs.
The Best Commercial Tool: Magnet AXIOM
For those seeking an easy-to-use, comprehensive forensics tool for ransomware response, I recommend Magnet's AXIOM.
Scaling Artifact Collection
Collecting artifacts from a single host is straightforward, but when you need to analyze data at scale, it becomes crucial to have efficient tools and methodologies.
Methodologies for Scalable Artifact Collection
1. Secure FTP (SFTP) Servers:
Purpose: Commonly used to warehouse artifacts collected via deployed tools or scripts. Make sure to harden the server: create an account with write-only access (no read access) for pushing collections to it, so that the credentials embedded in a deployed collection command cannot be used to read what other hosts have uploaded.
2. KAPE and CyLR:
Both KAPE and CyLR come with built-in SFTP capabilities, making it easy to push collections to a server within your environment.
Example Commands:
For CyLR:
CyLR.exe -u yourUsername -p yourPassword -s 8.8.8.8:22
For KAPE (each SFTP switch takes its value as a separate argument, and --vhdx needs a base name for the container file):
Kape.exe --tsource C: --tdest D:\ --target !SANS_Triage --scs [server] --scp 22 --scu [user] --scpw [password] --vhdx [basename]
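The write-only drop account from point 1, as an added OpenSSH server configuration that is not part of the original post: it assumes a dedicated user named collector, a chroot at /srv/collections and a writable subdirectory incoming, all of which are placeholder names you would adapt.

```sshd_config
# Added example, not from the original post. Filesystem layout assumed:
#   /srv/collections           owned by root, mode 0755 (chroot; must NOT be user-writable)
#   /srv/collections/incoming  owned by collector, mode 0700 (the only writable path)
# Append to /etc/ssh/sshd_config, then validate with "sshd -t" and reload sshd.

Match User collector
    # Confine the session to the chroot and allow only the SFTP subsystem.
    ChrootDirectory /srv/collections
    # -u 077: uploaded files land as 0600.
    # -P: deny every request that would let the holder of these credentials
    #     download (read), list (readdir) or tamper with (remove, rename,
    #     rmdir, setstat, fsetstat, symlink, readlink, hardlink) uploads made
    #     by other hosts. "sftp-server -Q requests" lists the valid names.
    ForceCommand internal-sftp -u 077 -P read,readdir,remove,rename,rmdir,setstat,fsetstat,symlink,readlink,posix-rename@openssh.com,hardlink@openssh.com
    # The account exists only to push collections: no shell, no TTY, no forwarding.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    # The CyLR and KAPE command lines above authenticate with a password.
    PasswordAuthentication yes
```

Some SFTP client libraries stat or list the destination directory before uploading; if a KAPE or CyLR push fails against this profile, remove readdir from the denied list but keep read denied, since that is the request that protects other hosts' collections.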
Leveraging Velociraptor for Advanced Collection
Velociraptor Overview:
Purpose: An advanced digital forensic and incident response tool that enhances visibility into endpoints.
Capabilities: Allows remote navigation of file systems, refreshing directories, accessing them live, and performing live parsing on data.
Advantages: Versatile and powerful, offering more than just collection.
I haven’t delved into Velociraptor yet, but I plan to learn it in the future. Once I have a good grasp of it, I’ll create a detailed blog post to help you understand and use this tool effectively.
Conclusion
Being prepared with the right tools and knowledge is essential for effective ransomware analysis and incident response. By leveraging tools like KAPE, CyLR, and Kansa, and deploying them effectively, you can ensure that your response is swift and thorough.
For more detailed insights and tool reviews, you can visit the Tool Hub page on my website, where I've created a large number of blogs dedicated to these tools.
Akash Patel