Ransomware: Detecting the source

What is the best way of quickly identifying the source of a ransomware attack before further damage is caused?

Managing the risk ransomware poses is a challenge for IT security teams in businesses of all sizes. One of the greatest threats ransomware poses is the encryption of file shares that users have access to and the associated potential for enormous data loss and business interruption. IT security teams often identify ransomware while it is in the process of encrypting these shares and need to identify the source rapidly in order to prevent further damage, or to ensure that the process does not repeat when backups are restored.

But what is the best way to identify the “patient zero” system in such cases? MWR’s Investigations & Incident Response team are often asked this very question and so we have prepared the following information to help teams identify and contain these incidents as early as possible.


Firstly, when ransomware encrypts a file it usually writes a new file (the encrypted copy, which replaces the original, or a ransom note) rather than editing the original in place, and on NTFS a newly created file is owned by the account that created it. Because the ransomware runs in the context of the compromised user, the owner of those files is the domain user account from which the ransomware is being deployed. The most effective way to identify the source of the attack quickly is therefore to read the owner of an encrypted file or ransom note and then look for the computers on the network that are using that account. (Files that were encrypted in place keep their original owner, so always check a ransom note or a renamed encrypted copy rather than an arbitrary modified file.)

From there, two options are available for rapid containment:

  • Revoke the user account’s access to shares; and
  • Physically isolate the infected computer from the network

To identify the owner, open the file's Properties dialog and read the Owner field (Security tab, then Advanced):

[Screenshot: file properties dialog showing the Owner of an encrypted file]

Alternatively, PowerShell can be used to identify the owner using Get-Acl against one of the encrypted files or ransom notes:

Get-Acl .\ransom.txt | Select-Object Owner

From time to time, challenges such as the security identifier (SID) not resolving to a username arise, typically because the querying host cannot reach a domain controller or the account belongs to a domain the host cannot translate. There are a number of methods to resolve user SIDs to user names as follows:

 -        WMI (through the command line; note that WMIC is deprecated on current Windows releases, and on a domain member this query can be slow because it enumerates domain accounts):

wmic useraccount where sid='S-1-5-21-123456789-123456789-1234567890-1234' get name

-        PowerShell – domain environment (binds to the directory object directly by SID, so it works even when the local host cannot translate the SID):

$strSID = 'S-1-5-21-123456789-123456789-1234567890-1234'
$uSid = [ADSI]"LDAP://<SID=$strSID>"
$uSid.sAMAccountName
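As an added example (not part of the original post), the following PowerShell ties the owner lookup and the SID resolution together across a whole share: it finds ransom notes and renamed encrypted files, resolves each file's owner (falling back to the LDAP-by-SID lookup above when the host cannot translate the SID), and ranks the accounts by how many artefacts they own and when their first one was written. The share path, the ransom-note name and the .locked extension are assumptions to replace with what the incident actually shows.

```powershell
# Added example, not the original post's code. Scans a share for ransom notes and
# renamed encrypted files, resolves their owners, and ranks the owning accounts.
# Share path, note name and extension below are placeholders (assumptions).

function Resolve-OwnerSid {
    param([Parameter(Mandatory)] [string]$Sid)
    # First try the normal translation; if the host cannot translate the SID,
    # fall back to binding the directory object by SID over LDAP.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        try {
            $u = [ADSI]"LDAP://<SID=$Sid>"
            if ($u.sAMAccountName) { return "$($u.sAMAccountName)" }
        } catch { }
        return $Sid   # still unresolved: report the raw SID rather than dropping it
    }
}

function Get-RansomwareOwnerSummary {
    param(
        [Parameter(Mandatory)] [string]$SharePath,     # e.g. '\\fileserver01\data' (assumed)
        [string]$NoteName     = 'ransom.txt',          # assumed ransom-note file name
        [string]$EncExtension = '.locked'              # assumed extension added to encrypted files
    )
    # Only files the ransomware created carry its account as owner; files encrypted
    # in place keep their original owner. Notes and renamed copies are the reliable signal.
    $files = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $NoteName -or $_.Extension -eq $EncExtension }

    $files | ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).Owner
        # Get-Acl returns a raw SID string when it cannot resolve the owner itself.
        if ($owner -match '^S-1-') { $owner = Resolve-OwnerSid -Sid $owner }
        [pscustomobject]@{ Owner = $owner; Path = $_.FullName; Written = $_.LastWriteTimeUtc }
    } |
    Group-Object Owner |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Written)
        [pscustomobject]@{
            Owner      = $_.Name
            Files      = $_.Count
            FirstSeen  = $sorted[0].Written      # earliest artefact: when this account started writing
            LastSeen   = $sorted[-1].Written
            SampleFile = $sorted[0].Path         # a file to hand to forensics
        }
    } | Sort-Object FirstSeen
}

# Usage, from a host whose account can read the share and its ACLs:
# Get-RansomwareOwnerSummary -SharePath '\\fileserver01\data' | Format-Table -AutoSize
```

Run it from a host that can read the share, because Get-Acl needs read-permission on each file's security descriptor. If more than one account appears with overlapping FirstSeen times, treat the case as having several points of origin, as discussed at the end of this article.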

Once the username has been obtained, the computer that the user account is currently logged in from must be found. The script below queries every enabled computer in the domain with quser, so Remote Server Administration Tools for Windows must be installed with the Active Directory Module for Windows PowerShell enabled, and the querying host needs network access to each computer.

NOTE: Searching in this manner may take a large amount of time depending on the size of your domain.

Import-Module ActiveDirectory
$SessionList = @()
$Computers = Get-ADComputer -Filter { Enabled -eq $true }
ForEach ($comp in $Computers) {
    $Computer = $comp.Name
    Write-Host "Querying $Computer"
    # quser prints a space-aligned table; collapse each run of whitespace to a comma so it parses as CSV
    $csvTmp = @(quser /server:$Computer 2>$null | ForEach-Object { $_.Trim() -replace '\s+', ',' })
    If ($csvTmp.Count -lt 2) { Continue }   # unreachable host, or no sessions on it
    # The header contains "TIME" twice (IDLE TIME, LOGON TIME); suffix the last one so ConvertFrom-Csv accepts it
    $queryResults = @($csvTmp[0] + '-2') + $csvTmp[1..($csvTmp.Count - 1)] | ConvertFrom-Csv
    ForEach ($queryResult in $queryResults) {
        $User = $queryResult.USERNAME
        If ($User -and ($User -match '[a-z]')) {
            Write-Host "$Computer logged in by $User"
            $SessionList += "$Computer logged in by $User"
        }
    }
}
$SessionList | findstr /I "USERNAME"   # replace USERNAME with the account identified above

From here, network administrators should be able to assist in identifying the physical host based on the network architecture, subnet and through querying network infrastructure devices.

In addition to the above, if the attack is currently ongoing, there are other options to look for active sessions and open files in Windows Server environments.

-        Active user sessions:

Computer Management -> System Tools -> Shared Folders -> Sessions

-        Open files:

Users with shared files that are currently opened:

Computer Management -> System Tools -> Shared Folders -> Open Files
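The PowerShell equivalent of the two Computer Management views above is the SmbShare module (Windows Server 2012 and later), which also gives the client computer name or IP address behind each session, which is exactly what the network team needs to locate the physical host. The following is an added example rather than the original post's code; the account name and the assumption that it is run directly on the file server are placeholders.

```powershell
# Added example, not the original post's code. Run on the file server (SmbShare module,
# Windows Server 2012+). Lists the SMB sessions and open files of a suspect account, with
# the client behind each, and optionally closes those sessions as a first containment step.

function Get-SuspectSmbActivity {
    param([Parameter(Mandatory)] [string]$UserName)    # e.g. 'CORP\jsmith' (assumed)

    # Active SMB sessions for the account. ClientComputerName holds the client's address,
    # which the network team can map to a switch port and a physical machine.
    $sessions = @(Get-SmbSession | Where-Object { $_.ClientUserName -ieq $UserName })
    # Files the account currently holds open on the shares (what is being encrypted right now).
    $open = @(Get-SmbOpenFile | Where-Object { $_.ClientUserName -ieq $UserName })

    [pscustomobject]@{
        User      = $UserName
        Clients   = @($sessions | Select-Object -ExpandProperty ClientComputerName -Unique)
        Sessions  = @($sessions | Select-Object SessionId, ClientComputerName, NumOpens, SecondsIdle)
        OpenFiles = @($open | Select-Object ClientComputerName, Path, ShareRelativePath)
    }
}

function Disconnect-SuspectSmbSessions {
    # Containment: drop the account's SMB sessions immediately. This interrupts the current
    # write stream, but the client simply reconnects unless the account's share access is
    # also revoked and the host is isolated, as the article recommends.
    param([Parameter(Mandatory)] [string]$UserName, [switch]$Force)
    $targets = @(Get-SmbSession | Where-Object { $_.ClientUserName -ieq $UserName })
    foreach ($s in $targets) {
        Write-Host "Closing session $($s.SessionId) from $($s.ClientComputerName)"
        Close-SmbSession -SessionId $s.SessionId -Force:$Force -Confirm:$false
    }
    return $targets.Count
}

# Usage on the file server:
# Get-SuspectSmbActivity -UserName 'CORP\jsmith' | Format-List
# Disconnect-SuspectSmbSessions -UserName 'CORP\jsmith' -Force
```

Record the output of Get-SuspectSmbActivity before disconnecting anything: the open-file list and client addresses are evidence that disappears once the session is closed.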

Ransomware Prevention & Response

With ransomware becoming more prevalent every day, the requirement for protection as well as a comprehensive response plan for these types of incidents is of the utmost importance. Determining the origin of the ransomware infection and isolating the source or revoking the affected user’s access to shares may stop the encryption that is already underway, but this requires a rapid response and during every second that patient zero is being tracked down, business critical data are being encrypted for ransom.

The advice here also does not take into account cases where a more targeted and manual approach is used by an attacker, a trend that MWR is seeing become increasingly common: attackers perform reconnaissance within the estate, move laterally across the network, destroy online backups and focus encryption on high-value targets within the domain, using multiple points of origin simultaneously to speed up the encryption process and thereby reducing the amount of time available to respond and contain the incident. In cases like these, more in-depth investigation is required to determine the origin of the attack and contain live attackers on the network.

As ransomware attacks develop into a more substantial threat to enterprise environments, more appropriate security controls need to be in place to help protect organizations from this threat. While identifying the source of an attack is critical to ensuring that no further damage is done, having set up a defence and response solution in the first place to stop ransomware in its tracks is obviously an advantage.

With this in mind, MWR has developed an anti-ransomware agent, RansomFlare, which uses a combination of machine learning and behavioral analysis to identify ransomware as soon as it runs on a computer system. When an attack is identified, RansomFlare immediately intervenes to protect the data and the endpoint by stopping the ransomware in its tracks, in addition to alerting your security team with flexible communication options to meet your needs. Additionally, RansomFlare is supplied with remote response functionality that allows for the MWR Incident Response team to gather forensic artefacts to support the investigation and intervene with containment in the field.


