5 Quick Tips To Hunt Down Ransomware With LANGuardian
How To Hunt Down Ransomware With LANGuardian
A ransomware infection usually starts with an initial infection vector: a user opening an email attachment, a malicious advertisement on a website, or a drive-by redirect to an exploit kit such as Angler, which then pulls the payload (CryptoWall, for example) down to the machine.
If you have been infected by ransomware, use the search page (top left) and the event reports to:
- Enter the IP of the infected machine in the forensic search (https://x.x.x.x/main.cgi).
- Enter the name of a file the ransomware dropped or modified on the machine, e.g. HELP_DECRYPT.txt, into the ‘Filename’ field on the same search page (https://x.x.x.x/main.cgi) to see whether it has spread, and to where. Pay attention to which hosts wrote the file to a share rather than merely read it: the writer is the encrypting endpoint, a reader is usually just a user opening the note.
- Run the All Events::By Signature report – https://x.x.x.x/netmon/view.cgi?id=&rid=52
- Run the All Events::By Destination report – https://x.x.x.x/netmon/view.cgi?id=&rid=106 – putting the infected machine’s IP in the destination filter field.
- Check which websites and IP addresses the machine visited around the time of the initial infection; among them you should find the communication with the C&C server. Confirm a suspect website or IP is malicious by checking it with VirusTotal’s URL lookup. Running a website search for that domain over, say, the last 24 hours is also a good way to see whether anybody else has been infected.
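The pivots above (find who wrote the ransom note, look back at what that host contacted just before it started encrypting, then check who else talked to the same destination) can be scripted against any file-share and web-activity log. The following is an added example and not LANGuardian code or output: the two log formats, the hostnames, the IP addresses and the 30-minute look-back window are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not real LANGuardian output), one event per line.
# SMB:  <timestamp> <client_ip> <server> <path> <action>
SMB_LOG = """\
2016-03-01T09:02:11 10.0.0.45 fs01 finance/Q1/budget.xlsx read
2016-03-01T09:11:48 10.0.0.45 fs01 finance/Q1/budget.xlsx.ccc write
2016-03-01T09:11:49 10.0.0.45 fs01 finance/Q1/HELP_DECRYPT.txt write
2016-03-01T09:30:02 10.0.0.77 fs01 hr/policies.docx read
2016-03-01T10:05:33 10.0.0.77 fs01 hr/HELP_DECRYPT.txt write
2016-03-01T10:20:00 10.0.0.12 fs01 finance/Q1/HELP_DECRYPT.txt read
"""
# HTTP: <timestamp> <client_ip> <dest_host> <dest_ip>
HTTP_LOG = """\
2016-03-01T08:40:10 10.0.0.45 www.example-news.test 203.0.113.10
2016-03-01T08:58:31 10.0.0.45 ads.cdn-example.test 198.51.100.24
2016-03-01T08:58:33 10.0.0.45 update-check.test 198.51.100.77
2016-03-01T09:00:05 10.0.0.45 update-check.test 198.51.100.77
2016-03-01T09:40:00 10.0.0.45 www.example-news.test 203.0.113.10
2016-03-01T09:55:12 10.0.0.77 update-check.test 198.51.100.77
2016-03-01T10:30:00 10.0.0.12 www.example-news.test 203.0.113.10
"""

# Ransom-note filename from the post; extend with the note(s) your variant drops.
RANSOM_NOTES = {"HELP_DECRYPT.txt"}
SMB_FIELDS = ("ts", "client", "server", "path", "action")
HTTP_FIELDS = ("ts", "client", "host", "dest_ip")


def parse_log(text, fields):
    """Split whitespace-separated log lines into dicts with the given field names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(zip(fields, line.split()))
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def first_note_writes(smb_events, note_names=RANSOM_NOTES):
    """Earliest time each client WROTE a ransom note to a share.

    Only writes count: a user who merely opens HELP_DECRYPT.txt left behind by
    another host shows up as a read and is not the infected endpoint.
    """
    first = {}
    for ev in smb_events:
        name = ev["path"].rsplit("/", 1)[-1]
        if ev["action"] == "write" and name in note_names:
            if ev["client"] not in first or ev["ts"] < first[ev["client"]]:
                first[ev["client"]] = ev["ts"]
    return first


def contacts_before(http_events, client, t0, window=timedelta(minutes=30)):
    """Distinct (host, dest_ip) the client reached in the window before t0, oldest first."""
    seen, out = set(), []
    for ev in sorted(http_events, key=lambda e: e["ts"]):
        if ev["client"] != client or not (t0 - window <= ev["ts"] <= t0):
            continue
        key = (ev["host"], ev["dest_ip"])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def candidate_c2(http_events, first_writes, window=timedelta(minutes=30)):
    """Destinations every infected host contacted just before it began writing notes.

    A destination shared by all infected hosts is a strong C&C / payload-server
    candidate; confirm it with an external reputation check before acting on it.
    """
    per_host = [set(contacts_before(http_events, ip, t0, window))
                for ip, t0 in first_writes.items()]
    return set.intersection(*per_host) if per_host else set()


def hosts_contacting(http_events, host, since):
    """Every client that talked to `host` since `since`: who else may be infected."""
    return {ev["client"] for ev in http_events
            if ev["host"] == host and ev["ts"] >= since}


def hunt(smb_text=SMB_LOG, http_text=HTTP_LOG):
    """Run the three pivots and return (infected hosts, C&C candidates, exposure)."""
    smb = parse_log(smb_text, SMB_FIELDS)
    http = parse_log(http_text, HTTP_FIELDS)
    infected = first_note_writes(smb)
    c2 = candidate_c2(http, infected)
    since = min(infected.values()) - timedelta(hours=24) if infected else None
    exposure = {host: hosts_contacting(http, host, since) for host, _ip in c2}
    return infected, c2, exposure


if __name__ == "__main__":
    infected, c2, exposure = hunt()
    for ip, t0 in sorted(infected.items(), key=lambda kv: kv[1]):
        print(f"{ip}: first ransom-note write at {t0}")
    print("candidate C&C:", c2)
    print("clients that reached the candidates in the last 24h:", exposure)
```

On the constructed data, 10.0.0.45 and 10.0.0.77 are flagged because they wrote the note, 10.0.0.12 is not (it only read a note left on the share), and update-check.test is the one destination both infected hosts contacted in the half hour before encryption began, which is where you would pivot to VirusTotal and then to a domain search over the last 24 hours.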
Following the steps above you should be able to hunt down the ransomware and find out when and where the initial infection came from.