Professional Documents
Culture Documents
Ransomware Job Aid
Ransomware Job Aid
Detect
Page 1 of 47
Detect
Page 2 of 47
Analyze
Review the event history in CloudTrail to determine who created the suspicious
bucket.
Page 3 of 47
Analyze
Review the event history in CloudTrail to determine who created the suspicious
bucket.
Page 4 of 47
Analyze
Review the event history in CloudTrail to determine who created the suspicious
bucket.
Page 5 of 47
Analyze
Use CloudTrail to investigate the events performed by the user who created the
suspicious bucket.
Page 6 of 47
Analyze
Use CloudTrail to investigate the events performed by the user who created the
suspicious bucket.
Page 7 of 47
Contain
Disable the compromised user’s console access and deactivate the user’s access key.
Page 8 of 47
Contain
Disable the compromised user’s console access and deactivate the user’s access key.
Page 9 of 47
Contain
Disable the compromised user’s console access and deactivate the user’s access key.
Page 10 of 47
Contain
Disable the compromised user’s console access and deactivate the user’s access key.
Page 11 of 47
Contain
Disable the compromised user’s console access and deactivate the user’s access key.
Page 12 of 47
Analyze
Page 13 of 47
Analyze
Page 14 of 47
Analyze
Use Athena to determine the location of the sensitive file that the ransomware group
claimed they took.
Page 15 of 47
Analyze
Use Athena to determine the location of the sensitive file that the ransomware group
claimed they took.
Page 16 of 47
Analyze
Use Athena to determine the IAM user that deleted the sensitive file.
Page 17 of 47
Contain
Disable the user’s console access, and deactivate the user’s access key.
Page 18 of 47
Contain
Disable the user’s console access, and deactivate the user’s access key.
Page 19 of 47
Contain
Disable the user’s console access, and deactivate the user’s access key.
Page 20 of 47
Contain
Disable the user’s console access, and deactivate the user’s access key.
Page 21 of 47
Step 8: A confirmation pop-up displays. Choose
Deactivate.
Page 22 of 47
Analyze
Use Athena to review other events performed by the second IAM user we discovered.
Page 23 of 47
Analyze
Use Athena to review other events performed by the second IAM user we discovered.
Page 24 of 47
Step 5: We can reduce the number of results by
eliminating these two API calls from our query. In
Athena, on the Editor tab, enter SELECT, * FROM
“irworkingshopgluedatabase”.”irworkshopglue
tablecloudtrail” where useridentity.username =
‘tdir-workshop-jstile-dev’ and eventname !=
‘DeleteObject’ and eventname != ‘GetObject’
and then choose Run again.
Page 25 of 47
Step 7: Let’s analyze the last seven API calls and focus on
the time they occurred.
Page 26 of 47
Analyze
Use Athena to review other events performed by the second IAM user we discovered.
Page 27 of 47
Analyze
Use Athena to review other events performed by the second IAM user we discovered.
Page 28 of 47
Analyze
Use Athena to review other events performed by the second IAM user we discovered.
Page 29 of 47
Analyze
Page 30 of 47
Analyze
Page 31 of 47
Analyze
Page 32 of 47
Contain
Page 33 of 47
Contain
Page 34 of 47
Contain
z
z
Page 35 of 47
Contain
Page 36 of 47
Eradicate
Use Amazon S3 console to remove the ransom note and delete the new bucket.
Page 37 of 47
Eradicate
Use Amazon S3 console to remove the ransom note and delete the new bucket.
Page 38 of 47
Eradicate
Use Amazon S3 console to remove the ransom note and delete the new bucket.
Page 39 of 47
Eradicate
Use Amazon S3 console to remove the ransom note and delete the new bucket.
Page 40 of 47
Eradicate
Use Amazon S3 console to remove the ransom note and delete the new bucket.
Page 41 of 47
Recover
Page 42 of 47
Recover
Page 43 of 47
Recover
Page 44 of 47
Recover
Page 45 of 47
Recover
Page 46 of 47
Recover
Step 12: You can now review the files in the folders.
Page 47 of 47