Summary
In this chapter, we've investigated two very common techniques used by ransomware affiliates to obtain initial access – abusing external remote services and phishing.
As you can see, a wide range of artifacts can be used to reconstruct malicious activity, from volatile memory to Windows event log files. We can also choose among various means of data collection and limit the collected data to what the case requires. This is especially important when we need to collect and analyze data from multiple hosts simultaneously.
Of course, initial access is only the beginning of a human-operated ransomware attack, so there are a lot of things incident responders need to be able to uncover.
In the next chapter, we'll focus on various post-exploitation activities, such as reconnaissance and credential access.