Ransomware: Detecting the source

Paul Pratley
7 min read

What’s the best way of quickly identifying the source of a ransomware attack before further damage is caused? Find out in this article.

Managing the risk ransomware poses is a challenge for IT security teams in businesses of all sizes. One of the great threats ransomware poses is the encryption of file shares that users have access to – not to mention the associated potential for enormous data loss and business interruption.

IT security teams often identify ransomware while it is in the process of encrypting these shares. At that point they need to identify the source rapidly, both to prevent further damage and to make sure the encryption does not start again once backups are restored.

But what is the best way to identify the "patient zero" system in such cases? Our Investigations and Incident Response team is often asked this very question, so we have prepared the following information to help teams identify and contain these incidents as early as possible.


Firstly, when ransomware writes a new file to a share, such as the encrypted copy of a document or a ransom note, NTFS records the account that created it as the file's owner. The most effective way to identify the source of the attack quickly is therefore to read the owner of the encrypted files or ransom notes: that is the domain user account the ransomware is running under. You can then look for the computers on the network that are using that account. One caveat: ransomware that encrypts files in place (overwriting the original rather than writing a new file) leaves the original owner untouched, so check the ransom notes and newly created files rather than the original documents.

From there, two options are available for rapid containment:

1.   Revoke the user account’s access to shares

2.   Physically isolate the infected computer from the network

To identify the owner, right-click one of the encrypted files or a ransom note, open Properties and check the Owner field under Security -> Advanced:

[Screenshot: Properties dialog of a ransom note showing the Owner field]

Alternatively, PowerShell can be used to identify the owner by running Get-Acl against one of the encrypted files or ransom notes:

Get-Acl .\ransom.txt | Select-Object Owner

From time to time the owner is returned as a raw security identifier (SID) rather than a username, for example because the file server cannot reach a domain controller at that moment. There are a number of ways to resolve a user SID to a user name:

 -        WMI (through command line):

wmic useraccount where sid='S-1-5-21-123456789-123456789-1234567890-1234' get name

-        PowerShell – domain environment:


$strSID = 'S-1-5-21-123456789-123456789-1234567890-1234'   # the SID shown as the file owner

# Bind to the directory object by SID; works for any SID the domain can resolve
$uSid = [ADSI]"LDAP://<SID=$strSID>"

$uSid.sAMAccountName
$uSid.distinguishedName
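The steps above, owner lookup and SID resolution, can be run across a whole share at once rather than file by file. The following script is an added example and not code from the original article: it collects files written within a time window, tallies their owners with Get-Acl, and resolves any owner that is still a raw SID. It resolves SIDs with the .NET SecurityIdentifier.Translate method instead of the ADSI binding shown above, and the share path and time window are assumptions to adjust for the incident at hand.

```powershell
# Added example, not from the original article. Assumptions: the share path and
# the time window; adjust both to the incident at hand.
$SharePath     = '\\FILESERVER\Finance'   # assumed share being encrypted
$WindowMinutes = 30
$since = (Get-Date).AddMinutes(-$WindowMinutes)

function Resolve-Owner {
    param([string]$Owner)
    # Get-Acl returns 'DOMAIN\user' when the SID resolves and the raw 'S-1-5-...' string when it does not
    if ($Owner -notmatch '^S-1-') { return $Owner }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Owner)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$Owner (unresolved)"
    }
}

# Files written inside the window: encrypted copies and ransom notes are both new files
# owned by the account the ransomware runs under. Files encrypted in place keep their
# original owner, so they only add noise to the tally.
$files = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl) {
            [pscustomobject]@{ Path = $_.FullName; Written = $_.LastWriteTime; Owner = $acl.Owner }
        }
    }

# Tally owners; the account at the top of the list is the one writing the files
$tally = $files | Group-Object Owner | Sort-Object Count -Descending
$tally | ForEach-Object {
    [pscustomobject]@{ Owner = Resolve-Owner $_.Name; Files = $_.Count }
} | Format-Table -AutoSize

# A handful of the newest files for the top owner, useful as samples for the investigation
if ($tally) {
    $files | Where-Object { $_.Owner -eq $tally[0].Name } |
        Sort-Object Written -Descending |
        Select-Object -First 5 Path, Written
}
```

Run it from an account with read access to the whole share. Keep the window short while the attack is live: the most recent files are the ones that pin down the account, and a multi-terabyte recursive walk on a busy file server takes time.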

Once the username has been obtained, the computer the account is currently logged on to must be found. One approach is to query every enabled computer account in the domain for its interactive sessions with quser. This requires the Remote Server Administration Tools for Windows with the Active Directory Module for Windows PowerShell enabled, and the account running the script needs administrative rights on the computers it queries.

NOTE: Searching in this manner may take a large amount of time depending on the size of your domain, and every computer that is offline adds a timeout of its own.

# Requires RSAT with the Active Directory module for Windows PowerShell
Import-Module ActiveDirectory

$SuspectUser = 'USERNAME'   # replace with the account name resolved from the file owner
$SessionList = @()
$Computers   = Get-ADComputer -Filter {Enabled -eq 'true'}

ForEach ($comp in $Computers) {
    $Computer = $comp.Name
    Write-Host "Querying $Computer"

    # Skip hosts that are offline instead of waiting for the RPC timeout on each one
    # (if ICMP is blocked on your network, remove this check)
    If (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) { Continue }

    # quser prints "No User exists for *" to stderr when nobody is logged on; discard it.
    # Columns are separated by two or more spaces, so split on that rather than on every
    # space: "IDLE TIME" and "LOGON TIME" stay intact and the header is a valid CSV header.
    $csvTmp = quser /server:$Computer 2>$null | ForEach-Object { $_.Trim() -replace '\s{2,}', ',' }
    If (-not $csvTmp) { Continue }

    $queryResults = $csvTmp | ConvertFrom-Csv

    ForEach ($queryResult in $queryResults) {
        # The console session is prefixed with '>' in quser output; disconnected sessions
        # have an empty SESSIONNAME, which shifts the remaining columns by one.
        $User = $queryResult.USERNAME -replace '^>', ''
        If ($User -match '[a-z]') {
            Write-Host "$Computer logged in by $User on session $($queryResult.SESSIONNAME) ($($queryResult.STATE))"
            $SessionList += "$Computer logged in by $User"
        }
    }
}

$SessionList | Select-String -Pattern $SuspectUser

From here, network administrators should be able to assist in identifying the physical host based on the network architecture, subnet, and through querying network infrastructure devices.

In addition to the above, if the attack is currently ongoing, there are other options to look for active sessions and open files in Windows Server environments.

-        Active user sessions:

Computer Management -> System Tools -> Shared Folders -> Sessions

-        Open files:

Users with shared files that are currently opened:

Computer Management -> System Tools -> Shared Folders -> Open Files
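The same information is available from PowerShell on the file server, and it also returns the client computer name or IP address behind each SMB session, which shortcuts the domain-wide quser sweep while the encryption is still running. The following is an added example, not code from the original article, using the SmbShare module cmdlets (Windows Server 2012 / PowerShell 3.0 and later); the account name is a placeholder to replace with the owner identified from the encrypted files, and the containment step is gated behind a switch so it only runs once the account is confirmed.

```powershell
# Added example, not from the original article. Run on the file server hosting the
# encrypted shares. $SuspectUser is a placeholder for the owner of the encrypted files.
$SuspectUser = 'CORP\jsmith'
$Contain     = $false   # set to $true once the account is confirmed as the source

# Which clients hold SMB sessions as this user, and how many files each has open
$sessions = Get-SmbSession | Where-Object { $_.ClientUserName -ieq $SuspectUser }
$sessions |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Format-Table -AutoSize

# Open files show what is being encrypted right now and from where
Get-SmbOpenFile | Where-Object { $_.ClientUserName -ieq $SuspectUser } |
    Select-Object ClientComputerName, Path |
    Sort-Object Path |
    Format-Table -AutoSize

# ClientComputerName is the host (IP or name) to isolate from the network
$hostsToIsolate = $sessions | Select-Object -ExpandProperty ClientComputerName -Unique
Write-Host "Isolate: $($hostsToIsolate -join ', ')"

if ($Contain) {
    # Containment option 1 from above: deny the account on every non-administrative share
    # on this server, then drop its live sessions so the denial takes effect immediately
    Get-SmbShare -Special $false | ForEach-Object {
        Block-SmbShareAccess -Name $_.Name -AccountName $SuspectUser -Force
    }
    Close-SmbSession -ClientUserName $SuspectUser -Force
}
```

Block-SmbShareAccess adds a deny entry to the share permissions rather than touching NTFS ACLs, so it is quick to apply and quick to reverse with Unblock-SmbShareAccess once the endpoint is clean. Closing the sessions matters because an already-authenticated SMB session keeps working until it is torn down.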

Ransomware Prevention and Response

With ransomware becoming more common, the requirement for protection and a comprehensive response plan is of the utmost importance.

Determining the origin of the ransomware infection and isolating the source, or revoking the affected user's access to shares, may stop encryption that is already underway. However, this requires a rapid response, and while patient zero is being tracked down, business-critical data is being encrypted for ransom.

This advice also does not cover cases where an attacker takes a more targeted, hands-on approach, a trend we are seeing become increasingly common.

Attackers will:

  • Perform reconnaissance within the estate
  • Move laterally across the network
  • Destroy online backups
  • Focus encryption of high-value targets within the domain

This is all done using multiple points of origin simultaneously to speed up the encryption process, reducing the time available to respond and contain the incident. In cases like these, more in-depth investigation is required to determine the origin of the attack and contain live attackers on the network.

As ransomware attacks develop into a more substantial threat to enterprise environments, more appropriate security controls need to be in place to help protect organizations. While identifying the source of an attack is critical to making sure no further damage is done, having set up a defense and response capability in the first place to stop ransomware in its tracks is obviously an advantage.

With this in mind, we’ve developed an anti-ransomware agent, RansomFlare. It uses a combination of machine learning and behavioral analysis to identify ransomware as soon as it runs on a computer system.

When an attack is identified, RansomFlare immediately intervenes to protect the data and the endpoint by stopping the ransomware in its tracks, while alerting your security team with flexible communication options to meet your needs.

Additionally, RansomFlare is supplied with remote response functionality that allows for our Incident Response team to gather forensic artefacts to support the investigation and intervene with containment in the field.
