Malicious ransomware attacks (Ransomware), which is one of the most popular cyber attacks today, is the nightmare of all institutions and organizations. The fact that threat actors request cryptocurrency by encrypting the systems they have infiltrated causes serious financial and moral damage to institutions and organizations. Threats of the attackers not returning the data or disclosing it publicly against the non-payment of the payment leave the institution or organization in a difficult situation.

It has been determined that many institutions and organizations take the wrong action in this process. It was observed that the data was corrupted as a result of the ways tried to recover the encrypted data and was irreversible even with the correct key. As a result of the wrong communication established with the ransomers, it was seen that irreparable deadlocks were entered and the institution or organization was faced with consequences that would damage its reputation.

Did you know these?

  • • It is known that institutions affected by ransomware attacks lost thousands of dollars during “Downtime”. (Gartner)
  • • The ransomware attack trend is increasing exponentially every year.
  • • During ransomware attacks, backups are also encrypted due to incorrect backup policies.

Ransomware Incident Response Lifecycle

The life cycle applied in ransomware cases is as follows;


The preparation phase is the most important element in the "Ransomware Incident Response" lifecycle. Determining the roles, underlining the contributions of the roles to the process and technology, and determining the actions in emergencies are of vital importance.


In the detection phase, every data in the network is examined. Detected malicious ransomware is reported after the analysis is carried out. Thanks to the 24/7 monitoring, when malicious ransomware is detected, alarms are generated and reported to the relevant units.

Detection processes are carried out with the detection systems created and developed specifically for the institution in the process. The approaches used during the determinations and some sample studies are as follows.

  • • Hash-Based Detection
  • • File Extention Listing (.crypt, .payme .v.s)
  • • C&C Comunication Detection
  • • Process-Based Detection
    • o Master Key Scanning (Public and Private)
    • o Key production for the victim
    • o Encrypt the victim's key
    • • Behavior-Based Detection
    • o SMB Activity Detection
    • o RDP Activity Detection
    • o VNC Activity Detection


Malicious ransomware and ransomware-oriented attempts detected during the analysis phase are examined by cyber security experts. Approaches identified as False-Positive are analyzed and sorted out during this process, and immediate action is taken for other initiatives.

It is aimed to stop the initiatives as a result of the steps taken within the framework of the planned action by communicating with the roles determined during the preparation process.


During the examinations, malicious software is run in quarantine, technical analyzes are made and malicious activities are analyzed and reported. During the relevant notifications, the ransomware infection map is determined. Some examples and approaches to the infection map are as follows.

Infection Map

    • • Phishing – Executables, malicious business documents (Word, Excel)
    • • Exploit Kits – Browser-based vulnerabilities
    • • Targeted/Independent Attacks – RDP Bruteforce, Exploiting known vulnerabilities


The actions taken to restore the systems that are infected or tried to be infected after the interventions to their natural life cycle are extremely important. After the research was carried out, it was determined that 67% of institutions and organizations encountered a similar attempt again after facing such a malware attack.

UITSEC provides 24/7 support to conduct the necessary work before or after a possible Ransomware attack with experienced consultants, analysts, and experts with both offensive and defensive competencies as well as operations center services.