Ransomware Mitigation: Recovering Encrypted Files

Mitigating ransomware attacks involves preventing, detecting, responding to, and recovering from them. Ransomware is malicious software that encrypts or locks files on a victim's system and demands a ransom to restore access. An effective ransomware mitigation strategy minimizes the risk of such attacks, limits the damage they cause, and ensures that data can be recovered without paying a ransom.

Ransomware mitigation requires that the Ransomware Mitigation setting is enabled in the Behavioral Scan panel of the Anti-malware Profile. See Behavioral Scan.

This section describes how to recover files that ransomware has encrypted.

Step 1: Find Anti-Ransomware Events

To find anti-ransomware events

  1. In the Endpoint Detection and Response menu bar, click Hunting.
  2. In the Search bar, enter event.detectiontype:Anti-ransomware and press Enter. Events matching the query are displayed.

Step 2: Recover Encrypted Files

To recover encrypted files

  1. In the Endpoint Detection and Response menu bar, click Hunting.
  2. In the Search bar, enter event.detectiontype:Anti-ransomware and press Enter. Events matching the query are displayed.
  3. In the Remediation Action column, scroll to the file you want to recover.
  4. Click Recover Files. In the Recover Files dialog box, click Recover. The recovery operation is queued and, depending on its outcome, the status changes to Success or Failed.

File Recovery Alternatives

File recovery alternatives are listed in the following table. 

Tab Steps
Hunting > Events
  1. Search with event.detectiontype:Anti-ransomware.
  2. Open an event.
  3. Go to Affected Artifacts.
  4. Click Recover.
Detections > Incidents
  1. Search with incident.hasantiransomwaredetection:true.
  2. Open an event.
  3. Go to Affected Artifacts.
  4. Click Recover Files.
Detections > Incidents > Timeline
  1. Search with event.detectiontype:Anti-ransomware.
  2. Click Recover Files.
Detections > Alerts
  1. Search with event.detectiontype:Anti-ransomware.
  2. Click Recover Files.

About Viewing Event Details

EDR records security events in detail. Use this information to understand the nature and impact of an event and to investigate and respond to it.

To view event details

  • Click a process in the Object column. The Summary view is displayed.

This information is also available under Related Events > View more.

Focus on the information below for anti-ransomware events.

Area Description
1 - Summary     Shows the latest recovery status: the state of the recovery process, the total number of affected files, the number of files successfully recovered, the number of files that could not be recovered, and the severity score.
2 - Process Details     Analyze the detailed information about the processes involved, such as the process name and full path, SID, username, and more.
3 - Anti-Ransomware Detection     The following information needs your attention:
  • Detection ID: The EPP engine uses this ID to recover files.
  • Affected Artifacts: The number of files that have been encrypted.
  • Processes Involved: The number of processes involved in the attack. This information is captured in the JSON file.
  • Attack Type: A ransomware attack can originate locally or remotely. If the attack type is remote, only process information is displayed; it helps you identify and analyze the specific processes that the attacker targeted or exploited.
4 - Related Processes JSON     A structured (JSON) record of the processes associated with the event. Use it to understand the context and behavior of the detected threat and to support a thorough investigation.
5 - Event     View the event details.

About Viewing Affected Artifacts

Affected artifacts are files impacted by ransomware. Identifying these artifacts is essential for understanding the attack scope and mitigating its effects. Artifacts are based on detection IDs.

The following table explains this view.

Area Description
1    Status: the current state of the impacted file, one of Queued | Success | Failed.
2    Affected File's Path and Recovered File Name: the locations of files that were compromised and the names of files that were restored during the incident response to a ransomware attack. The "Affected File's Path" is the location where malicious activity compromised the file. The "Recovered File Name" is the name of the file after it was successfully restored; the recovery process might restore files to their original names and locations or give them new names if necessary.

To view the affected artifacts

  1. In the Endpoint Detection and Response menu bar, click Hunting.
  2. In the Search bar, enter event.detectiontype:Anti-ransomware and press Enter. Events matching the query are displayed.
  3. Click an event. The Event Details view is displayed.
  4. In the View Mode panel, click Affected Artifacts. The Affected Artifacts view is displayed.

About Recovered Files

The Recover Files dialog lists the affected artifacts and the event details in separate tabs. Use it to manage and monitor the recovery of encrypted files.

To view recovered files

  1. In the Endpoint Detection and Response menu bar, click Responses and then click the Activity Log tab.
  2. From the Action panel, click Recover Files. Alternatively, in the Requested Activity column, click Recover Files on an entry whose recovery succeeded.
  3. In the Recover Files dialog, do the following:
    • Click the Affected Artifacts tab to view the file recovery status, including the number of files successfully recovered and the severity of the attack.
    • Click the Event Details tab to view the event details, such as the type of attack and the processes involved.