Showing posts from March, 2025

XintraLabs - Waifu University Ransomware Case Writeup

Scenario: Waifu University's cyber team has called you after their IT teams reported a number of servers with files that aren't opening and have a strange extension. On your scoping call, the victim also said they had identified a ransom note stating their data has been stolen. When asked about any earlier signs, the victim mentioned some strange, failed login activity early in March 2024 in their Entra ID, but it wasn't of concern at the time. Ransomware typically avoids system files so as not to crash the system, which also happens to be where a lot of forensic evidence is! You have been provided triage images of the hosts and log exports from the relevant systems. The Waifu University team took triage collections from the affected hosts using the account WAIFU\kscanlan6 at approximately 2024-03-07 05:00:00 UTC. Consider activity after this point related to the response. I've tried to make a point here to avoid directly giving the answers; they may b...