Ransomware is here to stay, and it is only going to get bigger. In the last few years we have seen ransomware grow from an annoyance into a real threat. It is not a question of if, but when, you will be confronted with a ransomware attack. In this short post I would like to explain why capturing RAM is so important after a ransomware attack.
To encrypt your files, ransomware needs an encryption key. That key is generated and held in memory during the encryption phase and, in many families, sent to the command-and-control server once encryption finishes (other families wrap it with an attacker-controlled public key and store the wrapped copy in the encrypted files or the ransom note). Once the key has been handed off it is supposed to be wiped from memory. In practice that does not always happen: the key, or the expanded key schedule that an AES implementation keeps next to it, can remain in the process's memory, and from there it can be used to decrypt the files.
It is important to secure the contents of RAM as soon as possible after the attack. The key is gone the moment the system reboots or is powered off, and it can be overwritten even sooner if the ransomware process exits or other processes reclaim its memory. So do not shut the machine down: isolate it from the network instead, and capture memory before you do anything else. If you encounter a system hit by ransomware, I highly recommend that you always capture the RAM, just to be sure.
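As an added example that is not part of the original post, the following Python script shows what "the key stays in memory" looks like in practice. Most AES implementations keep the expanded round keys (176 bytes for AES-128) in memory while encrypting, and a scanner can recover the key by testing every offset of a memory image for a valid key schedule; this is the approach taken by tools such as findaes and aeskeyfind. The memory image here is a constructed stand-in (random filler with one schedule planted in it), not a real capture, and the function names are my own.

```python
# Added example (not from the original post): recover an AES-128 key from a
# memory image by scanning for its expanded key schedule, the technique used
# by tools such as findaes/aeskeyfind. Pure Python, no third-party modules.
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box (inverse in GF(2^8) + affine map) instead of
    hard-coding 256 values that are easy to mistype."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):                        # r = inv ^ rotl1 ^ ... ^ rotl4
            s = ((s << 1) | (s >> 7)) & 0xFF
            r ^= s
        sbox[x] = r ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes, rounds: int = 10) -> bytes:
    """AES-128 key expansion (FIPS-197 section 5.2); returns 16*(rounds+1) bytes."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 4 * (rounds + 1)):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(dump: bytes) -> list:
    """Return [(offset, key)] for every 176-byte AES-128 key schedule in dump.
    A random 16-byte window passes the first-round check with probability
    2^-128, so the full expansion is only computed for genuine candidates."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        cand = bytes(dump[off:off + 16])
        if expand_key(cand, rounds=1)[16:32] != dump[off + 16:off + 32]:
            continue
        if expand_key(cand) == dump[off:off + 176]:
            hits.append((off, cand))
    return hits


def build_sample_dump(key: bytes, offset: int, size: int = 16384, seed: int = 7) -> bytearray:
    """Constructed stand-in for a RAM capture: pseudo-random filler with the
    expanded schedule of `key` placed at `offset`, as an AES implementation
    would leave it on the heap while encrypting. Not a real memory image."""
    rng = random.Random(seed)
    dump = bytearray(rng.getrandbits(8) for _ in range(size))
    dump[offset:offset + 176] = expand_key(key)
    return dump


def wipe_schedule(dump: bytearray, offset: int) -> bytearray:
    """Model a process that zeroes its key material (or a reboot): once the
    schedule is gone the scanner finds nothing."""
    wiped = bytearray(dump)
    wiped[offset:offset + 176] = bytes(176)
    return wiped


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key
    dump = build_sample_dump(key, offset=4096)
    for off, k in find_aes128_keys(dump):
        print(f"AES-128 key schedule at offset {off:#x}: key = {k.hex()}")
    print("after wipe:", find_aes128_keys(wipe_schedule(dump, 4096)))
```

On a real capture you would run the same scan over the whole image (or, better, the memory of the ransomware process extracted with a framework such as Volatility), then try the recovered key against an encrypted file using whatever mode the family is known to use. The wipe step shows the flip side of the argument: if the process has exited cleanly or the machine has been rebooted, there is nothing left to find.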
Want to know how to capture your RAM?
Read more: