It was during an incident response test with a client that this topic came up. The scenario was something like this: Ransomware infects several workstations including a critical shared drive on one of the servers.
During the discussion, several members of the incident response team agreed that the action plan would be to unplug the power from the machine(s) infected with ransomware, then re-image and restore the affected systems.
But then someone said, "what if we don't know where it started from, or if it's completely off our network?"
And that is where forensics comes into the picture. It's about response before recovery.
The very next day, I read an article by J.F. Rice on Computerworld and I feel this paragraph sums it up nicely:
"I asked about the source of the infection. After all, there’s little point in decrypting the files if the malware is still active. It may end up re-encrypting the files, putting him back to square one. But in their haste to stop the infection, they turned off most of the computers and hadn’t yet determined which one was doing the encrypting. I advised him to bring in a professional forensics malware specialist at this point, which he agreed to. In this situation, you want to be 100% sure you contain the situation."
Make sure that forensics is part of the plan, and include that as part of the discussion in your incident response testing.
Read the full J.F. Rice article here...