This first example is the case where users open a shared folder and find that the files in it are encrypted. It presents the greatest potential risk to the organization. Somewhere on the network there is an infected computer, and the ransomware on it is reaching the file share through the logged-on user's mapped drives or saved credentials. Because it runs with that user's permission level, the ransomware walks the share and encrypts every file the user can write to. In a larger organization that set can be extensive, exposing several hundred thousand files to encryption, theft, or both. A large share can take days to encrypt completely, but the process begins and runs for some time before anyone notices. This phase is both damaging and harder to detect, because the victim computer is not yet displaying a ransom message and the only visible symptom is files on the share that no longer open.

To contain the infection, it is essential and time-sensitive to find the infected computer(s) through which the encryption is taking place. The infected account is most commonly identified from the owner attribute of the affected files. The new files the ransomware drops in each folder to tell users their data has been encrypted (the ransom notes) are the most reliable indicator: NTFS sets the owner of a newly created file to the account that created it, so the notes carry the name of the user account under which the ransomware is running. The encrypted files themselves give the same answer only when the ransomware deleted and recreated them (typically with a new extension); a file that was rewritten in place keeps its original owner, so the ownership of encrypted files is a secondary signal and the notes should be checked first.
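The ownership check above, as an added PowerShell example run on (or against) the affected file server; it is not part of the original guidance. The share path, the ransom-note name patterns and the 24-hour look-back are assumptions to be replaced with what is actually observed. It groups recent ransom notes and recently written files by NTFS owner, then, if run on the file server itself, maps the top owner to the client address it is connecting from using the built-in Get-SmbSession cmdlet.

```powershell
# Added example, not from the original document. Assumed values: the share
# path, the ransom-note name patterns and the look-back window.
param(
    [string]$SharePath     = '\\fileserver\dept',                          # assumed UNC path of the hit share
    [string[]]$NotePatterns = @('*README*.txt', '*DECRYPT*.txt', '*.hta'), # assumed ransom-note names
    [int]$LookbackHours    = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Ransom notes are newly created files, so their Owner is the account the
#    ransomware is running as. This is the primary signal.
$notes = Get-ChildItem -Path $SharePath -Recurse -File -Include $NotePatterns -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since }

# 2. Recently written files are the encrypted payload. Their Owner is only
#    meaningful if the ransomware recreated them; a file rewritten in place
#    keeps its original owner, so treat this as a secondary signal.
$recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since }

function Get-OwnerSummary {
    param([System.IO.FileInfo[]]$Files, [string]$Label)
    $Files |
        ForEach-Object {
            # Get-Acl needs only read access to the security descriptor;
            # record unreadable entries instead of aborting the sweep.
            try   { $owner = (Get-Acl -LiteralPath $_.FullName).Owner }
            catch { $owner = '<unreadable>' }
            [pscustomobject]@{ Owner = $owner; Path = $_.FullName; Time = $_.LastWriteTime }
        } |
        Group-Object Owner |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Signal';    e = { $Label } },
                      @{ n = 'Owner';     e = { $_.Name } },
                      Count,
                      @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
                      @{ n = 'Example';   e = { $_.Group[0].Path } }
}

$summary = @(Get-OwnerSummary -Files $notes  -Label 'RansomNote') +
           @(Get-OwnerSummary -Files $recent -Label 'RecentWrite')
$summary | Format-Table -AutoSize

# 3. The owner is an account, not a host. When this runs on the file server,
#    the active SMB sessions map that account to the client it connects from.
$top = $summary | Where-Object Signal -eq 'RansomNote' | Select-Object -First 1
if ($top -and (Get-Command Get-SmbSession -ErrorAction SilentlyContinue)) {
    Get-SmbSession |
        Where-Object { $_.ClientUserName -eq $top.Owner } |
        Select-Object ClientUserName, ClientComputerName, NumOpens, SecondsExists
}
```

Read the RansomNote rows first; a single owner with a FirstSeen close to the earliest user report is the infected account. The FirstSeen value also bounds how long the encryption has been running, which matters for choosing which backup to restore from. Steps 1 and 2 work over a UNC path from any host with read access; step 3 only returns data on the file server itself, since Get-SmbSession reports that server's own sessions.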
Once the account(s) are identified, disable them and isolate the device(s) they are connecting from to halt the encryption on the share. Note that disabling an account does not by itself tear down its existing SMB sessions, so also close those sessions on the file server (or disconnect the share) rather than waiting for them to expire.