Looking for software development? We've movedGrassFed.dev

Ransomware Alert Root Cause

A forensic investigation traced alarming endpoint detections to legitimate backup activity and cleared critical databases for cloud migration.

Ransomware Alert Root Cause

Industries

Accounting

Services

Digital Forensics

About the project

An accounting firm faced endpoint alerts that appeared to show ransomware activity on systems holding critical tax and accounting data. Its security platform quarantined the affected devices, but the firm needed to know whether a real compromise had occurred and whether client information had been exposed.

Key databases were also scheduled for cloud migration, which raised the stakes. Before moving them, the firm needed reliable evidence that the data had not been maliciously changed. The investigation had to preserve the evidence, explain the detections, and provide a sound basis for deciding whether migration could proceed.

What we did

  • We created full forensic disk images of the relevant systems and captured live memory from devices that had remained powered on. Hash verification and controlled evidence handling preserved the integrity of the source data. We also collected endpoint telemetry so file, process, and alert activity could be reviewed together.
  • Because the planned cloud move depended on trusted data, we reviewed the databases early in the investigation. YARA scans, file carving, multi-engine malware checks, timestamp analysis, and reviews of surrounding files tested for malicious content or unauthorized changes. Items that initially drew attention were examined individually and determined to be benign.
  • We correlated endpoint logs with file-creation activity and traced the alerts to vendor-signed backup components. Hashes, digital signatures, and reputation checks showed that the binaries were authentic and unaltered. Behavioral monitoring then isolated a component that created temporary filenames in a predictable sequence.
  • We reverse-engineered the responsible code and recreated its filename logic with a Python script. The reproduced sequence matched the events captured in the logs and explained why ordinary backup activity generated filenames resembling known ransomware indicators. This technical validation ruled out tampering with the backup components.
  • The combined evidence established that the endpoint protection had reacted to benign filename generation, not malicious encryption. The investigation found no ransomware infection, data exfiltration, or other signs of compromise. The reviewed databases were cleared for cloud migration, giving the firm a documented basis to move forward.

Technologies Used

CISCO Secure Endpoint

CISCO Secure Endpoint

Acronis Cyber Protect logo

Acronis Cyber Protect

FTK Imager

FTK Imager

MAGNET Forensic RAM Capture

MAGNET Forensic RAM Capture

Volatility

Volatility

Ghidra

Ghidra

Microsoft Windows logo

Microsoft Windows

YARA

YARA

Virus Total

Virus Total

Python

Python

Browse more projects

Connected Vessel Risk Review

Connected Vessel Risk Review

Account-to-Server Takeover Test

Account-to-Server Takeover Test

Contact Us