tmuster2k · Posted September 8, 2016

Is there a straightforward way to find out which end user clicked on the phishing email to let the ransomware in? I know on a smaller network it might be easy to look through emails, but on a much larger-scale network this may not work. I know I can look at the properties of a shared drive that was encrypted, but this is not totally accurate, since a lot of different users can be accessing this share.
tmuster2k (Author) · Posted September 12, 2016

bump
Marcos (Administrators) · Posted September 12, 2016

Perhaps you could try running ExecutedProgramsList by NirSoft to see a list of executables that have been run recently.
EricJ (Former ESET Employees) · Posted September 13, 2016 · Solution

Hello tmuster2k,

Just adding my 2 cents; however, the best way I've seen to locate the user that was initially infected is to run a scan of all computers and check for detections of 'Ransom-notes' on the systems' local %systemdrive%. ESET should detect Ransom-notes and log these as threats. At that point, it's a matter of reviewing your scan information/logs to look for these detected ransom-notes.

Ransom-notes are typically text files that are placed in the same directory as encrypted documents; they usually have names similar to 'help-decrypt.txt' or 'recover-files.txt'. If you find a computer with detected ransom-notes on the system drive, then it's likely the filecoder infection was run from that computer. If it's a computer with multiple users, check the C:\Users directories to see which users have ransom-notes/encrypted files.

Additionally, you can check ownership of these ransom-note files. This method is typically unreliable, though. In my experience, the ownership is usually set to a group such as 'users' or 'administrators'.

Steps:
- Locate a Ransom-note
- Right-click, select Properties.
- Click on the "Security" tab
- Click 'Advanced'
- Click the Owner tab, and you should be able to view the owner of the file

Hopefully this information helps!

Regards,
EricJ
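The steps in the answer above (look for ransom-note files under the system drive's user profiles, then check who owns them) can be done in bulk from PowerShell instead of clicking through Properties on each file. The script below is an added example and is not from the thread, from ESET, or from EricJ; the filename patterns are assumptions modelled on the 'help-decrypt.txt' / 'recover-files.txt' names mentioned in the post, and the `Get-Acl` call is the command-line equivalent of the Security > Advanced > Owner tab.

```powershell
# Added example (not part of the original thread): sweep user profiles on the
# local system drive for ransom-note-style files and report where they sit,
# which profile they belong to, who owns them, and when they were created.

# Assumed name patterns, built from the examples in the post; extend as needed.
$notePatterns = @('*decrypt*.txt', '*recover*.txt', '*readme*.txt',
                  '*how*to*.txt', '*restore*.txt')

$profileRoot = Join-Path $env:SystemDrive 'Users'

$hits = Get-ChildItem -Path $profileRoot -Recurse -File -Include $notePatterns `
                      -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Owner lookup can fail on locked or inaccessible files; keep going.
        $acl   = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        $owner = if ($acl) { $acl.Owner } else { '<unreadable>' }

        # First path component under \Users is the profile (user) folder.
        $profile = $_.FullName.Substring($profileRoot.Length + 1).Split('\')[0]

        [PSCustomObject]@{
            Computer = $env:COMPUTERNAME
            Profile  = $profile
            Path     = $_.FullName
            Owner    = $owner
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
        }
    }

# Oldest notes first: the profile holding the earliest note is the best lead
# for the user whose session ran the filecoder.
$hits | Sort-Object Created | Format-Table -AutoSize

# Per-profile summary: how many notes, and when the first one appeared.
$hits | Group-Object Profile | ForEach-Object {
    [PSCustomObject]@{
        Profile      = $_.Name
        NoteCount    = $_.Count
        EarliestNote = ($_.Group | Measure-Object -Property Created -Minimum).Minimum
    }
} | Sort-Object EarliestNote | Format-Table -AutoSize
```

Run it on each machine that the scan flagged (for example via `Invoke-Command` against that list of hosts) rather than against the file share, since the post's point is that notes on the local system drive, not on the share, indicate where the infection was launched. As the answer notes, the Owner column will often just be a group such as 'Users' or 'Administrators', so treat the profile folder and the earliest creation time as the primary lead and the owner as a weak corroborating signal.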