Serious investigations need to move quickly to prevent losses and to gather volatile evidence. Although it may not always be possible to know where the attackers are located, acting without delay can help bring about a more rapid resolution. Unfortunately, identifying the attacker is generally not practical, especially in well-executed attacks.
We were called quickly after a bank employee discovered a common extortion attack. This was a serious problem because, in addition to the victim PCs, shared files were inaccessible: they had been encrypted and were being held until the bank paid the attackers for a decryption key.
We immediately began producing a forensic image of each of the affected machines. This was a critical step because it allowed us to discover the nature of the attack. Indicators of compromise (fingerprints of the attack) were discovered, allowing the network to be checked for other victims.
At the same time, the bank's IT staff (an especially sharp crew) were recovering files from their effective backup system. This saved the day, allowing recovery without dealing with the attackers or losing valuable data.