RPT Hours Log (RL Hudson Cryptoware Incident)
Date   Hours   Location       Work
6-11   3       onsite         Remove COPPER + SERVER-HOST + implement workaround so workstations can access internet.
6-11   5.5     bench          Image HDDs for COPPER + SERVER-HOST + analyze files to find malware dropper.
                              Take SHA256 signature for Cylance.
6-12   6.5     bench          Examine files from servers to determine extent of damage: ALL files on CHROME encrypted,
                              about 15% of the file shares on SERVER-HOST encrypted (mostly in DESIGN and IT shares), user files on COPPER encrypted,
                              Synology NAS boxes wiped (clean), Acronis backups on Ext HDD SERVER-HOST encrypted.
6-13   2       remote         Add signatures to Cylance to assist cleanup of dropper and manually log onto and check RPT workstations
                              and network for remaining malware, perform manual mitigations to block spread (SMB and PSEXESVC block).
6-14   3       bench          Receive decryptor from RL Hudson and start decrypting COPPER and SERVER-HOST.
6-15   6.25    bench          Move VHD files SERVER01-DC, RPT-DC2 and RPT-RDS to bench system and begin decryption.
                              Finish decryption of COPPER and create backup image for offline storage. Run SFC/DISM
                              and Windows Update, reinstall antivirus (Cylance). Begin decryption on CHROME.
6-16   1       onsite         Reinstall COPPER in building 3.
6-16   7.5     bench          Finish decryption of SERVER-HOST, run SFC/DISM + Windows Update. Finish decryption of RPT-RDS and RPT-DC2,
                              run SFC + DISM + Windows Update on all and reinstall antivirus.
6-17   12.5    bench/remote   Go through whole network, run LIMA app (from RL Hudson's forensics firm) on 4 servers and 36 workstations,
                              check antivirus/TeamViewer and verify all workstations are on at least Windows 1909, compile LIMA results
                              and send to RL Hudson forensics firm.
6-18   1       onsite         Troubleshoot internet connectivity loss (COMCAST cable modem hung).
       6.25    bench          Finish decrypting CHROME and SERVER01-DC files. Run LIMA utility, SFC/DISM + Windows Updates, then image
                              CHROME and SERVER-HOST hard drives for offline backup.
6-19   4       onsite         Install SERVER-HOST and CHROME and reconfigure workstations for AD access (DHCP/DNS + firewall changes).
                              Test file share access, shared license access, FANUC application (building 3). Bring up everything except VPN tunnels.
                              Run LIMA app on 3 more workstations (RPT126, RPT137 and RPT150) and check AV/TeamViewer and Windows Update.
6-19   1       remote         Monitor network remotely and troubleshoot minor connection issues (CHROME) + forensic firm correspondence.
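As an added illustration of the "SMB and PSEXESVC block" mitigation in the 6-13 entry (example code, not part of the original log), the following PowerShell performs that containment on a single Windows workstation: it blocks inbound SMB (TCP 445) at the host firewall and stops, disables and removes the PsExec service if it was left behind. It assumes an elevated session on Windows 10 / Server 2016 or later with the NetSecurity module; the firewall rule name is our own choice, and the script is meant for workstations, not for the file servers whose shares must stay reachable.

```powershell
# Added example (not from the original log). Host-level containment matching the 6-13
# "SMB and PSEXESVC block". Assumes an elevated PowerShell session; run per workstation.
# Do NOT apply the 445 block to file servers (COPPER/SERVER-HOST) or their shares vanish.

$ruleName = "IR-Block-Inbound-SMB-445"   # assumed name, not a built-in Windows rule

# 1. Block inbound SMB (TCP 445) so this host cannot be reached over SMB from a
#    compromised peer. Idempotent: only creates the rule if it is not already there.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
}

# 2. PsExec installs a temporary service named PSEXESVC on the target. If it is still
#    present, stop it, prevent it from starting again, and delete the service entry.
$svc = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name PSEXESVC -Force -ErrorAction SilentlyContinue
    Set-Service  -Name PSEXESVC -StartupType Disabled
    sc.exe delete PSEXESVC | Out-Null
}

# 3. Remove the service binary PsExec drops into System32 (default location) if present.
$bin = Join-Path $env:SystemRoot "System32\PSEXESVC.exe"
if (Test-Path $bin) { Remove-Item $bin -Force }

# 4. Emit one record per host so the result can be logged alongside the hours entry.
[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    Smb445Blocked = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    PsExecSvcGone = -not (Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue)
    Timestamp     = Get-Date -Format s
}
```

To confirm the port filter actually took, run `Get-NetFirewallRule -DisplayName IR-Block-Inbound-SMB-445 | Get-NetFirewallPortFilter` and check that LocalPort is 445; the rule can be removed with `Remove-NetFirewallRule -DisplayName IR-Block-Inbound-SMB-445` once the network is clean.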
Software used   6x   Cylance (on 6 servers)
Hardware used   1x   1TB HDD (for COPPER backup image)
                1x   2TB HDD (for CHROME backup image)