
Recovering Ransomware-encrypted files from packet capture - cws
https://www.extrahop.com/community/blog/2016/recover-ransomware-encrypted-files-from-packet-capture/
======
cws
This approach will likely be most useful for large enterprises that get
attacked, since they're more likely to have a buffered packet capture of
network traffic. This is still incredibly powerful given that most ransomware-
prevention mechanisms are completely useless once the ransomware is already in
your system.

------
tsupasat
I was pretty impressed that the blog post author thought of this. Pretty
classic Eureka moment! I wonder if there's a way for regular people to do this
with something like Packetbeat and tcpdump?

