Ransomware poses one of the biggest security concerns for organizations today. It is malicious software that encrypts files located on an infected system or network, rendering them inaccessible. The legitimate users of these systems are locked out, and the attackers typically demand a fee before the victims can regain access to the encrypted files and network. These ransomware attacks often cause major disruption to business operations and leave victims with few options for regaining access to their encrypted network: they either restore from backups, if available, or pay the ransom demanded by the attackers in order to ensure business continuity.
While ransomware attacks often appear to occur quickly and without warning, the average ransomware attack can take between two and four months to progress from the initial security breach to the actual triggering of the data-encrypting malware. Researchers at Sophos’ Managed Threat Response (MTR) unit, who work extensively with ransomware victims, have revealed that there is a series of warning signs and indicators organizations can use to determine whether cybercriminals are rooting around within the enterprise network, potentially preparing to launch a ransomware attack. They state that, with some practice, organizations can learn to spot these warning signs in time.
The indicators that may suggest ransomware actors are already within your environment are:
- The first indicator to look out for is network scanners, particularly on servers. The threat actors will typically start the attack by compromising one device on the network, where they begin gathering information such as the company name, the domain, and what admin rights are enabled on the device. They then move on to discovering what else resides on the network and how they can access it, using network scanning tools. If such a tool is found on the enterprise network without a legitimate use within the environment, an investigation should be launched.
- Another indicator is the sudden appearance of tools used to disable antivirus software. After gaining admin rights, the attackers will often try to disable the antivirus protections installed in the environment using commercially available applications designed to assist with the forced removal of software.
- The presence of MimiKatz is another warning sign that should be looked into promptly. Although the tool has legitimate uses for professional penetration testers, it is also very popular with cybercriminals for credential theft. Microsoft Process Explorer can also be used to dump LSASS.exe from memory. The .dmp file created can be moved to the attackers’ test machine, where MimiKatz can be used to safely extract user names and passwords.
- Patterns of suspicious behavior can be another indication that something untoward is going on. Are there any events or behaviors that happen at the same time every day, or in some discernible pattern? Do they persist even after malicious files have been found and removed? This could mean there is something else occurring that has not yet been identified.
- Security teams should also be on the watch for small-scale test attacks. The attackers occasionally deploy the malware to a few computers to see whether the ransomware is successfully deployed and executed or is stopped. If the security tools stop the test attack, the attackers will know they have shown their hand and will have to change their tactics. This gives the security team vital hours to prevent the much larger attack from being launched.
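As an added illustration (not code from the article or from the Sophos MTR team), the script below turns the five indicators above into simple detection rules and runs them over a handful of constructed endpoint telemetry records: watchlisted network scanners and credential-theft tools, a forced-uninstall utility, an LSASS memory dump written to disk, the same process firing at the same minute on three consecutive days, and an antivirus block of one file on a small cluster of hosts within an hour. The log format, field names, tool watchlists (the uninstaller name is a placeholder) and the thresholds are all assumptions a defender would replace with their own telemetry and tooling.

```python
"""Detection rules for the ransomware precursor indicators listed above.

Every log line here is constructed for this example, and the watchlists
and thresholds are placeholders; real deployments would feed EDR or
Sysmon events and tune the lists to their own environment.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: one key=value event per line, UTC timestamps.
SAMPLE_LOG = r"""
2024-03-01T09:12:00Z host=WS01 user=alice event=process image=outlook.exe
2024-03-01T02:15:00Z host=SRV02 user=svc_backup event=process image=nmap.exe
2024-03-01T02:20:00Z host=SRV02 user=svc_backup event=process image=uninstaller_pro.exe
2024-03-01T02:25:00Z host=SRV02 user=svc_backup event=file path=C:\Temp\lsass.dmp
2024-03-01T02:30:00Z host=SRV02 user=svc_backup event=process image=mimikatz.exe
2024-03-01T03:00:00Z host=WS03 user=SYSTEM event=process image=update_helper.exe
2024-03-02T03:00:00Z host=WS03 user=SYSTEM event=process image=update_helper.exe
2024-03-03T03:00:00Z host=WS03 user=SYSTEM event=process image=update_helper.exe
2024-03-03T04:10:00Z host=WS05 user=bob event=av_block file=stage.exe
2024-03-03T04:12:00Z host=WS06 user=carol event=av_block file=stage.exe
2024-03-03T04:15:00Z host=WS07 user=dan event=av_block file=stage.exe
"""

# Placeholder watchlists (assumed for this example, not from the article).
NETWORK_SCANNERS = {"nmap.exe", "advanced_ip_scanner.exe"}
AV_REMOVAL_TOOLS = {"uninstaller_pro.exe"}   # hypothetical forced-uninstall utility
CREDENTIAL_TOOLS = {"mimikatz.exe"}

RECURRING_DAYS = 3        # same host/image/minute seen on this many distinct days
TEST_ATTACK_HOSTS = (2, 5)  # AV blocks of one file on this many hosts in one hour


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_indicators(log_text):
    """Return (host, indicator, detail) tuples for every rule that fires."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    findings = []
    recurring = defaultdict(set)   # (host, image, HH:MM) -> set of dates seen
    blocks = defaultdict(set)      # (file, YYYY-MM-DDTHH) -> set of hosts blocked

    for e in events:
        host, kind = e["host"], e["event"]
        if kind == "process":
            image = e["image"].lower()
            if image in NETWORK_SCANNERS:
                findings.append((host, "network-scanner", image))
            if image in AV_REMOVAL_TOOLS:
                findings.append((host, "av-removal-tool", image))
            if image in CREDENTIAL_TOOLS:
                findings.append((host, "credential-theft-tool", image))
            # Track when each image runs so daily repeats can be spotted later.
            recurring[(host, image, e["ts"].strftime("%H:%M"))].add(e["ts"].date())
        elif kind == "file":
            path = e["path"].lower()
            if "lsass" in path and path.endswith(".dmp"):
                findings.append((host, "lsass-memory-dump", e["path"]))
        elif kind == "av_block":
            blocks[(e["file"], e["ts"].strftime("%Y-%m-%dT%H"))].add(host)

    # Indicator 4: the same thing happening at the same minute day after day.
    for (host, image, hhmm), dates in recurring.items():
        if len(dates) >= RECURRING_DAYS:
            findings.append((host, "recurring-daily-execution", f"{image} at {hhmm} UTC"))

    # Indicator 5: one file blocked on a few hosts in a short window.
    low, high = TEST_ATTACK_HOSTS
    for (fname, hour), hosts in blocks.items():
        if low <= len(hosts) <= high:
            findings.append(("multiple", "possible-test-deployment",
                             f"{fname} blocked on {len(hosts)} hosts during {hour}"))
    return findings


if __name__ == "__main__":
    for host, indicator, detail in detect_indicators(SAMPLE_LOG):
        print(f"{host:9} {indicator:28} {detail}")
```

Each rule is deliberately narrow so that a single finding is cheap to triage; the value comes from correlating several of them on one host or in one time window, as happens for SRV02 in the sample data.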
Organizations must realize that threat actors often use legitimate administrative tools to set the stage for their attacks. This understanding is key to recognizing the signs of an impending ransomware incident: although these legitimate tools make the attackers quite difficult to spot, so that their activities are easily overlooked, they do raise red flags when organizations are alert to how their own tools can be used against them.