Early indicators of a ransomware attack


In a previous post, we took a close look at the phases of a ransomware campaign. Knowing that campaigns take time is important, because this means that you can undertake countermeasures to prevent your business from being victimized.

Most ransomware campaign phases have discernible markers or indicators that ought to serve as red flags for your business. Here are some of the most common ones you need to be aware of.

Phase 1: Distribution campaign

Cybercriminals initiate spreading their ransomware, mostly via email.

Phishing indicators to watch out for in emails, with the mitigation measures you can take:

  • Misspelled or suspicious links in emails
    Mitigation: manually type the base URL into your web browser instead of clicking the link, then investigate the results
  • Unexpected email attachments
    Mitigation: use a different channel to contact the sender and ask whether they truly intended to send you a file
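The two link-related indicators above can be checked mechanically before anyone clicks. The following is an added example written for this post, not code from XBASE or from the original article: it pulls every link out of a message body, compares the visible link text with the real target, looks for near-miss spellings of domains you expect to see (the KNOWN_DOMAINS set, the distance threshold and the SAMPLE_EMAIL body are all constructed for the example), and flags bare-IP or user@host links.

```python
"""Flag the link-level phishing indicators from the table above: display text
that does not match the real target, near-miss spellings of known domains, and
bare-IP or user@host links. Added example (not code from the original post);
KNOWN_DOMAINS, the threshold and SAMPLE_EMAIL are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains your organisation expects to see in mail.
KNOWN_DOMAINS = {"example.com", "microsoft.com", "paypal.com"}
MAX_TYPO_DISTANCE = 2  # assumption: 1-2 character differences count as a look-alike

# Constructed sample message body.
SAMPLE_EMAIL = """
<p>Your account is on hold. Sign in at
   <a href="http://paypa1.com/login">https://www.paypal.com/login</a></p>
<p>Invoice attached: <a href="http://198.51.100.23/inv.zip">Download invoice</a></p>
<p>Docs: <a href="https://example.com/docs">https://example.com/docs</a></p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (assumption: no public-suffix list, so
    multi-label suffixes such as co.uk are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_link(href: str, text: str) -> list:
    """Return human-readable findings for one link (empty list = nothing suspicious)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    # 1. Visible text looks like a URL or domain but the real target differs.
    shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    if shown and registrable_domain(shown.group(1)) != domain:
        findings.append(f"display text '{text}' does not match target host '{host}'")
    # 2. Target domain is a near-miss spelling of a known domain (typosquat).
    if domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < edit_distance(domain, known) <= MAX_TYPO_DISTANCE:
                findings.append(f"'{domain}' looks like a misspelling of '{known}'")
    # 3. Bare IP address or credentials-in-URL tricks.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append(f"link points at a bare IP address {host}")
    if "@" in parsed.netloc:
        findings.append("link contains '@' (user@host trick)")
    return findings


def scan_email_html(html: str) -> dict:
    """Map each suspicious href in the message to its list of findings."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_EMAIL).items():
        print(href)
        for f in findings:
            print("   -", f)
```

On the constructed sample the first link is reported twice (display text points at paypal.com while the target is paypa1.com, and paypa1.com is one edit away from a known domain), the bare-IP invoice link is reported once, and the genuine example.com link produces no finding. The allow-list is the part you would maintain: the check only knows a domain is a near-miss if the real one is in KNOWN_DOMAINS.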

Phase 2: Infection

Here’s where we bite the hacker’s bait, usually by downloading bad attachments or clicking on malicious links and ads without thinking twice about what we did. This marks the start of our race against time.

Phase 3: Setting the stage

The hacker establishes a connection between the infected computer and their command and control (C2) server.

Early indicators to watch out for, with the mitigation measures you can take:

  • Suspicious files and known malware keep coming back despite multiple deletions and reboots
  • Inability to download online anti-malware tools

  Mitigation: seek the help of an IT specialist in performing any of the actions below, as appropriate:

  • Disk image restoration (presuming you have disk images backed up)
  • Reboot and disinfection via another machine that’s clean
  • Reboot via an anti-malware CD or USB thumb drive

Phase 4: Scanning and valuation

Cybercriminals “case the joint,” so to speak. That is, they scope out your network and look for data that’s valuable enough to hold for ransom.

Early indicators to watch out for, with the mitigation measures you can take:

  • Use of network scanning tools like AngryIP and Advanced Port Scanner, especially on servers
    Mitigation: have your IT admin investigate whether anyone in your team used the tools
  • Creation of new administrator accounts
    Mitigation: check whether these accounts were created outside of your account management or ticketing system
  • Presence of Mimikatz, an app popularly used by hackers to commit credential theft
    Mitigation: verify whether anyone in your team is using the app for a legitimate purpose, and only within a secure sandbox virtual environment, to prevent compromising legitimate credentials
  • Use of Microsoft Process Explorer to obtain usernames and passwords from LSASS.exe, a system file responsible for granting/denying access and facilitating password changes
    Mitigation: review the logs for Microsoft Process Explorer for such illicit actions
  • Appearance of legitimate software removal apps, such as GMER, IOBit Installer, PC Hunter, or Process Hacker
    Mitigation: see whether the installation of such apps is warranted
  • Removal of anti-malware software
    Mitigation: verify whether such action was authorized
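Most of the Phase 4 indicators above reduce to two questions an analyst can ask of the Windows security log: did a watch-listed tool start on a host where nobody is cleared to run it, and was a new account created and made an administrator outside the ticketing system? The block below is an added example, not code from the original post or from XBASE. Windows event IDs 4688 (process creation), 4720 (user account created) and 4732 (member added to a security-enabled local group) are real; the flattened field names (time, host, user, process, target, group), the TOOL_WATCHLIST substrings, the approved-account and authorized-user lists and every sample event are constructed for this example and should be tuned to your environment.

```python
"""Reconcile constructed Windows security events against a tool watch-list and a
change-ticket allow-list. Added example, not from the original post. Event IDs
4688, 4720 and 4732 are real Windows security events; the flattened field names
and all sample data are constructed."""
from datetime import datetime, timedelta

# Assumed watch-list: substrings matched against the lower-cased image path of
# a 4688 event. Tune to the tools actually present in your environment.
TOOL_WATCHLIST = {
    "mimikatz": "credential theft",
    "ipscan": "network scanning (Angry IP Scanner)",
    "advanced_port_scanner": "network scanning",
    "procexp": "Process Explorer (LSASS access)",
    "processhacker": "process/driver manipulation",
    "gmer": "rootkit / anti-malware tampering",
    "pchunter": "rootkit / anti-malware tampering",
}

# Constructed: accounts whose creation was approved through the ticketing system.
APPROVED_NEW_ACCOUNTS = {"svc-backup02": "CHG-1042"}
# Constructed: (user, host) pairs cleared to run watch-listed tools, sandbox only.
AUTHORIZED_TOOL_USE = {("alice", "LAB-SANDBOX01")}
ADMIN_WINDOW = timedelta(minutes=30)  # assumption: create-then-elevate correlation window

# Constructed sample events, already flattened from the Windows XML.
SAMPLE_EVENTS = [
    {"time": "2024-03-04 02:11:05", "event_id": 4688, "host": "FILESRV01", "user": "bob",
     "process": r"C:\Users\bob\Downloads\mimikatz.exe"},
    {"time": "2024-03-04 02:12:40", "event_id": 4720, "host": "DC01", "user": "bob",
     "target": "helpdesk2"},
    {"time": "2024-03-04 02:13:02", "event_id": 4732, "host": "DC01", "user": "bob",
     "target": "helpdesk2", "group": "Administrators"},
    {"time": "2024-03-04 09:30:00", "event_id": 4720, "host": "DC01", "user": "carol",
     "target": "svc-backup02"},
    {"time": "2024-03-04 10:05:11", "event_id": 4688, "host": "LAB-SANDBOX01", "user": "alice",
     "process": r"C:\Tools\mimikatz\x64\mimikatz.exe"},
]


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def triage(events: list) -> list:
    """Return (time, severity, message) alerts in chronological order."""
    alerts = []
    created = {}  # account name -> its 4720 event, for the create/elevate correlation
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse(ev["time"])
        if ev["event_id"] == 4688:
            image = ev["process"].lower()
            for needle, why in TOOL_WATCHLIST.items():
                if needle in image:
                    # Cleared analyst on the sandbox host: record it, but do not page anyone.
                    sev = "info" if (ev["user"], ev["host"]) in AUTHORIZED_TOOL_USE else "high"
                    alerts.append((ev["time"], sev,
                                   f"{ev['user']}@{ev['host']} ran {ev['process']} ({why})"))
        elif ev["event_id"] == 4720:
            created[ev["target"]] = ev
            if ev["target"] not in APPROVED_NEW_ACCOUNTS:
                alerts.append((ev["time"], "medium",
                               f"account {ev['target']} created on {ev['host']} by "
                               f"{ev['user']} with no matching change ticket"))
        elif ev["event_id"] == 4732 and ev["group"].lower() == "administrators":
            origin = created.get(ev["target"])
            if (origin and t - parse(origin["time"]) <= ADMIN_WINDOW
                    and ev["target"] not in APPROVED_NEW_ACCOUNTS):
                alerts.append((ev["time"], "high",
                               f"new account {ev['target']} added to Administrators on "
                               f"{ev['host']} within {ADMIN_WINDOW} of creation"))
    return alerts


if __name__ == "__main__":
    for time, sev, msg in triage(SAMPLE_EVENTS):
        print(f"{time} [{sev:6}] {msg}")
```

Run against the constructed events, the unapproved mimikatz launch on the file server and the create-then-elevate sequence for helpdesk2 come out as high, the un-ticketed account creation as medium, and the analyst's sandbox run as info; svc-backup02 produces nothing because its ticket is on file. The value of the correlation in the 4732 branch is that an account creation and an elevation, each defensible on its own, become one event to investigate when they happen minutes apart outside the ticket queue.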

For their convenience, hackers may automate repetitive tasks, so look out for patterns of suspicious behaviour. However, expert hackers cover their tracks by pacing their actions more slowly than the rate at which security programs overwrite their monitoring data, so that no discernible pattern shows up within the logs you still hold.

To make their impending attack more likely to succeed, hackers will take actions that should raise red flags for your security officers. Namely, they will:

  • Try to disable domain controllers, Active Directory, and systems that deploy software patches and updates
  • Corrupt all the backups they can find
  • Launch small test attacks to see if they’ll be impeded or they can commence as planned

Phase 5: Encryption

In this phase, the hacker proceeds to encrypt your data. Locking away data held on the victim’s computer can take just seconds, while doing the same thing to network-based files can take hours.

Since network file encryption takes so long, you may be lucky enough to get wind of it mid-operation. A telltale sign is that the infected computer will be uncharacteristically slow or busy. A visit to the System Monitor may show an unknown process doing a lot of reading and writing to your drive.

A Google search of the name of that process may reveal it to be ransomware. In this case, you’ll want to suspend or pause the operation, disable cloud syncing, and cut the power source of the machine. It's also well worth repeating these steps for all other machines that may be infected.
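The "unknown process doing a lot of reading and writing" described above has a more specific footprint that can be scored automatically: one process touching many files in a short window and changing their extensions as it goes, which a backup or indexing job normally does not do. The block below is an added example, not code from the original post or from XBASE. The event format (time, pid, process, op, path and new_path, as an EDR or file-audit log might export it), the sliding-window thresholds and the two constructed process streams are all assumptions made for the example.

```python
"""Heuristic for the Phase 5 footprint described above: one process touching
many files quickly and changing their extensions as it goes. Added example, not
code from the original post. The event format and all sample data are
constructed; the thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"
WINDOW = timedelta(seconds=60)  # assumption: sliding evaluation window
MIN_FILES = 50                  # assumption: distinct files touched inside one window
MIN_EXT_CHANGES = 30            # assumption: renames in that window that changed the extension


def ext(path: str) -> str:
    """Extension of the last path component, lower-cased, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def burst_writers(events, window=WINDOW, min_files=MIN_FILES, min_ext_changes=MIN_EXT_CHANGES):
    """events: dicts with time, pid, process, op ('write' or 'rename'), path and,
    for renames, new_path. Returns {(pid, process): summary} for every process
    that crossed both thresholds inside some window."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["pid"], ev["process"])].append(ev)

    flagged = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.strptime(e["time"], FMT) for e in evs]
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            in_window = evs[start:end + 1]
            files = {e["path"] for e in in_window}
            renames = [e for e in in_window if e["op"] == "rename"]
            ext_changes = sum(1 for e in renames if ext(e["path"]) != ext(e["new_path"]))
            if len(files) >= min_files and ext_changes >= min_ext_changes:
                top = Counter(ext(e["new_path"]) for e in renames).most_common(1)[0][0]
                flagged[key] = {"files": len(files), "ext_changes": ext_changes,
                                "top_new_ext": top, "first_seen": evs[start]["time"]}
                break  # one verdict per process is enough
    return flagged


def make_sample():
    """Constructed stream: a backup agent copying 120 files with no extension
    changes, and an unknown process rewriting and renaming 80 files in 40 s."""
    base = datetime(2024, 3, 4, 14, 0, 0)
    evs = []
    for i in range(120):
        evs.append({"time": (base + timedelta(seconds=0.4 * i)).strftime(FMT),
                    "pid": 410, "process": "backupagent.exe", "op": "write",
                    "path": f"\\\\nas\\share\\docs\\report{i}.docx"})
    for i in range(80):
        p = f"\\\\nas\\share\\docs\\report{i}.docx"
        t = base + timedelta(seconds=30 + 0.5 * i)
        evs.append({"time": t.strftime(FMT), "pid": 7788, "process": "svchost_update.exe",
                    "op": "write", "path": p})
        evs.append({"time": (t + timedelta(milliseconds=100)).strftime(FMT), "pid": 7788,
                    "process": "svchost_update.exe", "op": "rename", "path": p,
                    "new_path": p + ".locked"})
    return evs


if __name__ == "__main__":
    for (pid, name), s in burst_writers(make_sample()).items():
        print(f"pid {pid} {name}: {s['files']} files, {s['ext_changes']} extension "
              f"changes to .{s['top_new_ext']} since {s['first_seen']}")
```

On the constructed stream only the unknown process is flagged: the backup agent touches more files in the same minute but never changes an extension, which is why the heuristic requires both counts rather than raw write volume. The first_seen timestamp is what you would hand to whoever is about to suspend the process and cut the machine off, since it bounds which files were touched before the alert.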

Phase 6: Ransom is demanded

By now, it’ll be too late for you. You’ll wish you had paid better attention to all the early indicators of a ransomware attack — or at least had someone in your corner who was doing that for you.

Let XBASE provide your business with Exponentially Better™ cybersecurity protection. Schedule a FREE consultation today.
