If you’re unfortunate enough to be the victim of a ransomware attack, you know how damaging and disruptive it can be to your business operations.
Ransomware is a type of malware that encrypts files and systems and demands payment (usually in cryptocurrency) for the key to decrypt them. Once a computer is infected, a ransom note or lock screen appears telling the user to pay. Threat actors sometimes pose as a government agency or some other authority and claim the system has been locked for security reasons, presenting the ransom as a fine.
Ransomware is far more destructive than other cyberattacks, said Patrick Garrity, VP of Operations at Blumira. It often results in the business — or part of the business — getting shut down completely.
The obvious repercussion of ransomware is the financial component of the ransom itself, but that’s only half the battle. Businesses need to restore their systems and strengthen cybersecurity measures. There’s also the loss of productivity associated with downed systems and the attention required to remediate. Without paying ransom, the average cost of a ransomware attack is $732,520, according to a 2020 Sophos Report.
“The reality is that ransomware works in many cases,” Garrity said. “Businesses often pay the fine to simply become operational again.”
However, paying the ransom doesn’t always result in restored operations, and it can fund further criminal activity and expose the business to regulatory penalties. In fact, paying the ransom can roughly double the cost of the attack: the average cost for a company that paid was $1,448,458, according to the same Sophos report.
No matter how you dice it, getting hit with ransomware is a security team’s worst nightmare.
To learn more about the cost of ransomware, download our Security Advisor Series: Cost of Ransomware vs. Cloud SIEM.
Many businesses lack the visibility, tools, or staffing resources needed to detect and prevent ransomware. Some ransomware attacks are a long con; attackers work on a ransomware project for weeks or even months, moving slowly throughout the network to gain access to critical systems and accounts. Newer ransomware attacks can take as little as 12 hours as attackers use more sophisticated techniques, so it’s important to be alert and act quickly.
“Ransomware isn’t something where you press a button and people are magically infected,” Garrity said. “There’s intent going on before that from an attacker perspective.”
There are a series of warning signs to alert you that cybercriminals are in your network and are planning to launch a ransomware attack. If you can spot these indicators and detect an attack in its early stages, you can regain control and prevent real damage. It takes the right tools and some knowledge of what to look out for.
Watch out for these six warning signs of a ransomware attack: phishing emails, unfamiliar network scanners, Active Directory reconnaissance, credential-theft tools, removal of security software, and small-scale test deployments.
Phishing is one of the most common ways that a ransomware attack begins. Attackers send social engineering emails that appear to come from a legitimate company, carrying a malicious attachment or link. Once a user opens the attachment or follows the link, the attacker has a foothold in the network and begins moving laterally.
End user training can give employees the knowledge and awareness to detect a phishing scam. If they do, they can provide an early warning.
Be wary of network scanners that appear on your network but are unfamiliar or have no business use in your company, especially when they show up on servers.
Cybercriminals often start a ransomware attack by gaining access to a single computer. From there, they dig into your network to find out what domain rights that computer and its logged-on user have, and what else they can reach. One way to do this is to install a network scanning tool such as Advanced Port Scanner, Advanced IP Scanner or Angry IP Scanner.
Of course, a network scanner can be a legitimate tool. Check with the rest of your IT team to see if anyone is using a network scanner — if they’re not, then it might be time to raise the red flag.
Around the same time that an attacker installs network scanning software, they will also likely start enumerating your company’s Active Directory (AD) to find a path to domain-level access, using tools such as BloodHound and AdFind.
BloodHound, for example, uses an ingestor called SharpHound, which comes as a command-line .exe or a PowerShell script. SharpHound collects information about AD users, groups, computers and sessions; BloodHound then maps that data into pathways an attacker can follow to escalate privileges to domain administrator.
Infamous ransomware variants such as Ryuk reached AD servers over Microsoft Remote Desktop Protocol (RDP) and then added the ransomware to the domain logon script, so that it executed on every machine where a domain user logged in.
The presence of Mimikatz should always be a red flag; it’s one of the most commonly used attacker tools. Mimikatz is an open source credential-gathering tool that cybercriminals use to pull passwords, hashes and Kerberos tickets out of memory. It’s often used together with a memory dump of lsass.exe, the Local Security Authority Subsystem Service process that holds logged-on users’ credential material; a legitimate tool such as Microsoft’s Process Explorer can write that dump, and Mimikatz then reads the credentials from the dump file offline. Penetration testing (or ethical hacking) can reveal whether an attacker who lands on one of your systems could use Mimikatz to harvest credentials from it.
Some attackers use more subtle approaches to credential theft that are harder to identify than Mimikatz. For example, Cobalt Strike is a post-exploitation platform that uses multiple methods to evade antivirus detection; its command-and-control traffic can be shaped to look like traffic to common services such as Gmail or Bing, and it leaves few traces on an infected system while collecting credentials.
A cloud SIEM like Blumira’s can detect tools on your network, including MimiKatz and Cobalt Strike, and give you instructions on what to do next to prevent an attack.
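The credential-theft warning sign above comes down to one observable: something other than the operating system opening a handle to lsass.exe with memory-read rights. The following is an added example, not Blumira’s detection logic or any vendor’s code, of how that check can be applied to Sysmon Event ID 10 (ProcessAccess) records. The allowlist of benign source processes, the set of known dump tools, the host names and every event in the sample are assumptions constructed for the example; tune the two sets to your own baseline before using anything like this.

```python
"""Flag processes that open LSASS with memory-read rights (Sysmon Event ID 10).

Constructed example: the events below are made up to exercise the logic. Field
names follow Sysmon's ProcessAccess event (SourceImage, TargetImage, GrantedAccess).
"""
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010        # the right needed to read credentials out of LSASS memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # what MiniDumpWriteDump-style tools typically request

# Assumption: processes that legitimately read LSASS memory in this estate.
# Keep the list short and derived from your own baseline, not from a vendor list.
BENIGN_SOURCE_NAMES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Tools that can write an LSASS minidump: Process Explorer ("Create Dump"),
# ProcDump, Process Hacker, Task Manager, and rundll32 loading comsvcs.dll.
KNOWN_DUMPERS = {"procexp.exe", "procexp64.exe", "procdump.exe", "procdump64.exe",
                 "processhacker.exe", "taskmgr.exe", "rundll32.exe"}


@dataclass
class Finding:
    host: str
    source_image: str
    granted_access: int
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_lsass_access(event: dict):
    """Return a Finding for a suspicious ProcessAccess event, or None if benign."""
    if _basename(event["TargetImage"]) != "lsass.exe":
        return None
    source = _basename(event["SourceImage"])
    granted = int(event["GrantedAccess"], 16)
    if source in BENIGN_SOURCE_NAMES:
        return None
    if not (granted & PROCESS_VM_READ):
        # A handle without VM_READ cannot pull secrets out of LSASS memory.
        return None
    if source in KNOWN_DUMPERS:
        reason = "known dump tool opened LSASS with memory-read access"
    elif granted == PROCESS_ALL_ACCESS:
        reason = "full-access handle to LSASS from a non-allowlisted process"
    else:
        reason = "memory-read handle to LSASS from a non-allowlisted process"
    return Finding(event["Computer"], event["SourceImage"], granted, reason)


def scan_process_access(events):
    """Run every ProcessAccess event through the classifier and keep the hits."""
    return [f for f in map(classify_lsass_access, events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"Computer": "WS-042",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Computer": "WS-042", "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Computer": "SRV-07", "SourceImage": r"C:\Tools\procexp64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Computer": "SRV-07", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Computer": "SRV-07", "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]

if __name__ == "__main__":
    for f in scan_process_access(SAMPLE_EVENTS):
        print(f"{f.host}: {f.source_image} (0x{f.granted_access:x}) - {f.reason}")
```

The svchost.exe handle is ignored because 0x1000 carries no VM_READ bit, and the Defender engine is ignored because it is allowlisted; the three remaining events (Mimikatz reading LSASS directly, Process Explorer and rundll32 requesting full access) are exactly the activity described above. Matching on the access mask rather than on the tool name is what catches a renamed Mimikatz binary.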
Once an attacker gains administrative privileges, their next step is usually to remove or disable security software such as antivirus and endpoint agents. They often do this with legitimate utilities: software removal applications like IObit Uninstaller, and low-level process and kernel tools like GMER, PC Hunter and Process Hacker that can terminate or unload protection that resists a normal uninstall.
A logging solution can detect these tools appearing on the network, and if they appear you should ask why. It’s important to note, however, that removal of security software is a late warning sign of ransomware; it usually means the attacker already has admin-level privileges. If you detect it, you must act quickly, within 15 minutes or less, to prevent the ransomware from executing.
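The warning signs for network scanners, Active Directory enumeration, credential theft and security-tool removal all surface in the same telemetry: process-creation events (Sysmon Event ID 1 or Windows Security 4688). What makes them useful together is their order, since a host that has already reached the removal stage needs a very different response from one where a scanner just appeared. The following added example, which is not Blumira’s or any vendor’s detection content, stages those hits per host and assigns the urgency the text above describes. The stage tables, the account allowed to run scanners, the host names and all sample events are assumptions constructed for the example.

```python
"""Stage ransomware-precursor tooling per host from process-creation events.

Works on Sysmon Event ID 1 or Windows Security 4688 fields (Computer, User,
Image, CommandLine, UtcTime). Constructed example: the sample events are made up.
"""
from collections import defaultdict

# Ordered from earliest to latest in a typical intrusion. Each stage lists
# executable names and command-line fragments that indicate it; the fragments
# catch a renamed binary that the name check would miss.
STAGES = [
    ("network recon",
     {"advanced_port_scanner.exe", "advanced_ip_scanner.exe", "ipscan.exe", "nmap.exe"},
     ()),
    ("AD enumeration",
     {"sharphound.exe", "adfind.exe"},
     ("invoke-bloodhound", "sharphound")),
    ("credential theft",
     {"mimikatz.exe"},
     ("sekurlsa::", "lsadump::")),
    ("security tool removal",
     {"iobituninstaller.exe", "gmer.exe", "pchunter32.exe", "pchunter64.exe",
      "processhacker.exe"},
     ()),
]

# Assumption: accounts whose job includes network scanning. Their recon hits are
# recorded but do not count toward the host's stage (the "check with IT" step).
AUTHORIZED_SCANNER_ACCOUNTS = {"corp\\it-netops"}

# Response guidance per highest stage reached; the last one reflects the
# 15-minute window once security tools are being removed.
URGENCY = {
    0: "confirm with IT whether this scan was authorized",
    1: "investigate today: attacker is mapping paths to domain admin",
    2: "isolate the host and reset exposed credentials today",
    3: "isolate now: attacker has admin-level access, expect encryption within minutes",
}


def match_stage(event):
    """Return (stage_index, stage_name) for a process-creation event, or None."""
    image = event["Image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "").lower()
    for idx, (name, images, needles) in enumerate(STAGES):
        if image in images or any(n in cmdline for n in needles):
            return idx, name
    return None


def stage_hosts(events):
    """Group precursor hits by host and report the latest stage each reached."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        matched = match_stage(ev)
        if matched is None:
            continue
        idx, name = matched
        authorized = idx == 0 and ev["User"].lower() in AUTHORIZED_SCANNER_ACCOUNTS
        hits[ev["Computer"]].append(
            {"time": ev["UtcTime"], "stage": idx, "name": name,
             "image": ev["Image"], "user": ev["User"], "authorized": authorized})
    report = {}
    for host, host_hits in hits.items():
        counted = [h for h in host_hits if not h["authorized"]]
        highest = max((h["stage"] for h in counted), default=None)
        report[host] = {
            "hits": host_hits,
            "highest_stage": None if highest is None else STAGES[highest][0],
            "first_seen": counted[0]["time"] if counted else None,
            "last_seen": counted[-1]["time"] if counted else None,
            "urgency": URGENCY[highest] if highest is not None else "authorized scanning only",
        }
    return report


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2023-05-02 10:02:11", "Computer": "WS-042", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\Advanced_Port_Scanner.exe",
     "CommandLine": "Advanced_Port_Scanner.exe"},
    {"UtcTime": "2023-05-02 10:40:57", "Computer": "WS-042", "User": r"CORP\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -c Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"},
    {"UtcTime": "2023-05-02 11:05:30", "Computer": "WS-042", "User": r"CORP\jdoe",
     "Image": r"C:\Temp\m.exe",   # renamed Mimikatz; caught by the command line
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"UtcTime": "2023-05-02 11:31:02", "Computer": "WS-042", "User": r"CORP\administrator",
     "Image": r"C:\Temp\PCHunter64.exe", "CommandLine": "PCHunter64.exe"},
    {"UtcTime": "2023-05-02 09:15:00", "Computer": "FS-01", "User": r"CORP\it-netops",
     "Image": r"C:\Program Files\Angry IP Scanner\ipscan.exe", "CommandLine": "ipscan.exe"},
    {"UtcTime": "2023-05-02 12:10:44", "Computer": "WS-017", "User": r"CORP\asmith",
     "Image": r"C:\Users\asmith\nmap\nmap.exe", "CommandLine": "nmap.exe -sn 10.0.0.0/24"},
    {"UtcTime": "2023-05-02 12:12:00", "Computer": "WS-099", "User": r"CORP\bwong",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "EXCEL.EXE"},
]

if __name__ == "__main__":
    for host, summary in stage_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {summary['highest_stage']} -> {summary['urgency']}")
```

In the sample, WS-042 walks through all four stages in about ninety minutes and ends at the removal stage, so it gets the isolate-now response; FS-01 only shows the network team’s own scanner and is reported without raising an alarm; WS-017 has an unexplained scan and is queued for the check-with-IT conversation the text recommends.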
Attackers often rehearse the ransomware deployment through small-scale dry runs, probing for gaps in your network or endpoint defences. They hit a small number of devices to test whether the ransomware deploys and runs successfully. If it doesn’t, they try a different approach.
Security software, like a SIEM or endpoint detection and response tools, can catch these smaller attacks before they lead to something much worse.
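A dry run looks like the real event in miniature: one process on one or two hosts rewriting a burst of documents with an unfamiliar extension appended. The following added example, which is not Blumira’s or any vendor’s detection content, applies that heuristic to Sysmon Event ID 11 (FileCreate) style records and reports which hosts are affected, so that a handful of hosts can be recognised as the test run rather than dismissed as noise. The document-extension list, the window and threshold, the host names and all sample events are assumptions constructed for the example.

```python
"""Spot a small-scale encryption test from file-write telemetry.

Input records follow Sysmon Event ID 11 (FileCreate): Computer, Image,
TargetFilename, UtcTime. Constructed example: the sample events are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: extensions users in this estate normally produce. Anything
# appended after one of these (report.docx.locked) is treated as suspicious.
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                       "jpg", "png", "csv", "sql", "bak", "zip"}
# Assumption: tuning knobs. Five renamed documents from one process inside a
# minute is far beyond what a person does by hand.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5


def looks_encrypted(path: str) -> bool:
    """True for names like report.docx.locked: a document extension with an
    unfamiliar extension appended, which is how most ransomware renames files."""
    parts = path.replace("/", "\\").rsplit("\\", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    original_ext, new_ext = parts[-2], parts[-1]
    return original_ext in DOCUMENT_EXTENSIONS and new_ext not in DOCUMENT_EXTENSIONS


def detect_encryption_bursts(events):
    """Return one detection per (host, process) that wrote THRESHOLD or more
    encrypted-looking files inside any WINDOW-long span."""
    by_actor = defaultdict(list)
    for ev in events:
        if looks_encrypted(ev["TargetFilename"]):
            by_actor[(ev["Computer"], ev["Image"])].append(
                (datetime.fromisoformat(ev["UtcTime"]), ev["TargetFilename"]))
    detections = []
    for (host, image), writes in by_actor.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):            # sliding window over timestamps
            while writes[end][0] - writes[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                detections.append({
                    "host": host, "image": image, "files": len(writes),
                    "extension": writes[end][1].rsplit(".", 1)[-1].lower(),
                    "first": writes[start][0].isoformat(sep=" "),
                })
                break
    return detections


def affected_hosts(detections):
    """A handful of hosts is the dry run; the same signal across the fleet is
    the real deployment. Either way the response is the same: isolate them."""
    return sorted({d["host"] for d in detections})


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    *[{"UtcTime": f"2023-05-02 14:00:{sec:02d}", "Computer": "WS-042",
       "Image": r"C:\Temp\svc.exe",
       "TargetFilename": rf"C:\Users\jdoe\Documents\{name}.locked"}
      for sec, name in zip(range(1, 30, 5),
                           ["q3.xlsx", "board.pptx", "notes.txt",
                            "plan.docx", "scan.pdf", "photo.jpg"])],
    {"UtcTime": "2023-05-02 14:00:29", "Computer": "WS-042", "Image": r"C:\Temp\svc.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\README_TO_DECRYPT.txt"},
    {"UtcTime": "2023-05-02 02:00:00", "Computer": "FS-01",
     "Image": r"C:\Program Files\Backup\backup.exe",
     "TargetFilename": r"D:\Backups\db.sql.bak"},          # nightly backup, benign
    {"UtcTime": "2023-05-02 15:22:10", "Computer": "WS-017",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\asmith\Documents\~report.docx.tmp"},  # one file, not a burst
]

if __name__ == "__main__":
    found = detect_encryption_bursts(SAMPLE_EVENTS)
    for d in found:
        print(f"{d['host']}: {d['image']} wrote {d['files']} .{d['extension']} files from {d['first']}")
    print("affected hosts:", affected_hosts(found))
```

Only WS-042 trips the detection: six documents gain a .locked suffix in under half a minute from one unsigned-looking binary in a temp directory. The backup server’s .sql.bak files and a single Word temp file on WS-017 both pass, which is the point of requiring a burst rather than flagging every unusual extension.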
The reality is that many organizations don’t have the visibility required to spot these warning signs. That, combined with alert fatigue and too-complex security tools, can result in missing the telltale signs of a ransomware attack.
Blumira’s detection and response solution has several built-in detections to alert security staff of malicious activity on the network, in addition to playbooks that will guide you through quick remediation.
Unlike a traditional SIEM, Blumira can deploy within hours, not days or weeks. Start a free trial and see what Blumira can do.