The point at which there is no doubt is when the malware starts encrypting the victim's hard drive. What is happening in the days before that?
What are the first indicators an IT team can look for to detect a ransomware attack before it causes major damage? What should you do if you discover an attack that is ongoing?
As mentioned above, encrypting files is the last thing ransomware does. Before encryption, the attackers spend weeks searching the network for weaknesses. One of the most common routes used to deliver ransomware into corporate networks is Remote Desktop Protocol (RDP) services that are left exposed on the Internet.
The pandemic lockdown sent a lot of company staff to work from home, so most companies opened up RDP access to facilitate remote work. This gives ransomware attackers an opening, so scanning the Internet for systems with open RDP ports is their first step.
Before we go on, something basic: an unusual volume of emails can itself be an indication of an attack. Once they have this foothold in the network, hackers will explore from there to see what else they can find to attack.
Another warning signal is software tools that appear on the network without anyone having installed them. Attackers typically start by controlling only one computer on the network and need tools to go further.
So if you see network scanners such as AngryIP or Advanced Port Scanner, ask around among the people who might legitimately use them. If no one admits to using the network scanner, you should investigate.
Another red flag is any detection of Mimikatz; along with Microsoft Process Explorer, it is one of the tools hackers use most often in their attempts to steal passwords and logins.
Once they have access to the network, ransomware attackers will try to get hold of an administrator account. This lets them disable security software using applications designed to remove or terminate programs, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter.
These applications are legitimate, but in the wrong hands they do damage.
Search for accounts that have been newly created. Beware: once intruders gain administrator privileges, they will try to spread across the network using PowerShell.
This can take weeks, or even months, depending on how much data you hold. Hackers are not in a hurry: the slower they move through the network, the harder they are to detect, and they try to avoid mistakes that would reveal them.
Many security tools only retain network logs for a limited period, which means that if the hackers have been inside for weeks, it is much harder to locate the entry point once it has aged out of the logs.
There are also signs that a ransomware attack is reaching its final stage. Intruders will try to disable Active Directory and the domain controllers, and destroy any backups they find. They will disable any software deployment systems that could be used to download updates. Then they strike.
So how do you stop the attackers? The most important thing is to check RDP sessions. Changing the passwords on key systems can help, but if hackers can still use RDP, such steps will not be enough. Check for unexpected administrator accounts and restrict the use of PowerShell.
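An added example of turning the warning signs above into a triage check (my own code, not from the original article): it walks a handful of constructed, simplified event records loosely modelled on Windows Security log IDs and flags the dual-use tools named above, newly created accounts, additions to the Administrators group, RDP logons and encoded PowerShell. The line format, the sample events and the account names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events in a simplified "EventID|Account|Detail" form,
# loosely modelled on Windows Security log fields (4688 = process creation,
# 4720 = account created, 4732 = member added to local group, 4624 = logon;
# LogonType=10 is a remote-interactive, i.e. RDP, logon).
SAMPLE_EVENTS = """\
4688|CORP\\jdoe|C:\\Users\\jdoe\\Downloads\\Advanced_Port_Scanner.exe
4688|CORP\\svc_backup|C:\\Temp\\mimikatz.exe
4688|CORP\\admin2|C:\\Tools\\ProcessHacker.exe
4688|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe
4720|CORP\\admin2|new account: helpdesk_tmp
4732|CORP\\admin2|helpdesk_tmp added to Administrators
4624|CORP\\helpdesk_tmp|LogonType=10 Source=203.0.113.45
4688|CORP\\helpdesk_tmp|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -enc SQBFAFgA
"""

# Dual-use tools the article names as precursors of a ransomware deployment.
SUSPICIOUS_TOOLS = {
    "angryip": "network scanner", "advanced_port_scanner": "network scanner",
    "mimikatz": "credential theft", "processhacker": "security-software removal",
    "iobit": "security-software removal", "gmer": "security-software removal",
    "pchunter": "security-software removal",
}

def triage(raw):
    """Return a list of (rule, account, detail) findings for the events."""
    findings = []
    for line in raw.splitlines():
        event_id, account, detail = line.split("|", 2)
        lowered = detail.lower()
        if event_id == "4688":
            # Executable name only: last path component of the first token.
            exe = re.split(r"[\\/]", lowered.split(" ")[0])[-1]
            for name, why in SUSPICIOUS_TOOLS.items():
                if name in exe:
                    findings.append((f"tool:{why}", account, exe))
            if "powershell" in exe and "-enc" in lowered:
                findings.append(("encoded-powershell", account, detail))
        elif event_id == "4720":
            findings.append(("new-account", account, detail))
        elif event_id == "4732" and "administrators" in lowered:
            findings.append(("new-admin", account, detail))
        elif event_id == "4624" and "logontype=10" in lowered:
            findings.append(("rdp-logon", account, detail))
    return findings

def accounts_to_review(findings, threshold=2):
    """Accounts with several distinct findings deserve a human look first."""
    per_account = Counter(acct for _, acct, _ in findings)
    return sorted(a for a, n in per_account.items() if n >= threshold)
```

On the sample above, the account that created `helpdesk_tmp` and the new account that then logged in over RDP and ran encoded PowerShell both surface for review, while the ordinary notepad launch produces nothing.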
Keep your software and operating system up to date. Many ransomware attacks exploit security vulnerabilities that have already been fixed by an update.
For ransomware attacks that arrive via email, staff training (and your own), strong passwords and two-factor authentication will help prevent or slow down intruders.