Ransomware: stop an ongoing attack

Attacks are increasing daily. An average ransomware attack can last anywhere from 60 to 120 days before the device owner realizes what's going on.

The moment that leaves no doubt is when the malware starts encrypting the victim's hard drive. But what is happening in the days before that?
What are the first indicators that let IT detect a ransomware attack before it causes major damage? And what should you do if you discover an attack that is still ongoing?

As we mentioned above, encryption is the last thing ransomware does. Before encryption, the attackers spend weeks probing the network to discover weaknesses. One of the most common routes they use to deliver ransomware is to enter corporate networks via Remote Desktop Protocol (RDP) services that are left open to the Internet.

The pandemic lockdown sent a lot of company staff to work from home, and most companies opened up RDP access to facilitate remote work. This gives ransomware attackers an opening, so scanning the Internet for systems with open RDP ports is their first step.

Before we go on, one basic point: an unusual volume of e-mail messages can be an indication of an attack. Once they have a foothold in the network, the attackers explore from there to see what else they can find to attack.

Another warning sign is software tools that appear on the network without explanation. Attackers may start by controlling only one computer on the network, and they will need tools to go any further.
So if you see network scanners like AngryIP or a port scanner, it's time to check in with someone who knows. If no one admits to using the network scanner, you should investigate.

Another red flag is any Mimikatz detection; it is one of the tools most commonly used by hackers, along with Microsoft Process Explorer, in their attempts to steal passwords and logins.

Once they have gained access to the network, the ransomware attackers will try to get hold of an administrator account. That will help them disable the security software using applications built for forcibly removing software, such as Process Hacker, IOBit Uninstaller, GMER and PC .

These applications are legitimate, but in the wrong hands they cause damage.

Look for newly created accounts. Beware: once intruders gain administrator privileges, they will try to spread through the network using PowerShell.

This can take weeks or even months, depending on what data you have on your systems. Hackers are not in a hurry: the slower they move through the network, the harder they are to detect, and they try to avoid mistakes that would reveal them.
Many security tools only retain network traffic for a limited period, which means that if hackers have been logged in for weeks, it is much harder to locate the entry point once it has aged out of the logs.

There are also signs that a ransomware attack is coming to an end. Intruders will try to disable Active Directory and domain controllers, and destroy any backups they can find. They will disable any software deployment systems that could be used to push out updates. Then they strike!

So how do you stop the attackers? The most important thing is to check RDP sessions. Changing the passwords on key systems may help, but if hackers can still use RDP, such steps will not work. Check for unexpected administrator accounts and restrict your use of PowerShell.
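The indicators above (hacking tools such as scanners and Mimikatz showing up on hosts, newly created accounts that get administrator rights, and RDP logons from the Internet) can be checked mechanically. The script below is an added example written for this article, not code from the original post or from any product it mentions. It runs over a constructed set of simplified Windows Security-style events (the field names and the event shapes are an assumption made for the example; the real events carry many more fields) and produces prioritised alerts. The list of suspicious process names is likewise an assumption and is not an exhaustive indicator set.

```python
"""Triage constructed Windows Security-style events for early ransomware
indicators: hacking tools launched on hosts, new accounts and Administrators
group changes, and RDP logons from outside private address space.

Added example; the event dictionaries are simplified models (assumption) of
the real Security log events 4688, 4720, 4732 and 4624."""
import ipaddress

# Process names the article calls out, lower-cased for matching. This list is
# an assumption for the example, not a complete indicator set.
SUSPICIOUS_PROCESSES = {
    "angryip.exe": "network scanner (AngryIP)",
    "portscanner.exe": "network scanner",
    "mimikatz.exe": "credential theft (Mimikatz)",
    "processhacker.exe": "security-software removal tool",
    "iobituninstaller.exe": "security-software removal tool",
    "gmer.exe": "security-software removal tool",
}

# RFC 1918 ranges: an RDP logon from outside them is treated as Internet-facing.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address parses and falls inside a private range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def triage(events):
    """Return a list of (severity, message) alerts for a sequence of event dicts.

    Event IDs modelled: 4688 process creation, 4720 user account created,
    4732 member added to a local group, 4624 logon (LogonType 10 = RDP).
    """
    alerts = []
    new_accounts = set()  # accounts created during this window
    for ev in events:
        eid = ev["id"]
        if eid == 4688:
            exe = ev["process"].rsplit("\\", 1)[-1].lower()
            if exe in SUSPICIOUS_PROCESSES:
                alerts.append(("high", f"{ev['host']}: {SUSPICIOUS_PROCESSES[exe]} "
                                       f"launched by {ev['user']}: {ev['process']}"))
        elif eid == 4720:
            new_accounts.add(ev["target"].lower())
            alerts.append(("medium", f"{ev['host']}: new account {ev['target']} "
                                     f"created by {ev['user']}"))
        elif eid == 4732 and ev["group"].lower() == "administrators":
            # A brand-new account being made an administrator is the worst case.
            sev = "high" if ev["member"].lower() in new_accounts else "medium"
            alerts.append((sev, f"{ev['host']}: {ev['member']} added to "
                                f"Administrators by {ev['user']}"))
        elif eid == 4624 and ev["logon_type"] == 10 and not is_internal(ev["source_ip"]):
            alerts.append(("high", f"{ev['host']}: RDP logon for {ev['user']} "
                                   f"from Internet address {ev['source_ip']}"))
    return alerts


# Constructed sample events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "user": "alice", "logon_type": 10, "source_ip": "192.168.10.5"},
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10, "source_ip": "203.0.113.77"},
    {"id": 4688, "host": "WS22", "user": "bob", "process": "C:\\Users\\bob\\Downloads\\angryip.exe"},
    {"id": 4688, "host": "WS22", "user": "bob", "process": "C:\\Windows\\System32\\notepad.exe"},
    {"id": 4720, "host": "DC01", "user": "svc_backup", "target": "helpdesk2"},
    {"id": 4732, "host": "DC01", "user": "svc_backup", "group": "Administrators", "member": "helpdesk2"},
    {"id": 4688, "host": "DC01", "user": "helpdesk2", "process": "C:\\Temp\\mimikatz.exe"},
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {message}")
```

On the sample data the internal RDP logon and the notepad launch produce nothing, while the Internet-sourced RDP session, the scanner, the new account, its promotion to Administrators and the Mimikatz launch each raise an alert, in that order. In a real deployment the event dictionaries would be filled from the Security log (for example via Windows event forwarding or a SIEM export), and the process list would be replaced by the organisation's own allow-list of approved admin tools so that a legitimate use of Process Explorer by the helpdesk is not flagged.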

Keep your software and operating system up to date. Many ransomware attacks exploit security holes that have already been patched.

For ransomware attacks coming via email, training your staff and yourself, strong passwords and two-factor authentication will help prevent or slow down intruders.

iGuRu.gr - The Best Technology Site in Greece


Written by giorgos
