Ransomware: stop an ongoing attack

Ransomware attacks are increasing every day. An average ransomware attack can last from 60 to 120 days before the victim understands what is happening.

There is no longer any doubt once the malware starts encrypting the victim's hard drives. But what is happening in the days before that?
What are the early indicators an IT team can use to spot a ransomware attack before it turns into a major incident, and what should you do if you discover an attack in progress?

As mentioned, encryption of files by the ransomware is the last thing that happens. Before encryption, the attackers will spend weeks probing the network to discover weaknesses. One of the most common routes used to get into corporate networks and deliver ransomware is Remote Desktop (RDP) services that have been left open on the Internet.

The pandemic lockdown sent a lot of company staff to work from home, and most organisations opened up RDP access to make remote work possible. This gives ransomware attackers an opening, so scanning the Internet for systems with an exposed RDP port (TCP 3389 by default) is their first step.

Before going on, one basic point: an unusual volume of suspicious e-mail (phishing attempts) can itself be an indication of an attack. Once they have a foothold in the network, the attackers will explore from there to see what else they can find to attack.

Another warning sign is unfamiliar software tools appearing on the network. Attackers usually start by controlling only one computer on the network, and they need tools to map the rest of it.
So if you see network scanners such as AngryIP or Advanced Port Scanner, check with your colleagues. If no one admits to using the scanner, investigate.

Another red flag is any detection of Mimikatz. It is one of the tools attackers use most often, together with Microsoft's Process Explorer, in their attempts to steal passwords and login credentials.

Once inside the network, ransomware attackers will attempt to gain access to an administrator account. This lets them disable security software using applications built to force-uninstall programs, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter.

These applications are legitimate, but in the wrong hands they cause damage.

Look for newly created accounts. Beware: once intruders gain administrator privileges, they will try to spread across the network using PowerShell.

This can take weeks or even months, depending on the data held on your systems. The attackers are not in a hurry, and they try to avoid mistakes that would reveal them, because the more slowly they move through the network, the harder they are to detect.
Many security tools only retain logs of network traffic for a limited period, which means that if the intruders have been inside for weeks, it is much harder to locate the entry point once the relevant entries have aged out of the logs.

There are also signs that a ransomware attack is reaching its final stage. The intruders will try to disable Active Directory and domain controllers, and will destroy any backups they can find. They will also disable any software deployment systems that could be used to distribute updates. Then they strike.
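The indicators described above (unexpected RDP logons, scanner and credential-theft tools, force-uninstall utilities, newly created accounts promoted to administrator, PowerShell used to move across the network, and backup destruction just before encryption) can be checked mechanically against Windows Security and PowerShell logs. The following Python script is an added example, not code from the article or from any vendor. The event records are constructed for illustration; the field names are an assumption modelled on the standard Windows event IDs (4624 logon, 4688 process creation, 4720 account created, 4732 member added to a local group, 4104 PowerShell script block); and the executable names, the backup-wiping commands and the lateral-movement cmdlets in the watchlists are assumptions about how these tools typically appear, since the article names the tools but not the binaries or commands.

```python
"""Added example: triage of constructed Windows event records for the early
ransomware indicators the article describes.  Not the article's own code."""
import base64
import re

# Dual-use tools named in the article, keyed by the image name an analyst would
# see in a 4688 event.  Image names are an assumption; attackers often rename
# binaries, so treat this list as a floor, not a ceiling.
WATCHLIST = {
    "advanced_port_scanner.exe": "network scanner",
    "ipscan.exe": "network scanner (AngryIP)",
    "mimikatz.exe": "credential theft",
    "procexp.exe": "Process Explorer (dual-use, seen alongside Mimikatz)",
    "processhacker.exe": "force-uninstall / security software killer",
    "iobituninstaller.exe": "force-uninstall",
    "gmer.exe": "anti-rootkit, abused to remove security software",
    "pchunter64.exe": "anti-rootkit, abused to remove security software",
}

# End-stage indicator: wiping local backups.  The article says "destroy any
# backups"; these specific commands are an assumption about common behaviour.
BACKUP_WIPE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)
# Remoting cmdlets aimed at another host (assumed heuristic for lateral movement).
LATERAL_PS = re.compile(r"\b(?:Invoke-Command|Enter-PSSession|New-PSSession)\b.*-ComputerName", re.I)

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def image_name(path):
    """Last component of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of a UTF-16LE string."""
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def triage(events, expected_rdp_sources=frozenset()):
    """Walk events in time order; return findings as dicts (rule, severity, host, user, detail)."""
    findings = []
    new_accounts = set()  # accounts created during this window; promoting one is worse

    def flag(ev, rule, severity, detail):
        findings.append({"rule": rule, "severity": severity, "host": ev["host"],
                         "user": ev.get("user"), "detail": detail})

    for ev in events:
        eid = ev["id"]
        if eid == 4624 and ev.get("logon_type") == 10:  # logon type 10 = RemoteInteractive (RDP)
            if ev.get("src_ip") not in expected_rdp_sources:
                flag(ev, "rdp_unexpected_source", "medium", f"RDP logon from {ev['src_ip']}")
        elif eid == 4688:  # process creation
            image = image_name(ev.get("image", ""))
            cmd = ev.get("cmdline", "")
            if image in WATCHLIST:
                flag(ev, "watchlist_tool", "high", f"{image}: {WATCHLIST[image]}")
            if image in ("powershell.exe", "pwsh.exe"):
                m = ENCODED_PS.search(cmd)
                if m:
                    flag(ev, "encoded_powershell", "high", decode_encoded_command(m.group(1)))
            if BACKUP_WIPE.search(cmd):
                flag(ev, "backup_destruction", "critical", cmd)
        elif eid == 4720:  # user account created
            new_accounts.add(ev["target_user"].lower())
            flag(ev, "account_created", "medium", f"new account {ev['target_user']}")
        elif eid == 4732 and ev.get("group", "").lower() == "administrators":  # added to local Administrators
            member = ev["member"]
            sev = "critical" if member.lower() in new_accounts else "high"
            flag(ev, "admin_group_add", sev, f"{member} added to Administrators")
        elif eid == 4104 and LATERAL_PS.search(ev.get("script", "")):  # script block logging
            flag(ev, "powershell_lateral_movement", "high", ev["script"][:80])
    return findings


def hosts_by_severity(findings):
    """Worst severity seen per host, so responders know where to start."""
    worst = {}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK.get(worst.get(f["host"]), 0):
            worst[f["host"]] = f["severity"]
    return worst


# Constructed sample telemetry (not real logs); 203.0.113.45 is a documentation address.
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"id": 4624, "host": "FS01", "user": "jsmith", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"id": 4688, "host": "FS01", "user": "svc_backup",
     "image": r"C:\Users\svc_backup\Downloads\Advanced_Port_Scanner.exe", "cmdline": "Advanced_Port_Scanner.exe"},
    {"id": 4688, "host": "FS01", "user": "svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_WHOAMI}"},
    {"id": 4688, "host": "FS01", "user": "jsmith", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"id": 4104, "host": "FS01", "user": "svc_backup", "script": "Invoke-Command -ComputerName DC01 -ScriptBlock { whoami }"},
    {"id": 4720, "host": "DC01", "user": "svc_backup", "target_user": "helpdesk2"},
    {"id": 4732, "host": "DC01", "user": "svc_backup", "group": "Administrators", "member": "helpdesk2"},
    {"id": 4688, "host": "DC01", "user": "helpdesk2", "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"id": 4688, "host": "DC01", "user": "helpdesk2", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS, expected_rdp_sources={"10.0.0.5"})
    for f in results:
        print(f"[{f['severity']:8}] {f['host']:5} {f['rule']:28} {f['detail']}")
    print(hosts_by_severity(results))
```

Run as-is, it reports eight findings and ranks DC01 as critical (a freshly created account promoted to Administrators, then a backup-wiping command) and FS01 as high. To use it on real records, map your SIEM's field names onto the same keys and supply the RDP source addresses you actually expect; the RDP check is only as good as that list, and the watchlist should be extended with hashes or signer information, since renaming a binary defeats a name match.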

So how do you stop the attackers? The most important thing is to check the RDP sessions on your systems and shut down any you do not recognise. Changing the passwords on key systems may help, but if the attackers can still use RDP, such steps alone will not work. Check for unexpected administrator accounts and restrict the use of PowerShell.

Keep your software and your systems up to date. Many ransomware attacks exploit security holes that have already been fixed by an update.

For ransomware attacks that arrive via e-mail, training for staff (including yourself), strong passwords and two-factor authentication will help deter or slow down attackers.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
