Ransomware attacks are increasing daily. An average ransomware attack can take 60 to 120 days before the device owner realizes what is happening.
The point at which there is no longer any doubt is when the malware starts encrypting the victim's hard drive. What is happening in the days before that?
What are the first indicators that let IT detect a ransomware attack before it causes major damage? And what should you do if you discover an attack that is still in progress?
As mentioned above, the encryption of files by ransomware is the last thing that happens. Before encryption, the attackers spend weeks searching the network for vulnerabilities. One of the most common ways they get ransomware onto a network is to enter the corporate network through Remote Desktop Protocol (RDP) ports that have been left open to the Internet.
The pandemic lockdown sent a lot of company staff to work from home, and most companies opened RDP access to facilitate remote work. This gives ransomware attackers an opening: scanning the Internet for systems with open RDP ports is their first step.
Before going on, one basic point: an unusual flood of e-mail messages can be an indication of an attack. Once they have a foothold in the network, the attackers will explore from there to see what else they can find to attack.
Another warning signal is unfamiliar software tools appearing on the network. Attackers typically start by controlling only one computer on a network, and from there they need tools to go further.
So if you see network scanners like AngryIP or Advanced Port Scanner, it is time to check with your IT staff. If no one admits to using the network scanner, you should investigate.
Another red flag is any Mimikatz detection: it is one of the tools most commonly used by hackers, along with Microsoft Process Explorer, in their attempts to steal passwords and logins.
Once they have access to the network, ransomware attackers will try to gain access to an administrator account. This will help them disable security software with applications designed to remove software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter.
These applications are legitimate, but in the wrong hands they cause damage.
Look for new accounts that have been created. Beware: once intruders gain administrator privileges, they will try to spread through the network using PowerShell.
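As an added example (not part of the original article), the kind of check a defender can run over process-creation and account-management logs to surface the indicators just described: the scanner, credential-theft and security-removal tools named above, newly created accounts, accounts added to Administrators, and PowerShell run by a freshly created account. The log format and its lines are constructed for this example; the event IDs are the standard Windows Security IDs (4688 process creation, 4720 account created, 4732 member added to a local group).

```python
import re

# Process names the article lists as red flags when nobody on the IT team admits
# to running them: network scanners, Mimikatz, and security-software removal tools.
SUSPECT_PROCESSES = {
    "angryip", "ipscan", "advanced_port_scanner", "advanced_ip_scanner",
    "mimikatz", "processhacker", "iobituninstaller", "gmer", "pchunter",
}

# Constructed sample log (not real telemetry). Format: "<host> <event_id> key=value ...".
SAMPLE_LOG = """\
WS01 4688 user=alice image=C:\\Windows\\System32\\notepad.exe
WS01 4688 user=alice image=C:\\Users\\alice\\Downloads\\Advanced_Port_Scanner.exe
WS01 4688 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\mimikatz.exe
DC01 4720 user=alice target=svc_backup2
DC01 4732 user=alice target=svc_backup2 group=Administrators
WS01 4688 user=svc_backup2 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WS02 4688 user=bob image="C:\\Program Files\\ProcessHacker\\ProcessHacker.exe"
"""

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<event>\d+) (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def triage(log_text):
    """Return (alert_type, host, detail) tuples for the indicators the article describes."""
    alerts = []
    new_accounts = set()  # accounts created within this log window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
        host, event = m["host"], m["event"]
        if event == "4720":
            new_accounts.add(f["target"])
            alerts.append(("new_account", host, f["target"]))
        elif event == "4732" and f.get("group") == "Administrators":
            alerts.append(("new_admin", host, f["target"]))
        elif event == "4688":
            # Normalise the image path to a bare lowercase executable name.
            exe = f.get("image", "").rsplit("\\", 1)[-1].lower().removesuffix(".exe")
            if exe.replace(" ", "") in SUSPECT_PROCESSES:
                alerts.append(("suspect_tool", host, exe))
            if exe == "powershell" and f.get("user") in new_accounts:
                alerts.append(("powershell_new_account", host, f["user"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

A hit on a tool alone is only a prompt to ask who is running it; the combination of a new account, an Administrators change and PowerShell from that account is the pattern worth escalating.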
This can take weeks, or even months, depending on the data you have on your systems. Hackers are not in a hurry and try to avoid the mistakes that would reveal them, because the slower they move through the network, the harder they are to detect.
Many security tools only keep network traffic records for a limited period, which means that if hackers have been inside for weeks, it is much more difficult to locate the entry point once it has rolled out of the logs.
There are also signs that a ransomware attack is coming to an end. Intruders will try to disable Active Directory and the domain controllers, and destroy any backups they can find. They will disable any software deployment systems that could be used to download updates. Then they strike.
So how do you stop the attackers? The most important thing is to check the RDP sessions. Changing the passwords on key systems may help, but if the hackers can still use RDP, such steps will not be enough. Check for unexpected administrator accounts and limit your use of PowerShell.
Keep your software and operating system up to date. Many ransomware attacks use security vulnerabilities that have been fixed with an update.
For ransomware attacks that arrive via e-mail, training your staff and yourself, strong passwords and two-factor authentication will help prevent or slow down intruders.