Ransomware attack alert! The tell-tale signals to look for

clock • 4 min read
Ransomware attack alert! The tell-tale signals to look for

Ransomware attack alert! The tell-tale signals to look for

Patterns of unusual behaviour are the clearest signal of an attack, not programmes or files

It's time to bust the long-standing myth that ransomware attacks occur out of the blue and are just a case of bad luck.

Hackers often spend days or even weeks in your system, poking around, trying to get an idea of what your network looks like and stealing data as they prepare to drop the ransomware that could well topple your business. Cunning hackers have worked hard to evade detection during this reconnaissance period, so well in fact that even cybersecurity tools struggle to flag the problem.

With the benefit of hindsight, looking back at the telemetry records of companies who have been attacked, the Sophos MTR team has been able to build a picture of four warning signs that point to trouble ahead.

To the untrained eye, these signals can be hard to spot - particularly as many attackers use legitimate admin tools - but  as long as you know the kind of things to look out for, you'll often be able to see an attack coming, and that can enable you to stop it happening.

Beware of mini-attacks

One way attackers will test your defences is by launching a quick reconnaissance raid on a small number of machines. The idea is to gauge how effectively their ransomware can be deployed and how sophisticated the security software is that they're up against.

Small-scale test attacks might provide hackers with useful intelligence, but these dry runs are the clearest possible sign that a large-scale ransomware attack is imminent. Once spotted, it then becomes a race against time. There might just be a matter of hours between a test attack and the real thing, so being in a position to respond fast is essential.

Investigate suspicious patterns of behaviour

Another seemingly innocuous development is unusual activity at the same time, every day - even if it doesn't strike you as being particularly serious. For example, an admin using a remote desktop protocol (RDP) to move between servers in your organisation in the middle of the night. While both these behaviours could be legitimate, it's very unusual for an admin to be moving between servers - typically if they were working at night it would be from their endpoint into a specific server they intend to work on.

This is actually a strong sign that you need to do more than just remove the malware picked up on each occasion. This regular pattern of activity could well mean there is something more sinister happening that you haven't yet detected. Further investigations are required immediately.

Are legitimate tools being turned against you?

You should also be on the lookout for security-disabling applications. As tools like this can be totally legitimate, they are often overlooked; but in the hands of a malicious hacker, they can have devastating consequences.

Once attackers have gained admin rights, they may attempt to disable security software using applications created to assist with the forced removal of software. These include Process Hacker, IOBit Uninstaller, GMER and PC Hunter. The presence of these apps doesn't necessarily mean you're under attack, but it does mean it could be a strong possibility. 

Investigate unidentified network scanners

The presence of a network scanner, especially on a server, is something else that could suggest attackers are canvassing your organisation in the run-up to a strike. They typically start by gaining access to one computer to search for information such as the domain, the company name and what admin rights are enabled.

The hackers will then try to find out what else is on the network and how much they can get their hands on. The easiest way to do this is with a network scanning tool, such as AngryIP or Advanced Port Scanner. If you detect one, first check in with the IT admin staff to find out whether the scanner is being used legitimately. If not, it's time to act.

 Never drop your guard

We've given you a few of the main indicators to be aware of, but the key to recognising the signs of an impending ransomware attack are patterns of unusual behaviour - not necessarily unusual programmes or files. These will be the things that trigger your security solutions. It's the unexpected, unexplained and unauthorised use of legitimate tools which should alert you to cybercriminals laying the groundwork for their attack. This can make their preparation hard to detect - but certainly not impossible, especially now you know what to look out for.

Peter Mackenzie is an incident response manager at Sophos

More on Cloud and Infrastructure

Sydney is G-Core Labs' latest location as it builds a worldwide infrastructure network

G-Core Labs launches a public cloud PoP in Sydney

G-Core Labs continues to expand in APAC

clock 13 June 2022 • 2 min read
Using tools from different cloud vendors to enjoy best-of-breed service is becoming more popular, but it adds complexity

IT leaders agree the need for 'cloud-of-clouds'

Multicloud is the future, but management is a concern for IT leaders.

Tom Allen
clock 10 June 2022 • 2 min read
Constuction on Crossrail, which would become the Elizabeth Line, began in 2010

From cables to cloud: How IT changed while building the Elizabeth Line

Over 12 years, IT at the project formerly known as Crossrail went from cables and servers to cloud and wearables. Richard Blanford, CEO at project MSP Fordway, explains how that changed the workflow.

Tom Allen
clock 09 June 2022 • 7 min read