Patterns of unusual behaviour are the clearest signal of an attack, not programmes or files
It's time to bust the long-standing myth that ransomware attacks occur out of the blue and are just a case of bad luck.
Hackers often spend days or even weeks in your system, poking around, trying to get an idea of what your network looks like and stealing data as they prepare to drop the ransomware that could well topple your business. Cunning hackers have worked hard to evade detection during this reconnaissance period, so well in fact that even cybersecurity tools struggle to flag the problem.
With the benefit of hindsight, looking back at the telemetry records of companies who have been attacked, the Sophos MTR team has been able to build a picture of four warning signs that point to trouble ahead.
To the untrained eye, these signals can be hard to spot - particularly as many attackers use legitimate admin tools - but as long as you know the kind of things to look out for, you'll often be able to see an attack coming, and that can enable you to stop it happening.
Beware of mini-attacks
One way attackers will test your defences is by launching a quick reconnaissance raid on a small number of machines. The idea is to gauge how effectively their ransomware can be deployed and how sophisticated the security software is that they're up against.
Small-scale test attacks might provide hackers with useful intelligence, but these dry runs are the clearest possible sign that a large-scale ransomware attack is imminent. Once spotted, it then becomes a race against time. There might just be a matter of hours between a test attack and the real thing, so being in a position to respond fast is essential.
Investigate suspicious patterns of behaviour
Another seemingly innocuous development is unusual activity at the same time, every day - even if it doesn't strike you as being particularly serious. For example, an admin using a remote desktop protocol (RDP) to move between servers in your organisation in the middle of the night. While both these behaviours could be legitimate, it's very unusual for an admin to be moving between servers - typically if they were working at night it would be from their endpoint into a specific server they intend to work on.
This is actually a strong sign that you need to do more than just remove the malware picked up on each occasion. This regular pattern of activity could well mean there is something more sinister happening that you haven't yet detected. Further investigations are required immediately.
Are legitimate tools being turned against you?
You should also be on the lookout for security-disabling applications. As tools like this can be totally legitimate, they are often overlooked; but in the hands of a malicious hacker, they can have devastating consequences.
Once attackers have gained admin rights, they may attempt to disable security software using applications created to assist with the forced removal of software. These include Process Hacker, IOBit Uninstaller, GMER and PC Hunter. The presence of these apps doesn't necessarily mean you're under attack, but it does mean it could be a strong possibility.
Investigate unidentified network scanners
The presence of a network scanner, especially on a server, is something else that could suggest attackers are canvassing your organisation in the run-up to a strike. They typically start by gaining access to one computer to search for information such as the domain, the company name and what admin rights are enabled.
The hackers will then try to find out what else is on the network and how much they can get their hands on. The easiest way to do this is with a network scanning tool, such as AngryIP or Advanced Port Scanner. If you detect one, first check in with the IT admin staff to find out whether the scanner is being used legitimately. If not, it's time to act.
Never drop your guard
We've given you a few of the main indicators to be aware of, but the key to recognising the signs of an impending ransomware attack are patterns of unusual behaviour - not necessarily unusual programmes or files. These will be the things that trigger your security solutions. It's the unexpected, unexplained and unauthorised use of legitimate tools which should alert you to cybercriminals laying the groundwork for their attack. This can make their preparation hard to detect - but certainly not impossible, especially now you know what to look out for.
Peter Mackenzie is an incident response manager at Sophos
