Ransomware attack alert! The tell-tale signals to look for

clock • 4 min read

Patterns of unusual behaviour are the clearest signal of an attack, not programmes or files

It's time to bust the long-standing myth that ransomware attacks occur out of the blue and are just a case of bad luck.

Hackers often spend days or even weeks in your system, poking around, trying to get an idea of what your network looks like and stealing data as they prepare to drop the ransomware that could well topple your business. Cunning hackers have worked hard to evade detection during this reconnaissance period, so well in fact that even cybersecurity tools struggle to flag the problem.

With the benefit of hindsight, looking back at the telemetry records of companies who have been attacked, the Sophos MTR team has been able to build a picture of four warning signs that point to trouble ahead.

To the untrained eye, these signals can be hard to spot - particularly as many attackers use legitimate admin tools - but  as long as you know the kind of things to look out for, you'll often be able to see an attack coming, and that can enable you to stop it happening.

Beware of mini-attacks

One way attackers will test your defences is by launching a quick reconnaissance raid on a small number of machines. The idea is to gauge how effectively their ransomware can be deployed and how sophisticated the security software is that they're up against.

Small-scale test attacks might provide hackers with useful intelligence, but these dry runs are the clearest possible sign that a large-scale ransomware attack is imminent. Once spotted, it then becomes a race against time. There might just be a matter of hours between a test attack and the real thing, so being in a position to respond fast is essential.

Investigate suspicious patterns of behaviour

Another seemingly innocuous development is unusual activity at the same time, every day - even if it doesn't strike you as being particularly serious. For example, an admin using a remote desktop protocol (RDP) to move between servers in your organisation in the middle of the night. While both these behaviours could be legitimate, it's very unusual for an admin to be moving between servers - typically if they were working at night it would be from their endpoint into a specific server they intend to work on.

This is actually a strong sign that you need to do more than just remove the malware picked up on each occasion. This regular pattern of activity could well mean there is something more sinister happening that you haven't yet detected. Further investigations are required immediately.

Are legitimate tools being turned against you?

You should also be on the lookout for security-disabling applications. As tools like this can be totally legitimate, they are often overlooked; but in the hands of a malicious hacker, they can have devastating consequences.

Once attackers have gained admin rights, they may attempt to disable security software using applications created to assist with the forced removal of software. These include Process Hacker, IOBit Uninstaller, GMER and PC Hunter. The presence of these apps doesn't necessarily mean you're under attack, but it does mean it could be a strong possibility. 

Investigate unidentified network scanners

The presence of a network scanner, especially on a server, is something else that could suggest attackers are canvassing your organisation in the run-up to a strike. They typically start by gaining access to one computer to search for information such as the domain, the company name and what admin rights are enabled.

The hackers will then try to find out what else is on the network and how much they can get their hands on. The easiest way to do this is with a network scanning tool, such as AngryIP or Advanced Port Scanner. If you detect one, first check in with the IT admin staff to find out whether the scanner is being used legitimately. If not, it's time to act.

 Never drop your guard

We've given you a few of the main indicators to be aware of, but the key to recognising the signs of an impending ransomware attack are patterns of unusual behaviour - not necessarily unusual programmes or files. These will be the things that trigger your security solutions. It's the unexpected, unexplained and unauthorised use of legitimate tools which should alert you to cybercriminals laying the groundwork for their attack. This can make their preparation hard to detect - but certainly not impossible, especially now you know what to look out for.

Peter Mackenzie is an incident response manager at Sophos

Related Topics

You may also like
UK business falling short on cybersecurity warns government report

Threats and Risks

UK business falling short on cybersecurity warns government report

A staggering 78% of businesses lack a formal incident response plan

clock 10 April 2024 • 3 min read
IT Essentials: No honour among thieves

Security

IT Essentials: No honour among thieves

The criminal with a conscience doesn't exist

clock 08 April 2024 • 3 min read
Leicester Council confirms ransomware attack

Hacking

Leicester Council confirms ransomware attack

Hackers are now publishing stolen data

clock 05 April 2024 • 3 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

Get the newsletter

More on Security

Met police disrupt LabHost scam-as-a-service website
Security

Met police disrupt LabHost scam-as-a-service website

Dozens arrested globally and thousands sent warnings

Penny Horwood
Penny Horwood
clock 18 April 2024 • 3 min read
Last chance to register for Cybersecurity Festival 2024
Security

Last chance to register for Cybersecurity Festival 2024

Book your free place today

Computing Staff
clock 18 April 2024 • 2 min read
Interview: Illumio, Security Excellence Awards finalist
Security

Interview: Illumio, Security Excellence Awards finalist

'We are one team, delivering one platform, on one mission to ensure that organisations can realise a future without any high-profile breaches'

Computing Staff
clock 17 April 2024 • 5 min read