The realities of ransomware: Five signs you’re about to be attacked

December 22, 2020

By Peter Mackenzie

Whenever we work with ransomware victims, we spend some time looking back through our telemetry records that span the previous week or two. The telemetry sometimes records behavioral anomalies that (on their own) may not be inherently malicious, but in the context of an attack that has already taken place, could be taken as an early indicator of a threat actor conducting operations on the victim’s network.

If we see any of these five indicators, in particular, we jump on them straight away. Any of these found during an investigation is almost certainly an indication that attackers have poked around on the network prior to the attack: to get an idea of the network layout, and to learn how they can get the accounts and access they need to launch a ransomware attack.

Attackers use legitimate admin tools to set the stage for ransomware attacks. Without knowing what tools administrators normally use on their machines, one could easily overlook this data. In hindsight, these five indicators represent investigative red flags.

A network scanner, especially on a server

Attacks typically start when an attacker gains control of one machine to use as a foothold, from which they begin to profile the target organization: is this a Mac or Windows workstation; what are the domain and company names; what rights does the compromised account have on this computer. Next, attackers want to know what else is on the network and what they can reach from here. The easiest way to find out is to scan the network. If you detect a network scanner, such as Angry IP Scanner or Advanced Port Scanner, ask the admin staff whether they left it there. A scanner on a server is especially hard to explain, since routine administration rarely requires one. If no one recalls using the scanner, it is time to investigate.

Tools for disabling antivirus software

Once attackers have admin rights, they will often try to disable security software using applications built to terminate protected processes, unload drivers, or forcibly remove software, such as Process Hacker, IObit Uninstaller, GMER, or PC Hunter. These tools are legitimate and some are commercial products, but in the wrong hands they are exactly what is needed to switch off endpoint protection. Security teams and admins need to question why they have suddenly appeared, particularly on machines where nobody normally runs them.

The presence of MimiKatz

Any detection of the credential extraction tool Mimikatz, anywhere, should be investigated. If no one on the admin team can vouch for using Mimikatz, this is a red flag, because it is one of the most commonly used hacking tools for credential theft. Attackers also use Microsoft's Process Explorer, one of the Windows Sysinternals tools, which can write a full memory dump of lsass.exe to a .dmp file. They can then extract credentials right on the foothold machine, or copy the dump to their own environment and run Mimikatz against it there, where no security software will flag the tool. An unexplained lsass dump file is therefore as serious a finding as Mimikatz itself.
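The three indicators above (a scanner on a server, a process-killing tool, Mimikatz or an lsass dump) all surface in the same place: process-creation telemetry. The following is an added example of how an analyst might triage such telemetry; it is not Sophos code and not part of the original article. The event schema, the executable names assumed for each tool, the severity scheme and the admin "approval" list are all illustrative assumptions, and the sample events are constructed.

```python
"""Triage process-creation telemetry for the legitimate admin tools that precede
a ransomware deployment.  Added example, not Sophos code: the event schema,
executable names and the admin approval list are illustrative assumptions."""
from dataclasses import dataclass
import re

# Executable names assumed for the tools named in the article (Angry IP Scanner
# ships as ipscan.exe; PC Hunter as PCHunter32/64.exe).
SCANNERS = {"advanced_port_scanner.exe", "ipscan.exe", "nmap.exe"}
AV_TAMPER = {"processhacker.exe", "iobituninstaler.exe", "gmer.exe",
             "pchunter32.exe", "pchunter64.exe"}
CRED_THEFT = {"mimikatz.exe"}
# Process Explorer or ProcDump dumping lsass leaves a lsass*.dmp file behind.
LSASS_DUMP = re.compile(r"lsass[^\\/]*\.dmp$", re.IGNORECASE)
RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class ProcEvent:
    ts: str
    host: str
    role: str                     # "server" or "workstation"
    user: str
    image: str                    # executable basename
    cmdline: str = ""
    files_written: tuple = ()


# Hypothetical answer from the admin team: (host, image) pairs they vouch for.
APPROVED = {("ADM-WS01", "ipscan.exe")}


def triage(events, approved=APPROVED):
    """Return (severity, host, image, reason) findings, most severe first."""
    findings = []
    for e in events:
        img = e.image.lower()
        cmd = e.cmdline.lower()
        if (e.host, img) in approved:
            continue            # someone vouched for it; nothing to chase
        if img in SCANNERS:
            # A scanner on a server is far less explainable than on an admin workstation.
            sev = "high" if e.role == "server" else "medium"
            findings.append((sev, e.host, img, "network scanner; confirm with admin staff"))
        if img in AV_TAMPER:
            findings.append(("high", e.host, img, "tool able to kill or unload security software"))
        if img in CRED_THEFT or "sekurlsa" in cmd:
            findings.append(("critical", e.host, img, "Mimikatz credential theft"))
        if any(LSASS_DUMP.search(f) for f in e.files_written) or ("procdump" in img and "lsass" in cmd):
            findings.append(("critical", e.host, img, "LSASS memory dump written for offline extraction"))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcEvent("2020-12-04T22:10:03Z", "FS01", "server", "svc_backup", "advanced_port_scanner.exe"),
    ProcEvent("2020-12-04T22:15:40Z", "ADM-WS01", "workstation", "jsmith", "ipscan.exe"),
    ProcEvent("2020-12-04T22:31:12Z", "WS-017", "workstation", "svc_backup", "ipscan.exe"),
    ProcEvent("2020-12-04T23:02:55Z", "WS-042", "workstation", "svc_backup", "processhacker.exe"),
    ProcEvent("2020-12-04T23:05:18Z", "DC01", "server", "svc_backup", "procexp64.exe",
              files_written=(r"C:\Users\svc_backup\Desktop\lsass.DMP",)),
    ProcEvent("2020-12-04T23:20:44Z", "WS-042", "workstation", "svc_backup", "mimikatz.exe",
              "mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"),
    ProcEvent("2020-12-04T23:21:00Z", "WS-017", "workstation", "jsmith", "chrome.exe"),
]

if __name__ == "__main__":
    for sev, host, img, why in triage(SAMPLE_EVENTS):
        print(f"{sev:8} {host:9} {img:26} {why}")
```

Note that the approval list is deliberately per host, not per tool: the article's advice is to ask whether a specific admin left a specific scanner on a specific machine, and a blanket "ipscan.exe is fine" rule would have hidden the same scanner running under a service account on WS-017.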

Patterns of suspicious behavior

Any detection happening at the same time every day, or in a repeating or regular pattern or tempo, is often an indication that something else is going on, even if the malicious files have been detected and removed each time. Security teams should ask “why is it coming back?” Incident responders know that this normally means something else malicious is present, typically a persistence mechanism such as a scheduled task or a foothold on another machine, that has not (as yet) been identified.

Test attacks

Occasionally, attackers deploy small test attacks on a few computers in order to see whether the deployment method and the ransomware execute successfully, or whether security tools stop them. If the security tools block the attack, they change their tactics and try again. This shows their hand, and the attackers know their time is now limited. It is often a matter of hours before they launch a much larger attack.
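Both of the last two indicators are patterns in detection logs rather than single events: a detection that recurs on a fixed tempo, and a small cluster of blocked ransomware detections that precedes the full deployment. The following is an added example of both checks run over constructed detection records; it is not Sophos code and not from the original article. The key=value log format, the detection names, the field names and the thresholds (three repeats within 10% of the median interval; two to five hosts blocked within 30 minutes) are assumptions chosen for illustration.

```python
"""Two checks over detection telemetry: (a) the same detection recurring on a
regular tempo, (b) a small cluster of *blocked* ransomware detections that
looks like the attacker's test run.  Added example, not Sophos code; the log
format, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (key=value lines), not real telemetry.
SAMPLE_LOG = """\
2020-12-01T03:15:02Z host=WS-042 detection=Trojan.Dropper.Sample action=cleaned
2020-12-01T09:40:11Z host=WS-017 detection=PUA.Toolbar.Sample action=cleaned
2020-12-02T03:15:05Z host=WS-042 detection=Trojan.Dropper.Sample action=cleaned
2020-12-03T03:14:58Z host=WS-042 detection=Trojan.Dropper.Sample action=cleaned
2020-12-04T03:15:01Z host=WS-042 detection=Trojan.Dropper.Sample action=cleaned
2020-12-05T02:01:10Z host=FS01 detection=Ransom.Sample.Crypt action=blocked
2020-12-05T02:04:37Z host=WS-042 detection=Ransom.Sample.Crypt action=blocked
2020-12-05T02:09:52Z host=DC01 detection=Ransom.Sample.Crypt action=blocked
"""


def parse(log):
    """Turn 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def recurring_detections(events, min_count=3, tolerance=0.1):
    """(host, detection) pairs whose detections arrive at a near-constant interval.

    Returns a dict mapping the pair to the median interval.  A detection that is
    'cleaned' every day at the same minute is being re-dropped by something the
    product has not yet found, which is the question the article says to ask."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["detection"])].append(e["ts"])
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            hits[key] = timedelta(seconds=med)
    return hits


def find_test_runs(events, window=timedelta(minutes=30), min_hosts=2, max_hosts=5):
    """Blocked ransomware on a handful of hosts inside one time window.

    Returns a list of (window start, sorted hosts).  A few hosts, all blocked,
    is the signature of a test deployment; the full attack usually follows
    within hours, so this should page someone rather than wait for morning."""
    blocked = sorted((e["ts"], e["host"]) for e in events
                     if "ransom" in e["detection"].lower() and e["action"] == "blocked")
    clusters = []
    i = 0
    while i < len(blocked):
        start = blocked[i][0]
        j = i
        while j < len(blocked) and blocked[j][0] - start <= window:
            j += 1
        hosts = sorted({h for _, h in blocked[i:j]})
        if min_hosts <= len(hosts) <= max_hosts:
            clusters.append((start, hosts))
        i = j
    return clusters


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for (host, det), every in recurring_detections(ev).items():
        print(f"recurring: {det} on {host} every {every}")
    for start, hosts in find_test_runs(ev):
        print(f"possible test run at {start:%Y-%m-%d %H:%M}: {', '.join(hosts)}")
```

The upper bound on host count in find_test_runs is intentional: dozens of hosts blocked at once is the main deployment, not a test, and should already be handled as a live incident rather than as an early warning.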

Sophos’ next-gen cybersecurity solutions to stop Ransomware

Sophos offers layered IT security for defending against the latest ransomware. Sophos not only provides protection at every point, but also shares threat intelligence between all these security points through synchronized security.

Sophos XG Firewall prevents attacks from getting onto a network. In the event ransomware does happen to get onto a network, Sophos XG Firewall can automatically stop ransomware dead in its tracks thanks to integration with Sophos Intercept X.

Sophos Intercept X Advanced with EDR includes anti-ransomware technology that detects malicious encryption processes and shuts them down before they can spread across the network.

The Sophos Managed Threat Response (MTR) service adds human expertise to an organization’s layered security strategy. An elite team of threat hunters proactively look for and validate potential threats, and then take action to disrupt, contain and neutralize attacks.

— The writer is incident response manager, Sophos
