These warning signs could mean you are already under attack. File-encrypting ransomware attacks can take months of planning by gangs. Here’s what to look out for.
There are as many as 100 claims to insurers over ransomware attacks every day, according to one estimate. And as the average ransomware attack can take anywhere from 60 to 120 days to move from the initial security breach to the delivery of the actual ransomware, that means hundreds of companies could have hackers hiding in their networks at any time, getting ready to trigger their network-encrypting malware.
So what are the early indicators for companies that are trying to spot a ransomware attack before they cause too much damage? Any what should they do if they discover an attack in progress?
Encryption of files by ransomware is the last thing that happens; before that, the crooks will spend weeks, or longer, investigating the network to discover weaknesses. One of the most common routes for ransomware gangs to make their way into corporate networks is via Remote Desktop Protocol (RDP) links left open to the internet.
“Look at your environment and understand what your RDP exposure is, and make sure you have two-factor authentication on those links or have them behind a VPN,” said Jared Phipps, VP at security company SentinelOne.
Coronavirus lockdown means that more staff are working from home, and so more companies have opened up RDP links to make remote access easier. This is giving ransomware gangs an opening, Phipps said, so scanning your internet-facing systems for open RDP ports is a first step.
Another warning sign could be unexpected software tools appearing on the network. Attackers may start with control of just one PC on a network – perhaps via a phishing email (indeed, a spate of phishing emails could be an indicator of an attack, and if staff are trained to spot them this could provide an early warning). With this toe-hold in the network, hackers will explore from there to see what else they can find to attack.
That means using network scanners, such as AngryIP or Advanced Port Scanner. If these are detected on the network, it’s time to check in with your security team. If no one internally admits to using the scanner, it is time to investigate, according to tech security company Sophos, which has outlined some of the signs that a ransomware attack could be underway in a recent blog post.
Another red flag is any detection of MimiKatz, which is one of the tools most regularly used by hackers, along with Microsoft Process Explorer, in their attempts to steal passwords and login details, Sophos said.
Once they’ve gained access to the network, ransomware gangs will often next try to increase their reach by creating administrator accounts for themselves, for example in Active Directory, and use that extra power to start disabling security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter, said Sophos. “These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared,” the security firm said.
To stop this happening, companies need to look for accounts that are created outside of your ticketing system or account management system, said SentinelOne’s Phipps. Once the attackers have gained administrator powers, they then attempt to spread further across the network, using PowerShell.
The whole project can take weeks, and maybe even months, for the ransomware gangs to execute. That’s partly because the slower they move through the computer network, the harder they are to spot. And many security tools only record traffic on the network for a certain amount of time, which means if the hackers hold on for a while it becomes much harder for security teams to work out how they got into the system in the first place.
“It’s like a flight data recorder: if you wait long enough, it records over the attack and there’s no evidence they’ve figured that out,” said Phipps. “It makes it harder for people to figure out and do the investigation because all the security tools they have show no data on entry.”
There are also some clear signs that a ransomware attack is getting close to completion. The attackers will attempt to disable Active Directory and domain controllers, and corrupt any backups they can find, as well as disabling any software deployment systems that could be used to push patches or updates. “And then they’ll hit you with the attack,” said Phipps.
Sophos also noted that at this point the gang may attempt to encrypt a few devices just to see if their plan is going to work: “This will show their hand, and attackers will know their time is now limited.”
So how to stop the attackers once they are in? According to Phipps, the most important thing is to get control of the RDP sessions, because that stops the attackers coming in and cuts off their command-and-control access. Other steps, like forcing a password change across core systems, can be useful – but if the hackers are able to use RDP to get back into the network, steps like that will be undermined. It’s also important to monitor for unexpected admin accounts appearing, and firms should consider monitoring or limiting PowerShell usage.
How can you make your organisation a harder, and therefore less attractive, target for ransomware gangs to consider? Keeping software patched and up to date is key here; many ransomware attacks rely on software flaws to work, but most of these flaws have long been fixed by software companies – you just have to administer the patch. For ransomware attacks that come via email, training staff not to click on random links, and combining strong passwords with two-factor authentication across as many systems as possible, will also help to deter or slow down attackers.