Organizations need to monitor for common signs of imminent ransomware attacks, according to Peter Mackenzie from Sophos. In an article for the Saudi Gazette, Mackenzie outlines five technical indicators that often precede a ransomware attack. These are signs that attackers are already in your network and are moving laterally or staging the ransomware before executing it.
These incidents usually begin after the attacker compromises a single device on your network, typically via a phishing email or an exposed, weakly protected service such as RDP.
“Attacks typically start when an attacker gains control of one machine they can use as a foothold, from which they begin to profile the target organization: is this a Mac or Windows workstation; what’s the domain and company name; what kind of admin rights does the computer have,” Mackenzie writes. “Next, attackers will want to know what else is on the network and what they can access. The easiest way to determine this is to scan the network. If you detect a network scanner, such as AngryIP or Advanced Port Scanner, query the admin staff to make sure they weren't responsible for leaving it there. If no one recalls using the scanner, it's time to investigate.”
Organizations should also monitor for legitimate, dual-use software that attackers abuse to tamper with or remove security tools once they hold administrative rights.
“Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, or PC Hunter,” Mackenzie says. “These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared.”
The presence of the credential-dumping tool Mimikatz on a machine is a serious indicator that an attacker is in your network and harvesting passwords, hashes, or tickets for lateral movement. Security teams should also be watching for suspicious patterns of behavior that don’t have a clear explanation.
“Any detection happening at the same time every day, or in a repeating or regular pattern or tempo, is often an indication that something else is going on, even if malicious files have been detected and removed,” Mackenzie says. “Security teams should ask ‘why is it coming back?’”
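The indicators above (network scanners, tampering tools, Mimikatz, and detections that recur on a schedule) can be turned into a simple hunt over endpoint telemetry. The following Python is an added example written for this page, not code from Sophos or the Saudi Gazette article. The record schema (ts, host, user, image, original_file_name, threat, action) is an assumed normalised form of what a Sysmon process-creation feed and an AV/EDR detection feed would give you after parsing, the binary-name substrings are illustrative, and all sample events are constructed.

```python
"""Hunt for pre-ransomware precursor indicators over endpoint telemetry.

Added example for this page, not the article's own code. The record
fields and the tool-name substrings are assumptions; the events are
constructed sample data, not real logs.
"""
from datetime import datetime

# Dual-use tools named in the article, keyed by a lower-case substring the
# binary name typically contains. Illustrative: tune these to how the tools
# actually appear in your environment, and beware of short, noisy needles.
DUAL_USE_TOOLS = {
    "ipscan": "network scanner (Angry IP Scanner)",
    "advanced_port_scanner": "network scanner (Advanced Port Scanner)",
    "processhacker": "security-software tampering (Process Hacker)",
    "iobituninstal": "security-software tampering (IObit Uninstaller)",
    "gmer": "security-software tampering (GMER)",
    "pchunter": "security-software tampering (PC Hunter)",
    "mimikatz": "credential theft (Mimikatz)",
}


def classify_image(image, original_file_name=None):
    """Return the tool category for a process image, or None if not listed.

    Attackers routinely rename binaries, so the PE header's OriginalFileName
    (which Sysmon records) is checked in addition to the on-disk name.
    """
    candidates = [image.replace("\\", "/").rsplit("/", 1)[-1]]
    if original_file_name:
        candidates.append(original_file_name)
    for name in candidates:
        lowered = name.lower()
        for needle, category in DUAL_USE_TOOLS.items():
            if needle in lowered:
                return category
    return None


def flag_dual_use_tools(process_events):
    """One hit per process-creation record whose image matches a listed tool."""
    hits = []
    for ev in process_events:
        category = classify_image(ev["image"], ev.get("original_file_name"))
        if category:
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "image": ev["image"], "category": category})
    return hits


def find_recurring_detections(av_events, min_count=3, tolerance=0.1):
    """Find (host, threat) pairs whose detections recur on a regular tempo.

    If every gap between consecutive detections is within `tolerance` of the
    mean gap, something is re-dropping the file on a schedule even though the
    AV keeps reporting it cleaned: the persistence mechanism is still there.
    """
    by_key = {}
    for ev in av_events:
        key = (ev["host"], ev["threat"])
        by_key.setdefault(key, []).append(datetime.fromisoformat(ev["ts"]))
    findings = []
    for (host, threat), stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            findings.append({"host": host, "threat": threat, "count": len(stamps),
                             "period_hours": round(mean / 3600, 2)})
    return findings


# Constructed sample telemetry (not real logs). Note the renamed Mimikatz
# binary on WS-042, only caught via OriginalFileName.
PROCESS_EVENTS = [
    {"ts": "2021-03-01T09:12:01", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\ipscan.exe", "original_file_name": "ipscan.exe"},
    {"ts": "2021-03-01T09:40:33", "host": "WS-042", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\Temp\\svch0st.exe", "original_file_name": "mimikatz.exe"},
    {"ts": "2021-03-02T02:15:09", "host": "FS-01", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\Process Hacker 2\\ProcessHacker.exe",
     "original_file_name": "ProcessHacker.exe"},
    {"ts": "2021-03-02T10:05:44", "host": "WS-017", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE"},
]

AV_EVENTS = [
    # FS-01: same threat cleaned at ~03:00 three days running -> regular tempo
    {"ts": "2021-03-01T03:00:12", "host": "FS-01", "threat": "Generic.Dropper", "action": "cleaned"},
    {"ts": "2021-03-02T03:00:08", "host": "FS-01", "threat": "Generic.Dropper", "action": "cleaned"},
    {"ts": "2021-03-03T03:00:15", "host": "FS-01", "threat": "Generic.Dropper", "action": "cleaned"},
    # WS-017: a single detection, nothing to correlate
    {"ts": "2021-03-02T14:22:00", "host": "WS-017", "threat": "Adware.Toolbar", "action": "cleaned"},
    # WS-042: three detections at irregular gaps -> not a schedule
    {"ts": "2021-03-01T11:00:00", "host": "WS-042", "threat": "Generic.Dropper", "action": "cleaned"},
    {"ts": "2021-03-01T18:30:00", "host": "WS-042", "threat": "Generic.Dropper", "action": "cleaned"},
    {"ts": "2021-03-03T07:10:00", "host": "WS-042", "threat": "Generic.Dropper", "action": "cleaned"},
]


if __name__ == "__main__":
    for hit in flag_dual_use_tools(PROCESS_EVENTS):
        print(f"[tool] {hit['ts']} {hit['host']} {hit['user']}: {hit['image']} -> {hit['category']}")
    for f in find_recurring_detections(AV_EVENTS):
        print(f"[tempo] {f['host']} {f['threat']}: {f['count']} detections every ~{f['period_hours']}h")
```

Name matching is deliberately the weakest link here: the OriginalFileName check catches a lazily renamed binary, but a recompiled or packed build will not match, so in production you would also key on file hashes, code-signing details, or EDR behavioural rules. A "tempo" finding should be treated as Mackenzie suggests: the file being cleaned is not the problem, the scheduled task, service, or remote session that keeps re-dropping it is.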
Finally, you should watch for small test attacks, such as the ransomware being run on a handful of machines, which may indicate the attackers are checking that it executes and evades your defenses before launching the primary attack.
Of course, the easiest way to prevent a ransomware attack is to stop the hackers from entering your network in the first place. New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to recognize phishing emails and other social engineering attacks.
The Saudi Gazette has the story.