One of the biggest challenges we face when it comes to protecting our networks from ransomware attacks is that there are very few warning signs that we can watch out for.
A typical ransomware attack would arrive in the form of an email attachment, and as soon as the attachment is opened, the malicious program will begin encrypting the users’ files.
There are, however, certain vulnerabilities and events we can look out for, that will help us minimize the likelihood of an attack, detect ransomware attacks more easily, or at least prevent the attack from spreading.
As mentioned above, most ransomware attacks arrive in the form of an email attachment. In which case, you need to ensure that you are using a sophisticated email filtering and monitoring solution, which not only flags suspicious emails but also provides information to the administrators about why the email was flagged. For example, if an email has an attachment with a .zip or .exe file extension, the administrator should be alerted, as this is more than likely a malicious attachment.
This can allow them to issue a warning to their employees and advise them to be vigilant. Of course, you cannot monitor an employee’s personal email account; however, you should monitor business email accounts, especially those that are associated with privileged users.
Administrators should also be alerted when an email is sent from a public email domain, such as Gmail.com. Ideally, your solution should be able to detect grammatical mistakes, as many spammers are from non-English-speaking countries.
It should also check for misspelled domain names, suspicious HTML elements such as buttons, and messages/attachments that contain certain keywords, such as invoice, FedEx, financial statement, notification, and so on.
Unpatched Operating Systems
While not directly associated with ransomware, it is crucially important that all software is patched as soon a vulnerability is found. Let’s not forget the WannaCry ransomware attack in May 2017, which infected hundreds of thousands of computers across the globe.
The attack exploited a vulnerability found in the Windows implementation of the Server Message Block (SMB) protocol, even-though a patch was available as much as two months prior to the attack.
To get around this problem, it is a good idea to use an automated patch management solution.
Events That Match A Threshold Condition
These days, most sophisticated real-time auditing solutions are capable of detecting and responding to events that match a pre-defined threshold condition.
They can detect and respond to multiple failed login attempts, which will provide a warning sign to the administrators that they might be under attack. However, in the context of ransomware attacks, they can detect and respond to events where multiple files have been encrypted within a given timeframe.
While this won’t prevent a ransomware attack from being initiated, it can at least prevent the attack from spreading, and mitigate the need to restore a full backup, assuming you have one.
Remote Access Using RDP
Microsoft’s Remote Desktop Protocol (RDP) is used to allow end-users to remotely access files and applications stored on an organization’s server. However, RDP is often used by attackers to deploy ransomware, and it is becoming one of the most popular attack vectors, as increasingly more employees are working from home.
Attackers typically start by scanning the entire Internet for exposed RDP ports using open-source port-scanning tools, such as AngryIP or Advanced Port Scanner. The attacker will then try to gain access to the network using stolen credentials or by trying to brute-force their way in.
Once they have gained access to the network, they will try to disable or disrupt as many security systems as they can, which may include deleting backups, disabling antivirus software, or changing configuration settings.
Finally, they will deliver the payload, or in other words, they will install the ransomware program. Fortunately, there are solutions available that can monitor the status of the RDP service in real-time, as well as detect and respond to multiple failed login attempts (as mentioned above).
Using a real-time auditing solution, you should detect and respond to the deletion of any backups, since there is little reason for anyone to delete a backup. To disable anti-virus software, attackers will likely use software such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter.
As such, you will need to scan your network regularly for these types of applications.
The Presence of Mimikatz
Mimikatz is a commonly used hacking tool that is mostly used for stealing credentials. It works by exploiting Windows Server’s single sign-on (SSO) functionality and was used to carry out the NotPetya and BadRabbit ransomware attacks.
While it is theoretically possible to use endpoint security tools and anti-virus software to detect known variants of Mimikatz, they are not always effective in doing so. Not only that, but since an attacker must have root access to use Mimikatz in the first place, the attacker has already circumvented your perimeter defenses. In which case, the best way to protect yourself from MimiKatz-based ransomware attacks would be to first ensure that admin privileges are only granted to users who really need them.
You will also need to monitor user behavior for unusual activity. This is typically done using machine learning algorithms which learn typical usage patterns, and then fire an alert when these patterns deviate beyond a given threshold. However, as opposed to monitoring regular files and folders, you will need to pay close attention to the Server Message Block (SMB) activity.
Test Ransomware Attacks
In some cases, attackers will carry out test ransomware attacks on a small subset of network devices to see if the ransomware executes successfully. If the deployment fails, for whatever reason, the attackers will try a different approach, and continue until they are successful. Naturally, if you can detect these test attacks in a timely manner, you can prepare yourself accordingly.
Inactive User Accounts
While not directly related to ransomware, it is a good idea to use a real-time auditing solution to automatically detect and manage inactive user accounts. Of course, the discovery of inactive user accounts doesn’t directly imply that you will subject to a ransomware attack, however, attackers often target inactive user accounts to deploy ransomware and other such attacks.
At Lepide, we have developed a Data Security Platform that enables users to automatically detect and react to the potential signs of ransomware attacks. If you’d like to see how it works, schedule a demo with one of our engineers today.