Knowing how to detect ransomware is more critical now than ever before.
Ransomware attacks are on the rise. According to recent research, the number of ransomware attacks nearly doubled in the first half of 2021, with the United States being the most targeted country – accounting for roughly 55% of infections.
What is Ransomware and How Does it Work?
Ransomware is a form of malware that encrypts the victim’s data and holds it to ransom. Once the victim’s data has been encrypted, they will be presented with a message informing them that they must pay a ransom, usually in Bitcoin, in order to get access to the decryption key. Recent strains of ransomware use the “double extortion” technique, which involves taking a copy of the victim’s data before initiating the encryption process. The attackers will then threaten to expose the data to the public if the victim refuses to pay the ransom.
Common Ransomware Attacks
The majority of ransomware attacks arrive via email, using some kind of social engineering technique such as phishing. The attacker will usually masquerade as a trusted entity in order to trick the victim into downloading a malicious application.
However, there are numerous other ways that infections can happen. For example, in some cases, the victim will be redirected to a malicious website, which prompts them to install the ransomware program. Alternatively, the website may present a fake login screen, which the attacker will use to harvest credentials, and then use those credentials to launch an attack from within the target organization.
Some forms of ransomware are embedded within applications and plug-ins, which the victims install believing them to be trusted. Although less common, there are cases where the ransomware program is stored on a removable drive, which will automatically execute when the victim connects the drive to their device. We are also starting to see an increase in the number of ransomware attacks that use Remote Desktop Protocol (RDP) to execute the script.
Signs of a Ransomware Attack
It takes an estimated forty-three minutes for the average ransomware variant to encrypt 100,000 files. Naturally, different companies will store a different number of files, and so it is difficult to accurately predict how long it will take for a ransomware attack to fully unfold. However, assuming that companies have the right solutions in place, even a small time window can be enough to stop an attack in its tracks. Of course, in order to prevent a ransomware attack from spreading, there are signs that you will need to look out for, which include:
- A spike in disk activity, as the ransomware script searches for, and encrypts the files on your system.
- Poor system performance, as the script uses up system resources to perform searches and encrypt the files.
- The creation of new accounts, especially privileged accounts.
- Suspicious inbound and outbound network traffic, as the ransomware script communicates with the Command & Control (C&C) Server.
- The installation of unauthorized software, as attackers install various tools, such as Mimikatz, to help them exploit vulnerabilities, and carry out other relevant tasks.
- Security systems are being tampered with, in an attempt to thwart monitoring activities.
- Backups are being tampered with, in an attempt to prevent the victim from restoring their files.
- Ports are being scanned inside your network, thus suggesting that the attackers are trying to move laterally from one system to another.
- Applications are no longer working, as the files they depend on are being encrypted.
Why You Need Early Ransomware Detection
Naturally, the earlier you identify any type of cyber-attack, the better your chances of preventing it or at least stopping the attack from spreading.
This is especially true for Ransomware, as the damage that can be caused by a ransomware attack can be irreversible.
After all, even if the victim pays the ransom, there’s no guarantee that the attackers will hand over the decryption key, and if they extracted copies of your data before initiating the attack, you will never know what they will do with those copies.
In short, the faster you are able to respond to a ransomware attack, the less chance the attacker will have to steal your sensitive data and disrupt your systems.
Common Challenges in Ransomware Detection
One of the reasons why ransomware attacks are successful is that they can penetrate your network via a large number of endpoints, and then execute in a covert manner. Below are the most common challenges associated with ransomware detection.
Employees are the weakest link
As with most forms of malware, ransomware attacks typically arrive via some form of social engineering technique, and in most cases, organizations only become aware of the attack once all data has been encrypted. The problem with detecting social engineering attacks is that they are inherently deceitful and tend to prey on unsuspecting victims.
Ransomware attacks spread very quickly
Once the targeted organization has been infected, the ransomware script will try to propagate to as many different systems as possible, thus making it very difficult to contain.
Some strains don’t leave a trace
Over the last five years we’ve seen a proliferation of strains known as “file-less ransomware”, which are even harder to detect than other strains as they do not install any files on the victim’s device. File-less ransomware attacks usually take advantage of Microsoft Windows PowerShell, which gives adversaries access to pretty much everything and anything in a Windows environment.
Tips and Techniques to Detect a Ransomware Attack
Most companies will already utilize software solutions such as anti-virus software, spam filters, and sandboxes. However, these days, many strains of ransomware are able to evade such solutions. While there may not be a ‘magic bullet’ when it comes to detecting and preventing ransomware attacks, there are some best practices that organizations should adhere to, which include:
Since employees are the weakest link in this scenario, the obvious first step to take would be to ensure that all employees are able to spot potentially malicious emails, which includes checking for the following:
- Emails that contain suspicious file attachments or links to external sites.
- Emails that are sent from public email domains, such as Gmail, Hotmail, Yahoo!, and so on.
- Emails that are sent from addresses that seem legitimate at first glance, but under closer inspection, are actually fake. A simple example would be something like email@example.com.
- Emails with poor spelling and grammar.
- Emails that create a sense of urgency.
All employees must also be vigilant when visiting suspicious websites, downloading untrusted applications or using portable drives which they do not own.
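The email checks above can be encoded as simple mail-triage rules. The following is an added example written for this article, not Lepide’s code or the logic of any mail filter: it assumes the organization owns example.com, that a short list of public webmail domains, risky attachment types and urgency phrases is good enough for a first pass, and it does not attempt to score spelling. The lookalike check uses edit distance so that a sender domain one or two characters away from the real one (the “seems legitimate at first glance” case) is flagged.

```python
"""Rule-based triage of constructed email messages against the phishing checks above.

Added example for this article, not Lepide's code. The organization's own
domain (example.com), the public-domain list, the risky attachment types and
the urgency phrases are assumptions. Spelling quality is not scored here.
"""
import re
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com"}  # constructed: the organization's own domain(s)
PUBLIC_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "aol.com"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "final notice")
URL_RE = re.compile(r"https?://([^\s/>'\"]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, if it is within two edits of it."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def is_internal_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def triage(msg: dict) -> List[str]:
    """Return the reasons a message looks suspicious (empty list = nothing found)."""
    reasons: List[str] = []
    domain = sender_domain(str(msg["from"]))
    if domain in PUBLIC_DOMAINS:
        reasons.append(f"sender uses public email domain {domain}")
    trusted = lookalike_of(domain)
    if trusted:
        reasons.append(f"sender domain {domain} resembles trusted domain {trusted}")
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
    for host in URL_RE.findall(str(msg.get("body", ""))):
        host = host.lower().split(":")[0]          # drop an explicit port
        if not is_internal_host(host):
            reasons.append(f"link to external site: {host}")
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    hit = next((p for p in URGENCY_PHRASES if p in text), None)
    if hit:
        reasons.append(f"urgency cue: '{hit}'")
    return reasons


# Constructed messages for the demonstration, not real mail.
PHISH = {
    "from": "IT Support <helpdesk@examp1e.com>",
    "subject": "URGENT: password reset required",
    "body": "Your account will be suspended. Reset now at http://login-portal.example.net/reset",
    "attachments": ["invoice.docm"],
}
PUBLIC_SENDER = {
    "from": "Bob <bob.vendor@gmail.com>",
    "subject": "Invoice",
    "body": "Please find the invoice attached.",
    "attachments": ["invoice.pdf"],
}
LEGIT = {
    "from": "Alice <alice@example.com>",
    "subject": "Q3 figures",
    "body": "Draft attached, see https://intranet.example.com/q3 for last year's numbers.",
    "attachments": ["q3.xlsx"],
}

if __name__ == "__main__":
    for m in (PHISH, PUBLIC_SENDER, LEGIT):
        print(m["from"], "->", triage(m) or "no findings")
```

Run it directly to see each constructed message’s findings. Rules like these are best used to quarantine and flag a message for review rather than to block outright, because the public-domain rule on its own will also catch legitimate mail from small suppliers who use webmail.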
An often overlooked, yet reasonably effective way to prevent ransomware attacks from spreading is a technique referred to as “threshold alerting”. This involves detecting and responding to events that match a pre-defined threshold condition. For example, if X number of files have been encrypted within a given time frame, a custom script can be executed, which may:
- Disable a user account;
- Stop a specific process;
- Change the firewall settings;
- Backup data from critical systems;
- Shut down or isolate a specific endpoint or server.
Some sophisticated real-time auditing solutions provide template scripts that can be executed in real-time once the threshold condition has been met.
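Here is what threshold alerting looks like in code, covering both the disk-activity sign listed earlier and the “X files within a given time frame” rule described above. It is an added example for this article and not Lepide’s scripting or template: the audit-event fields, the 60-second window, the thresholds, the list of suspect extensions and the response action names are all assumptions. It keeps one sliding window per user-and-host pair, fires once per reason, and treats renames to a known encryptor extension as a much stronger signal than raw volume, since a handful of those is far rarer in normal use than twenty ordinary saves.

```python
"""Sliding-window threshold alerting over constructed file-audit events.

Added example for this article; it is not Lepide's code and does not use its
product. Event fields, threshold values, the suspect-extension list and the
response action names are all assumptions chosen for the illustration.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

# Extensions that encrypted files are often renamed to (constructed list, not exhaustive).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}


@dataclass
class FileEvent:
    ts: float     # seconds since epoch, as a file-server audit log would record it
    user: str
    host: str
    action: str   # "modify", "rename" or "delete"
    path: str     # for a rename, the new path


@dataclass
class Alert:
    user: str
    host: str
    reason: str
    count: int
    window_s: int
    # Names of response steps an orchestrator would run; placeholders only.
    actions: List[str] = field(default_factory=lambda: [
        "disable_account", "isolate_host", "snapshot_backups"])


class ThresholdDetector:
    """Keep one sliding window per (user, host) and fire once per reason.

    Two thresholds are tracked: total file operations, and renames to a
    suspect extension, which get a much lower threshold because they are
    rare in normal use.
    """

    def __init__(self, max_events: int = 20, max_suspect: int = 5, window_s: int = 60):
        self.max_events = max_events
        self.max_suspect = max_suspect
        self.window_s = window_s
        self._all: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._suspect: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._fired: Set[Tuple[Tuple[str, str], str]] = set()  # (key, reason) already alerted

    def _push(self, window: Deque[float], ts: float) -> None:
        window.append(ts)
        while window and ts - window[0] > self.window_s:   # drop events outside the window
            window.popleft()

    def _fire(self, key: Tuple[str, str], reason: str, count: int) -> Optional[Alert]:
        if (key, reason) in self._fired:
            return None
        self._fired.add((key, reason))
        return Alert(key[0], key[1], reason, count, self.window_s)

    def feed(self, ev: FileEvent) -> List[Alert]:
        key = (ev.user, ev.host)
        alerts: List[Optional[Alert]] = []
        self._push(self._all[key], ev.ts)
        if len(self._all[key]) > self.max_events:
            alerts.append(self._fire(key, "volume", len(self._all[key])))
        ext = os.path.splitext(ev.path)[1].lower()
        if ev.action == "rename" and ext in SUSPECT_EXTENSIONS:
            self._push(self._suspect[key], ev.ts)
            if len(self._suspect[key]) > self.max_suspect:
                alerts.append(self._fire(key, "suspect-extension", len(self._suspect[key])))
        return [a for a in alerts if a is not None]


def run(events: List[FileEvent], detector: Optional[ThresholdDetector] = None) -> List[Alert]:
    """Replay events in time order and collect every alert raised."""
    detector = detector or ThresholdDetector()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(detector.feed(ev))
    return alerts


def sample_events() -> List[FileEvent]:
    """Constructed audit trail: a normal user editing a few documents, then a
    compromised account renaming 25 spreadsheets to *.locked within 25 seconds."""
    events = [FileEvent(10.0 * i, "alice", "WS01", "modify", f"share/hr/policy{i}.docx")
              for i in range(5)]
    events += [FileEvent(100.0 + i, "bob", "FS01", "rename", f"share/finance/report{i}.xlsx.locked")
               for i in range(25)]
    return events


if __name__ == "__main__":
    for a in run(sample_events()):
        print(f"{a.user}@{a.host}: {a.reason} ({a.count} events in {a.window_s}s) -> {a.actions}")
```

With the constructed trail, the suspect-extension rule fires on the sixth rename, fifteen events before the raw-volume rule does; that gap is the reason to key thresholds to specific behaviours rather than to activity counts alone. Tune the window and counts against a week of your own audit logs before wiring the actions list to anything that disables accounts.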
Monitor for Suspicious Network Traffic
Most strains of ransomware use command and control (C&C) servers to communicate with the affected systems, which may include sending commands, storing keys, exfiltrating data, monitoring an organization’s response, and so on. It is a good idea to adopt an Intrusion Prevention System (IPS) to scan for suspicious network traffic and block such communications in real-time.
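One pattern an IPS, or a simple script over flow logs, can look for is beaconing: a host contacting the same external address at a near-fixed interval, which is how implants typically check in with a C&C server, while a person browsing produces irregular gaps. The code below is an added example for this article, not Lepide’s code or the detection logic of any IPS product; the log line format, the TEST-NET addresses and the thresholds (at least six connections, coefficient of variation of the gaps below 0.1) are assumptions.

```python
"""Beacon detection over constructed outbound connection records.

Added example for this article, not Lepide's code or any IPS product's logic.
The log line format, the TEST-NET addresses and the thresholds are assumptions.
Malware checking in with a C&C server tends to connect at a near-fixed interval,
whereas a person browsing produces irregular gaps between connections.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
BASE = datetime(2021, 6, 1, 10, 0, tzinfo=timezone.utc)


def _line(offset_s: int, src: str, dst: str, dport: int, nbytes: int) -> str:
    """Build one constructed flow record in the assumed 'key=value' format."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FORMAT)
    return f"{ts} src={src} dst={dst} dport={dport} bytes={nbytes}"


# Constructed log: WS01 (10.0.0.5) checks in with 203.0.113.10 roughly every 60 s,
# browses an intranet host at irregular times, and makes a few one-off connections.
SAMPLE_LOG = (
    [_line(t, "10.0.0.5", "203.0.113.10", 443, 812)
     for t in (0, 60, 121, 180, 239, 300, 361, 420, 479, 540)]
    + [_line(t, "10.0.0.5", "10.0.20.8", 443, n)
       for t, n in zip((0, 5, 47, 52, 130, 135, 400, 405, 900, 1805),
                       (1400, 23000, 900, 51000, 3100, 700, 12000, 600, 8800, 2200))]
    + [_line(t, "10.0.0.5", "198.51.100.7", 80, 5000) for t in (33, 700, 1200)]
)


def parse(line: str) -> Tuple[datetime, str, str, int, int]:
    """Split '<ts> src=.. dst=.. dport=.. bytes=..' into typed fields."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    return ts, kv["src"], kv["dst"], int(kv["dport"]), int(kv["bytes"])


def find_beacons(lines: List[str], min_conns: int = 6,
                 max_cv: float = 0.1) -> Dict[Tuple[str, str], float]:
    """Return {(src, dst): coefficient of variation} for pairs whose inter-connection
    gaps are nearly constant. CV = stdev / mean; a low value means regular timing."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, dst, _dport, _nbytes = parse(line)
        by_pair[(src, dst)].append(ts)

    flagged: Dict[Tuple[str, str], float] = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:       # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            flagged[pair] = round(cv, 4)
    return flagged


if __name__ == "__main__":
    for (src, dst), cv in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst} (interval CV={cv})")
```

Legitimate software also beacons (update checks, monitoring agents, cloud sync), so in practice this runs behind an allow list of known destinations, and a hit is enriched with the destination’s reputation and the volume of data moving outbound before anyone blocks it. Some implants randomise their sleep interval to defeat exactly this test, which is why it belongs alongside, not instead of, the file-activity thresholds discussed earlier.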
Honeypots are another effective way to detect ransomware attacks. A honeypot essentially acts as a decoy, by posing as a legitimate file repository. No employees will access the data stored in a honeypot, and so any file activity that takes place in a honeypot must be considered malicious.
Even though setting up honeypots, which can be as simple as creating a bunch of fake folders containing files, is both easy and inexpensive, it is not a technique that is widely adopted.
One of the main issues with honeypots is that there’s no way to guarantee that the ransomware script will fall for them. For example, a technique that is typically employed is to create a folder like aaaHoneyPot, which should ensure that it will be the first folder to be encrypted. The obvious problem with this solution is that the ransomware program may encrypt the files in a different order. Regardless, the use of honeypots combined with threshold alerting could help you detect and respond to ransomware attacks before any real files have been encrypted.
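The honeypot idea from the last three paragraphs is cheap to try out. The script below is an added example for this article, not Lepide’s code: it creates a decoy folder named aaaHoneyPot alongside a normal folder in a temporary directory, records a SHA-256 baseline of the decoys, simulates an encryptor overwriting one decoy and dropping a new file, and reports every change. The decoy names, their contents and the simulated tampering are constructed.

```python
"""Honeypot (decoy folder) integrity check, run against a temporary directory.

Added example for this article, not Lepide's code. The decoy folder name,
decoy file names and contents, and the tampering simulated in demo() are
all constructed for the illustration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Decoy files that no employee has a reason to open (constructed content).
DECOY_FILES = {
    "budget_2021.xlsx": b"decoy spreadsheet bytes - constructed placeholder",
    "passwords.docx": b"decoy document bytes - constructed placeholder",
    "customer_list.csv": b"name,email\nconstructed,decoy@example.com\n",
}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Any change at all to a honeypot is suspicious, so report every category."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def create_honeypot(parent: str, name: str = "aaaHoneyPot") -> str:
    """Create the decoy folder; the 'aaa' prefix makes it sort first in a listing."""
    root = os.path.join(parent, name)
    os.makedirs(root, exist_ok=True)
    for fname, content in DECOY_FILES.items():
        with open(os.path.join(root, fname), "wb") as f:
            f.write(content)
    return root


def first_folder_in_listing(share: str) -> str:
    """Case-insensitive sort, as a Windows file listing would show it."""
    return sorted(os.listdir(share), key=str.lower)[0]


def demo() -> Tuple[Dict[str, List[str]], str]:
    """Build a fake share, baseline the honeypot, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as share:
        honeypot = create_honeypot(share)
        os.makedirs(os.path.join(share, "Finance"))
        baseline = snapshot(honeypot)

        # Simulate what an encryptor does to the decoys: overwrite one, drop a new file.
        with open(os.path.join(honeypot, "budget_2021.xlsx"), "wb") as f:
            f.write(b"\x00\xff constructed stand-in for ciphertext")
        with open(os.path.join(honeypot, "dropped_note.txt"), "w") as f:
            f.write("constructed marker file standing in for a dropped note")

        return diff(baseline, snapshot(honeypot)), first_folder_in_listing(share)


if __name__ == "__main__":
    changes, first = demo()
    print("first folder in listing:", first)
    for kind, paths in changes.items():
        if paths:
            print(f"{kind}: {paths}")
```

Because a honeypot is never legitimately touched, the check needs no tuning: any entry in any of the three lists is an alert, and on a real share it would be driven by the file server’s audit events rather than by periodic re-hashing. The first_folder_in_listing helper shows the aaa prefix sorting first in a case-insensitive listing; that is the ordering assumption the text warns may not hold for a given strain, which is why the honeypot check is paired with threshold alerting rather than relied on alone.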
How Lepide Helps in Ransomware Detection
The Lepide Data Security Platform can help to secure your accounts and data – before, during, and after a ransomware attack. To start with, you need to ensure that regular users only have access to the data they need to perform their role.
If access controls are assigned responsibly, were an employee to fall victim to a phishing attack and install the ransomware application, it would only be able to encrypt a relatively small number of files.
The Lepide Data Security Platform will help you discover and classify your critical assets, thus making it easier to assign the appropriate access controls. It will also help you identify which regular users have access to sensitive data.
Once an attack has been initiated, Lepide can help you prevent the attack from spreading by automating a response to events that match a pre-defined threshold condition, such as when an unusually large number of files are being copied to an external server, or encrypted within a given time-frame.
As mentioned above, a custom script can be executed to perform a number of operations that can help to stop the attack in its tracks. It’s also a good idea to use a real-time auditing solution to detect and respond to changes made to your backups (assuming they are stored on the same system), as changes to backups may suggest that an attacker is trying to delete or encrypt them.
You will also need to keep track of any newly created accounts, as attackers often try to use new accounts in order to operate in a stealthy manner.
Following a ransomware attack, you will need to carry out a forensic analysis of the events that took place prior to the attack, to ensure that you are able to prevent the attack from reoccurring and to ensure that the attacker no longer has access to your network.
In addition to closely monitoring privileged accounts, the Lepide Data Security Platform will provide a summary of all events that took place prior to the incident, via a single dashboard, with various options for sorting and searching.