Knowing how to detect ransomware is more critical now than ever before.
Ransomware attacks are on the rise. According to recent research, the number of ransomware attacks nearly doubled in the first half of 2021, with the United States being the most targeted country – accounting for roughly 55% of infections.
What is Ransomware?
Ransomware is a form of malware that, once executed, will encrypt the victim’s files, databases, or applications, and hold them to ransom. Once infected, the victim will be presented with a message informing them that they can have their files decrypted on the condition that they pay the ransom – usually in Bitcoin. Recent strains of ransomware use a “triple extortion” technique, which involves taking a copy of the victim’s data before initiating the encryption process. The attackers will then threaten to expose the data to the public if the victim refuses to pay the ransom.
Why is it So Hard to Detect Ransomware?
Firstly, as with most forms of malware, ransomware attacks typically arrive via some form of social engineering technique, and in most cases, organizations only become aware of the attack once all data has been encrypted.
The problem with detecting social engineering attacks is that they are inherently deceitful and tend to prey on unsuspecting victims. Secondly, ransomware attacks are designed to spread very quickly.
Once the targeted organization has been infected, the ransomware script will try to propagate to as many different systems as possible, thus making it very difficult to contain.
If that’s not enough, over the last five years we’ve seen a proliferation of strains known as “file-less ransomware”, which are even harder to detect because they do not write any files to the victim’s disk. File-less ransomware attacks usually take advantage of Microsoft Windows PowerShell, which gives adversaries broad access to almost every part of a Windows environment.
What are the Most Common Ways to Get Infected by Ransomware?
As mentioned already, the majority of ransomware attacks arrive via some kind of social engineering technique, such as phishing. The attacker will usually masquerade as a trusted entity in order to trick the victim into downloading a malicious application.
However, there are numerous other ways that infections can happen. For example, in some cases, the victim will be redirected to a malicious website, which prompts them to install the ransomware program. Alternatively, the website may present a fake login screen, which the attacker will use to harvest credentials, and then use those credentials to launch an attack from within the target organization.
Some forms of ransomware are embedded within applications and plug-ins, which the victims install believing them to be trusted. Although less common, there are cases where the ransomware program is stored on a removable drive, which will automatically execute when the victim connects the drive to their device. Finally, we are starting to see an increase in the number of ransomware attacks that use Remote Desktop Protocol (RDP) to execute the script.
Best Practices for Detecting Ransomware
Most companies will already utilize software solutions such as anti-virus software, spam filters, and sandboxes. However, these days, many strains of ransomware are able to evade such solutions. While there may not be a ‘magic bullet’ when it comes to detecting and preventing ransomware attacks, there are some best practices that organizations should adhere to, which include:
Since employees are the weakest link in this scenario, the obvious first step to take would be to ensure that all employees are able to spot potentially malicious emails, which includes checking for the following:
- Emails that contain suspicious file attachments or links to external sites.
- Emails that are sent from public email domains, such as Gmail, Hotmail, Yahoo!, and so on.
- Emails that are sent from addresses that seem legitimate at first glance, but under closer inspection, are actually fake. A simple example would be something like email@example.com.
- Emails with poor spelling and grammar.
- Emails that create a sense of urgency.
All employees must also be vigilant when visiting suspicious websites, downloading untrusted applications, or using portable drives that they do not own.
An often overlooked, yet reasonably effective way to stop ransomware attacks from spreading is a technique referred to as “threshold alerting”. This involves detecting and responding to events that match a pre-defined threshold condition. For example, if X number of files have been encrypted within a given time frame, a custom script can be executed, which may:
- Disable a user account;
- Stop a specific process;
- Change the firewall settings;
- Backup data from critical systems;
- Shut down or isolate a specific endpoint or server.
Some sophisticated real-time auditing solutions provide template scripts that can be executed in real-time once the threshold condition has been met.
Monitor for Suspicious Network Traffic
Most strains of ransomware use command and control (C&C) servers to communicate with the affected systems, which may include sending commands, storing keys, exfiltrating data, monitoring an organization’s response, and so on. It is a good idea to adopt an Intrusion Prevention System (IPS) to scan for suspicious network traffic and block such communications in real-time.
Honeypots are another effective way to detect ransomware attacks. A honeypot essentially acts as a decoy, by posing as a legitimate file repository. No employees will access the data stored in a honeypot, and so any file activity that takes place in a honeypot must be considered malicious.
Even though setting up honeypots, which can be as simple as creating a bunch of fake folders containing files, is both easy and inexpensive, it is not a technique that is widely adopted.
One of the main issues with honeypots is that there’s no way to guarantee that the ransomware script will fall for them. For example, a technique that is typically employed is to create a folder with a name like aaaHoneyPot, so that it sorts first alphabetically and is therefore likely to be the first folder encrypted. The obvious problem with this approach is that the ransomware program may encrypt the files in a different order.
Regardless, the use of honeypots combined with threshold alerting could help you detect and respond to ransomware attacks before any real files have been encrypted.
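As an added example (not from the original article), the following Python combines the two techniques described above: a sliding-window threshold on file-modifying events per user, and an immediate alert on any activity under a decoy folder like aaaHoneyPot. The share path, user names and audit events are constructed for the example; a real deployment would feed it records from a file-server audit log and hand the alerts to a response script.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit events (timestamp, user, path, action); not real logs.
SAMPLE_EVENTS = [
    ("2021-06-01T09:00:01", "alice", r"\\fs01\shares\finance\q1.xlsx", "WRITE"),
    ("2021-06-01T09:03:15", "alice", r"\\fs01\shares\finance\q2.xlsx", "WRITE"),
    ("2021-06-01T09:10:02", "bob", r"\\fs01\shares\hr\staff.docx", "WRITE"),
    ("2021-06-01T09:10:02", "bob", r"\\fs01\shares\hr\staff.docx.locked", "RENAME"),
    ("2021-06-01T09:10:03", "bob", r"\\fs01\shares\hr\payroll.xlsx", "WRITE"),
    ("2021-06-01T09:10:03", "bob", r"\\fs01\shares\hr\payroll.xlsx.locked", "RENAME"),
    ("2021-06-01T09:10:04", "bob", r"\\fs01\shares\hr\contracts.pdf", "WRITE"),
    ("2021-06-01T09:10:04", "bob", r"\\fs01\shares\hr\contracts.pdf.locked", "RENAME"),
    ("2021-06-01T09:10:05", "bob", r"\\fs01\shares\aaaHoneyPot\budget.xlsx", "WRITE"),
    ("2021-06-01T09:30:00", "carol", r"\\fs01\shares\aaaHoneyPot\notes.txt", "READ"),
]

# Decoy folder nobody should touch (assumed path) and the threshold condition.
HONEYPOT_DIRS = (r"\\fs01\shares\aaaHoneyPot",)
THRESHOLD = 5                    # modifying events per user ...
WINDOW = timedelta(seconds=10)   # ... within this sliding time window
MODIFYING = {"WRITE", "RENAME", "DELETE"}

def detect(events, threshold=THRESHOLD, window=WINDOW, honeypots=HONEYPOT_DIRS):
    """Return alerts as (kind, user, timestamp, detail) tuples, in event order."""
    recent = defaultdict(deque)  # user -> timestamps of modifying events in window
    fired = set()                # users already alerted, so one alert per burst
    alerts = []
    for ts_text, user, path, action in events:
        ts = datetime.fromisoformat(ts_text)
        # Any activity inside the decoy folder is malicious by definition, reads included.
        if any(path.lower().startswith(d.lower() + "\\") for d in honeypots):
            alerts.append(("honeypot", user, ts, path))
            continue
        if action not in MODIFYING:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop events that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and user not in fired:
            fired.add(user)
            alerts.append(("threshold", user, ts,
                           f"{len(q)} modifying events within {window.seconds}s"))
    return alerts

if __name__ == "__main__":
    for kind, user, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {kind:<9} {user:<6} {detail}")
```

Note that alice's two writes minutes apart never trip the threshold, while bob's burst of write-then-rename pairs fires once after the fifth event and his later touch of the decoy folder raises a separate alert, as does carol's read-only access to it.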