Ransomware Red Flags: 7 Signs You're About to Get Hit
Caught off guard by a ransomware attack? Security experts say the warning signs were there all along.
It's every security pro's nightmare: Your company has been hit with ransomware, and every machine and server has been encrypted.
Shocked? Likely, but security experts say the warning signs were there all along. Misdirected DNS requests, bad VPN reboots, and Active Directory login failures should have been setting off alarms that a ransomware attack was in progress.
It doesn't have to be this way. According to Tarik Saleh, a senior security engineer and malware researcher at DomainTools, mitigation efforts begin with evaluating how vulnerable your company is to exploits. For example, are you leaving databases exposed on the public Internet?
"You first have to ask yourself how your business stands in the eyes of the attackers," Saleh says.
And once attackers are in your network, you have anywhere from 48 hours to 12 days before they pull the trigger, says Mike Hamilton, CISO of CI Security.
What key warning signs should you be on the lookout for as you develop a ransomware mitigation plan? Keep reading.
CI Security's Hamilton advises security teams to monitor Active Directory for login failures. For example, if you see three login failures in a row on RDP servers, that's a surefire sign the network has been attacked. The same holds for administrative login failures. Because companies didn't have time to prepare for COVID-19, and it looks like working from home will go on for the foreseeable future, it's time to develop a safe list of good IP addresses, Hamilton adds.
According to Awake Labs vice president Jason Bevis, who recently published a blog about ransomware warning signs, you should also look for brute-force attacks on RDP systems. Once in the network, attackers typically look for additional passwords. You also need to watch for unusual file-copying activity, especially of .bat, .zip, .txt, and other common files. It's not common for one account to copy files to and from multiple user accounts or devices. There are also situations where the attackers could have compromised administrative accounts and start copying files. The attackers also use these accounts to persist and quickly encrypt the file systems.
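The login-failure checks Hamilton and Bevis describe above (three failures in a row on an RDP server, any failed administrative logon, brute-force attempts against RDP, and a safe list of known-good source IPs) can be expressed as a small detection routine over Windows Security events. The code below is an added example, not from the article or any vendor named in it; the log lines are constructed, and the RDP server names, admin account names, safe-list ranges and the brute-force threshold of 10 failures in 5 minutes are assumptions.

```python
"""Detect consecutive, administrative and brute-force failed logons.

Constructed sample lines (not real logs), pipe-delimited:
    timestamp|event_id|host|account|source_ip|logon_type
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumptions, not from the article: which hosts are RDP servers, which
# accounts are privileged, and which source ranges are on the safe list.
RDP_SERVERS = {"rds01", "rds02"}
ADMIN_ACCOUNTS = {"administrator", "backup-adm"}
SAFE_LIST = [ipaddress.ip_network("10.20.0.0/16"),
             ipaddress.ip_network("203.0.113.0/24")]
CONSECUTIVE_LIMIT = 3                    # "three login failures in a row"
BRUTE_FORCE_LIMIT = 10                   # assumed: failures per source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window

SAMPLE_LOG = """\
2020-06-01T09:00:01|4625|rds01|jsmith|10.20.4.7|10
2020-06-01T09:00:05|4624|rds01|jsmith|10.20.4.7|10
2020-06-01T02:10:00|4625|rds01|jsmith|198.51.100.9|10
2020-06-01T02:10:02|4625|rds01|jsmith|198.51.100.9|10
2020-06-01T02:10:04|4625|rds01|jsmith|198.51.100.9|10
2020-06-01T02:11:00|4625|fs01|backup-adm|10.20.9.3|3
""" + "\n".join(f"2020-06-01T02:12:{i:02d}|4625|rds02|user{i}|198.51.100.9|10"
                for i in range(10))


def parse(text):
    """Parse the constructed log format and return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, host, account, source_ip, logon_type = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "host": host,
            "account": account.lower(),
            "source_ip": ipaddress.ip_address(source_ip),
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def on_safe_list(ip):
    return any(ip in net for net in SAFE_LIST)


def analyze(events):
    """Return a list of alert dicts, one per triggered rule."""
    alerts = []
    streak = defaultdict(int)              # (host, account) -> failures in a row
    recent_by_source = defaultdict(deque)  # source ip -> recent failure times
    for e in events:
        key = (e["host"], e["account"])
        if e["event_id"] == 4624:          # a success ends the streak
            streak[key] = 0
            continue
        if e["event_id"] != 4625:
            continue
        base = {"time": e["time"].isoformat(), "host": e["host"],
                "account": e["account"], "source_ip": str(e["source_ip"]),
                "on_safe_list": on_safe_list(e["source_ip"])}
        streak[key] += 1
        if streak[key] == CONSECUTIVE_LIMIT and e["host"] in RDP_SERVERS:
            alerts.append({"type": "consecutive_failures", **base})
        if e["account"] in ADMIN_ACCOUNTS:
            alerts.append({"type": "admin_failure", **base})
        window = recent_by_source[e["source_ip"]]
        window.append(e["time"])
        while window and e["time"] - window[0] > BRUTE_FORCE_WINDOW:
            window.popleft()
        if len(window) == BRUTE_FORCE_LIMIT:   # fire once when the limit is hit
            alerts.append({"type": "brute_force", "count": len(window), **base})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse(SAMPLE_LOG)):
        print(alert)
```

The `on_safe_list` flag is carried on every alert rather than used to suppress them: a streak of failures from a known-good range is still worth a look, but a triage analyst can sort unknown sources to the top.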
All WinSysLog files should be sent to a security information and event management (SIEM) system for analysis because it can detect whether files are being encrypted, DomainTools' Saleh adds. And in a blog posted earlier this week, Red Canary says to watch for the use of the Windows Backup Administration Tool wbadmin.exe to delete system backups. Other signs of ransomware include manipulation of vssadmin.exe to hinder recovery from backups and processes making hundreds of file modification operations on files with the string readme in them.
Watch for emails that come in with strange domain names that have never been in the company's environment, Awake's Bevis advises. Analysis tools let you look for every new domain that has come through the network in the past seven days. It's possible to filter out known good and bad domains, such as those with a good reputation. These tools can also look at what was downloaded and determine what might seem unusual.
Peter Mackenzie, an incident response manager at Sophos, says attackers typically start by gaining access to one machine, where they search for information and ask questions that everyday users wouldn't normally pose -- for example, "Is this a Mac or Windows machine?" "What's the domain and company name?" "What kind of admin rights does the computer have?"
Next, attackers will want to try to find out what else is on the network and what they can access. In most circumstances, they will try to use a network scanner, such as Angry IP or Advanced Port Scanner. If you detect unusual activity and no one on the admin staff was using the scanner for normal corporate use, Mackenzie says it's time to investigate.
Once attackers have admin rights, they will try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IObit Uninstaller, GMER, and PC Hunter. These types of tools are legitimate, but if a specific tool is showing up on a system for which it's not assigned, then something is wrong.
Any detection of Mimikatz (used in NotPetya) should get investigated, Sophos' Mackenzie adds. If no one on your security team confirms using it, that's a red flag because Mimikatz has become one of the most commonly used hacking tools for credential theft.
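The host-side indicators above, wbadmin.exe and vssadmin.exe used to delete backups and shadow copies, bursts of modifications to files named readme, and network scanners, forced-removal tools and Mimikatz appearing on systems they are not assigned to, all come down to rules over process-creation and file events. The code below is an added example, not from the article, Red Canary or Sophos; the events are constructed, the executable names in the watchlist and the per-host approval list are assumptions, and the threshold of 100 readme modifications follows the article's "hundreds".

```python
"""Flag backup tampering, unapproved admin tools and ransom-note write bursts
from constructed Windows process-creation and file-modification events."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Command-line patterns for deleting backups and shadow copies.
BACKUP_TAMPERING = [
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
]

# Assumed executable names for the tools the article mentions; a production
# rule would also match on file hash or code-signing identity.
WATCHLIST = {
    "ipscan.exe": "network scanner (Angry IP Scanner)",
    "advanced_port_scanner.exe": "network scanner",
    "processhacker.exe": "forced-removal / process tool",
    "gmer.exe": "forced-removal / process tool",
    "pchunter64.exe": "forced-removal / process tool",
}
CREDENTIAL_THEFT = {"mimikatz.exe"}

# Assumed assignments: hosts on which a given tool is expected to appear.
APPROVED = {("ws-it-03", "advanced_port_scanner.exe"), ("ws-it-03", "ipscan.exe")}


def check_process(event):
    """Return an alert dict for one process-creation event, or None."""
    name = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    base = {"host": event["host"], "user": event["user"], "image": event["image"]}
    if any(p.search(cmd) for p in BACKUP_TAMPERING):
        return {"type": "backup_tampering", "cmdline": cmd, **base}
    if name in CREDENTIAL_THEFT or "mimikatz" in cmd.lower():
        return {"type": "credential_theft_tool", **base}
    if name in WATCHLIST and (event["host"], name) not in APPROVED:
        return {"type": "unapproved_tool", "category": WATCHLIST[name], **base}
    return None


def check_processes(events):
    return [a for a in (check_process(e) for e in events) if a]


def readme_modification_bursts(file_events, threshold=100):
    """Processes that modified at least `threshold` files whose path contains
    'readme' (ransom notes are typically written into every directory)."""
    counts = Counter()
    for e in file_events:
        if "readme" in e["target"].lower():
            counts[(e["host"], e["image"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed process-creation events.
PROCESS_EVENTS = [
    {"host": "fs01", "user": r"CORP\svc-backup", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "fs01", "user": r"CORP\svc-backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws-it-03", "user": r"CORP\netadmin", "image": r"C:\Tools\Advanced_Port_Scanner.exe",
     "cmdline": "Advanced_Port_Scanner.exe"},            # approved on this host
    {"host": "ws-hr-11", "user": r"CORP\kbrown", "image": r"C:\Users\kbrown\Downloads\Advanced_Port_Scanner.exe",
     "cmdline": "Advanced_Port_Scanner.exe"},            # not approved here
    {"host": "ws-hr-11", "user": r"CORP\kbrown", "image": r"C:\Temp\ProcessHacker.exe",
     "cmdline": "ProcessHacker.exe"},
    {"host": "fs01", "user": r"CORP\svc-backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                 # benign use
    {"host": "dc01", "user": r"CORP\administrator", "image": r"C:\Temp\mimikatz.exe",
     "cmdline": "mimikatz.exe"},
    {"host": "ws-dev-02", "user": r"CORP\alee", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Constructed file-modification events: 120 README.txt writes by one process.
FILE_EVENTS = (
    [{"host": "ws-hr-11", "image": r"C:\Users\kbrown\AppData\Local\Temp\upd.exe",
      "target": rf"\\fs01\share\dept{i // 10}\folder{i}\README.txt"} for i in range(120)]
    + [{"host": "ws-hr-11", "image": r"C:\Windows\explorer.exe",
        "target": rf"C:\Users\kbrown\Documents\readme{i}.md"} for i in range(3)]
)

if __name__ == "__main__":
    for alert in check_processes(PROCESS_EVENTS):
        print(alert)
    print(readme_modification_bursts(FILE_EVENTS))
```

The approval list is what turns a noisy "dual-use tool seen" rule into the check Mackenzie describes: the same scanner is silent on the IT workstation it belongs to and alerts on the HR workstation where it has no business being.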
Be on the lookout for anomalous time stamps on VPN connections, says Saleh of DomainTools. If the organization has normal levels of traffic between 9 a.m. and 5 p.m. PT, and then all of a sudden there's traffic with IP addresses from Russia or Mozambique at 2 a.m., that should set off warning signs. You also need to figure out what attackers are trying to access. In addition, watch out for bad reboots on VPN concentrators, CI Security's Hamilton says.
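Saleh's VPN example, normal traffic between 9 a.m. and 5 p.m. PT and then a connection from Russia or Mozambique at 2 a.m., is a combination of two checks: time of day relative to business hours and source country relative to where the workforce actually is. The code below is an added example, not from the article or DomainTools; the connection records are constructed, the country column stands in for a GeoIP lookup, the expected-country set is an assumption, and Pacific time is modelled as a fixed UTC-7 (PDT) offset so the snippet has no time-zone database dependency.

```python
"""Flag VPN connections outside business hours or from unexpected countries.

Constructed sample lines (not real VPN logs), pipe-delimited:
    timestamp_with_offset|user|source_ip|country
"""
from datetime import datetime, time, timedelta, timezone

# Assumptions: business hours 9-17 Pacific (fixed PDT offset), and a set of
# countries the workforce is expected to connect from.
PACIFIC = timezone(timedelta(hours=-7), "PDT")
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
EXPECTED_COUNTRIES = {"US"}

VPN_LOG = """\
2020-06-01T16:30:00+00:00|jsmith|203.0.113.5|US
2020-06-02T09:05:00+00:00|jsmith|198.51.100.77|RU
2020-06-01T20:00:00+00:00|mlee|192.0.2.10|MZ
2020-06-02T05:00:00+00:00|mlee|203.0.113.9|US
"""


def parse(text):
    conns = []
    for line in text.strip().splitlines():
        ts, user, ip, country = line.split("|")
        conns.append({"time": datetime.fromisoformat(ts), "user": user,
                      "source_ip": ip, "country": country})
    return conns


def reasons_for(conn):
    """Return (local Pacific time, list of reasons this connection is odd)."""
    local = conn["time"].astimezone(PACIFIC)
    reasons = []
    in_hours = BUSINESS_START <= local.time() < BUSINESS_END
    if not in_hours or local.weekday() >= 5:     # weekends count as off-hours
        reasons.append("off_hours")
    if conn["country"] not in EXPECTED_COUNTRIES:
        reasons.append("unexpected_country")
    return local, reasons


def analyze(conns):
    """One alert per anomalous connection; both reasons together rate 'high'."""
    alerts = []
    for c in conns:
        local, reasons = reasons_for(c)
        if reasons:
            alerts.append({"user": c["user"], "source_ip": c["source_ip"],
                           "country": c["country"], "local_time": local.isoformat(),
                           "reasons": reasons,
                           "severity": "high" if len(reasons) == 2 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse(VPN_LOG)):
        print(alert)
```

Converting to the organisation's local zone before comparing against business hours matters: the fourth record looks like a 5 a.m. connection in UTC but is a 10 p.m. Monday connection in Pacific time, which is what the rule should judge.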
Normal network traffic should never get redirected to a TOR site, DomainTools' Saleh says. The average user probably doesn't know what that is in the first place, he says, let alone would have any business on a TOR network. Also watch out for unusual DNS requests. If the requests are heading back to known malware sites, that's potentially a problem and the network could get infected.
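The DNS advice from Bevis (every domain first seen in the past seven days, with known good and bad domains filtered out) and from Saleh (lookups that point at Tor or at known malware sites) can be implemented as a single triage pass over a resolver log. The code below is an added example, not from the article, Awake or DomainTools; the query lines, the first-seen baseline and the known-good and known-bad lists are all constructed, and reducing a query name to its last two labels is a simplification of what the public suffix list would do.

```python
"""Triage DNS query logs for known-bad, Tor and never-before-seen domains.

Constructed sample lines (not real resolver logs), pipe-delimited:
    timestamp|client_ip|query_name
"""
from datetime import date, timedelta

# Constructed baseline: registrable domain -> date first seen on this network.
BASELINE_FIRST_SEEN = {
    "example.com": date(2019, 3, 1),
    "example.net": date(2019, 11, 12),
    "example.org": date(2020, 1, 5),
    "recent-example.test": date(2020, 6, 6),
}
KNOWN_GOOD = {"example.com"}            # reputation allowlist (constructed)
KNOWN_BAD = {"bad-example.test"}        # stand-in for a threat feed (constructed)
NEW_DOMAIN_WINDOW = timedelta(days=7)   # "in the past seven days"

DNS_LOG = """\
2020-06-08T10:00:00|10.20.4.7|www.example.com
2020-06-08T10:00:05|10.20.4.7|cdn.example.net
2020-06-08T10:01:00|10.20.4.7|update.bad-example.test
2020-06-08T10:02:00|10.20.4.7|abcdefghijklmnop.onion
2020-06-08T10:03:00|10.20.4.9|files.newdomain-example.test
2020-06-08T10:03:30|10.20.4.9|api.recent-example.test
2020-06-08T10:04:00|10.20.4.9|mail.example.org
"""


def registrable_domain(qname):
    # Simplification (assumption): the last two labels. A real rule would
    # consult the public suffix list so that names under e.g. co.uk work.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(qname, today):
    """Return (category, domain). Categories are checked in priority order."""
    dom = registrable_domain(qname)
    if dom in KNOWN_BAD:
        return "known_bad", dom
    if qname.lower().rstrip(".").endswith(".onion"):   # Tor hidden-service name
        return "tor", qname.lower()
    if dom in KNOWN_GOOD:
        return "known_good", dom
    first = BASELINE_FIRST_SEEN.get(dom)
    if first is None or today - first <= NEW_DOMAIN_WINDOW:
        return "new_domain", dom
    return "seen", dom


def triage(text, today):
    """Bucket the queries worth an analyst's time, with the client that made them."""
    buckets = {"known_bad": set(), "tor": set(), "new_domain": set()}
    for line in text.strip().splitlines():
        _ts, client, qname = line.split("|")
        category, dom = classify(qname, today)
        if category in buckets:
            buckets[category].add((dom, client))
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for category, hits in triage(DNS_LOG, date(2020, 6, 8)).items():
        print(category, hits)
```

Keeping the client IP with each hit is deliberate: a new domain queried by one workstation is an investigation lead, while the same domain queried by every host at once usually means a legitimate software update.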