Ransomware: These warning signs may indicate that you are already under attack
There are as many as 100 claims to insurers about ransomware attacks every day, according to one estimate. And because the average ransomware attack can take anywhere from 60 to 120 days to move from the initial security breach to the delivery of the actual ransomware, that means hundreds of companies could have hackers hiding in their networks at any given time, ready to unleash file-encrypting malware across the network.

So what are the early indicators that can help companies spot a ransomware attack before it causes too much damage? And what should they do if they discover an attack is underway?

The encryption of files by ransomware is the last thing that happens; before that, the crooks will spend weeks, or longer, exploring the network to discover weaknesses. One of the most common routes for ransomware gangs to make their way into corporate networks is through Remote Desktop Protocol (RDP) links left open to the Internet.

SEE: VPN: Choosing a Provider and Troubleshooting Tips (Free PDF) (TechRepublic)

“Look at your environment and understand what your RDP exposure is, and make sure you have two-factor authentication on those links or have them behind a VPN,” said Jared Phipps, VP at security firm SentinelOne.

Coronavirus lockdowns mean more staff are working from home, so more companies have opened up RDP links to make remote access easier. This is giving ransomware gangs an opening, Phipps said, so scanning your Internet-facing systems for open RDP ports is a first step.

Another warning sign could be unexpected software tools appearing on the network. Attackers can start by controlling just one PC on a network, often via a phishing email (indeed, a rash of phishing emails can itself be an indicator of an attack, and if staff are trained to spot them, this can provide an early warning). With this toe-hold in the network, hackers will explore from there to see what else they can find to attack. That means using network scanners, such as AngryIP or Advanced Port Scanner. If these are discovered on the network, it's time to check in with your security team. If no one acknowledges using the scanner, it's time to investigate, said Sophos, which outlined some of the signs that a ransomware attack could be underway in a recent blog post. Another red flag is any detection of Mimikatz, one of the tools most commonly used by hackers, along with Microsoft Process Explorer, in their attempts to steal passwords and credentials.

Once they have access to the network, ransomware gangs will often try to extend their reach by creating administrator accounts for themselves, for example in Active Directory, and using that extra power to disable security software with applications designed to help with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter, Sophos said. "These types of commercial tools are legitimate, but in the wrong hands, security teams and admins have to question why they suddenly appeared," the security company said.
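The two preceding paragraphs describe the same detection idea from two angles: a known dual-use tool (a network scanner, Mimikatz, Process Explorer, or a forced-uninstall utility) appearing on a machine where nobody has documented a reason for it. The script below is an added example, not code from the article, Sophos or SentinelOne. It runs that check over a handful of constructed process-creation records (the shape loosely follows Sysmon Event ID 1 / Windows 4688 fields, but the records themselves are made up), matches executable names against the tool families the article names, skips hosts where the security team has recorded approved use, and ranks hosts by how many distinct families ran on them. The executable-name substrings and the allowlist are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 / Windows 4688 style).
# These are made up for the example; they are not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2020-08-04T09:12:01", "host": "WS-114", "user": "CORP\\jsmith",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2020-08-04T09:40:17", "host": "WS-114", "user": "CORP\\jsmith",
     "image": r"C:\Users\jsmith\Downloads\ipscan-3.7.2.exe"},
    {"ts": "2020-08-04T10:02:45", "host": "WS-114", "user": "CORP\\jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\mimikatz.exe"},
    {"ts": "2020-08-04T10:30:00", "host": "SEC-ADMIN-01", "user": "CORP\\secops",
     "image": r"C:\Tools\Advanced_Port_Scanner_2.5.exe"},
    {"ts": "2020-08-04T11:15:09", "host": "SRV-FILE-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2020-08-04T13:48:33", "host": "WS-203", "user": "CORP\\mcole",
     "image": r"C:\Tools\ProcessHacker.exe"},
    {"ts": "2020-08-04T14:05:51", "host": "WS-114", "user": "CORP\\jsmith",
     "image": r"C:\Tools\procexp64.exe"},
]

# Tool families the article names, keyed by lowercase substrings of the executable's
# file name. The substrings are assumptions about how these tools are usually named.
TOOL_SIGNATURES = {
    "network scanner": ("ipscan", "advanced_port_scanner", "advanced port scanner"),
    "credential theft": ("mimikatz",),
    "process inspection": ("procexp",),
    "security-software removal": ("processhacker", "iobituninstaller", "gmer", "pchunter"),
}

# Hypothetical allowlist: (host, family) pairs where the security team has documented use.
APPROVED_USE = {("SEC-ADMIN-01", "network scanner")}


def classify(image):
    """Return the tool family for an executable path, or None if it matches nothing.

    Only the file name is matched, so directory names cannot cause false hits."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for family, needles in TOOL_SIGNATURES.items():
        if any(needle in name for needle in needles):
            return family
    return None


def find_unexpected_tools(events, approved=APPROVED_USE):
    """Flag every run of a listed tool that the allowlist does not cover."""
    alerts = []
    for ev in events:
        family = classify(ev["image"])
        if family is None or (ev["host"], family) in approved:
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "family": family, "image": ev["image"]})
    return alerts


def rank_hosts(alerts):
    """Group alerts by host, most distinct tool families first.

    A single scanner may be an admin's shortcut; a scanner plus a credential
    dumper on the same workstation is the pattern the article describes."""
    families = defaultdict(set)
    for alert in alerts:
        families[alert["host"]].add(alert["family"])
    ordered = sorted(families.items(), key=lambda kv: -len(kv[1]))
    return {host: sorted(fams) for host, fams in ordered}


if __name__ == "__main__":
    found = find_unexpected_tools(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["ts"]} {alert["host"]:12} {alert["user"]:22} '
              f'{alert["family"]:26} {alert["image"]}')
    for host, fams in rank_hosts(found).items():
        print(f"{host}: {', '.join(fams)}")
```

In practice the allowlist would come from the ticketing or change system the article mentions, and the match would use a hash or signer check rather than a file name, since renaming a binary defeats name matching; the point here is the workflow of "tool seen, no documented owner, escalate".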

To stop this from happening, companies need to look for accounts created outside of their ticketing or account management system, Phipps of SentinelOne said. Once the attackers have gained administrative powers, they try to spread further across the network, using PowerShell.
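Phipps' advice above, reconciling account changes against the ticketing system, is straightforward to automate. The script below is an added example, not the article's or SentinelOne's code. It takes constructed Windows Security log records (event ID 4720, a user account was created, and 4728, a member was added to a security-enabled global group; both are standard IDs, but the records here are invented) and a constructed export from a hypothetical ticketing system, and reports any account creation or group addition that no ticket authorises within its time window, with privileged-group additions called out separately. The ticket format, the one-hour grace period and the privileged-group list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows Security log records (sample data, not real logs).
# 4720 = a user account was created; 4728 = member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"id": 4720, "ts": "2020-08-03T10:05:12", "subject": "CORP\\helpdesk01", "target": "a.jones"},
    {"id": 4720, "ts": "2020-08-04T02:14:37", "subject": "CORP\\jsmith", "target": "svc_backup2"},
    {"id": 4728, "ts": "2020-08-04T02:16:02", "subject": "CORP\\jsmith", "target": "svc_backup2",
     "group": "Domain Admins"},
    {"id": 4720, "ts": "2020-08-04T15:40:55", "subject": "CORP\\helpdesk01", "target": "b.lee"},
    {"id": 4728, "ts": "2020-08-04T15:42:10", "subject": "CORP\\helpdesk01", "target": "b.lee",
     "group": "Sales-Staff"},
]

# Constructed export from a hypothetical ticketing system: each row is one approved change.
# "group": None means the ticket approves creating the account itself.
SAMPLE_TICKETS = [
    {"ticket": "T-1001", "account": "a.jones", "group": None,
     "opened": "2020-08-03T09:30:00", "closed": "2020-08-03T11:00:00"},
    {"ticket": "T-1002", "account": "b.lee", "group": None,
     "opened": "2020-08-04T14:00:00", "closed": "2020-08-04T16:00:00"},
    {"ticket": "T-1002", "account": "b.lee", "group": "Sales-Staff",
     "opened": "2020-08-04T14:00:00", "closed": "2020-08-04T16:00:00"},
]

# Groups whose membership changes always deserve a look (assumed list for the example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Slack around the ticket window so a change made just before or after it still matches.
GRACE = timedelta(hours=1)


def _parse(ts):
    return datetime.fromisoformat(ts)


def ticket_for(event, tickets):
    """Return the ticket number that authorises this event, or None if nothing matches."""
    when = _parse(event["ts"])
    for tk in tickets:
        if tk["account"].lower() != event["target"].lower():
            continue
        if tk["group"] != event.get("group"):
            continue
        if _parse(tk["opened"]) - GRACE <= when <= _parse(tk["closed"]) + GRACE:
            return tk["ticket"]
    return None


def reconcile(events, tickets):
    """Compare account events against tickets and return three lists of findings."""
    findings = {"unticketed_creations": [], "unticketed_group_adds": [], "privileged_group_adds": []}
    for ev in events:
        ref = ticket_for(ev, tickets)
        record = {"ts": ev["ts"], "subject": ev["subject"], "target": ev["target"],
                  "group": ev.get("group"), "ticket": ref}
        if ev["id"] == 4720 and ref is None:
            findings["unticketed_creations"].append(record)
        elif ev["id"] == 4728:
            if ref is None:
                findings["unticketed_group_adds"].append(record)
            # Privileged additions are reported even when ticketed, so a reviewer sees them.
            if ev["group"] in PRIVILEGED_GROUPS:
                findings["privileged_group_adds"].append(record)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_EVENTS, SAMPLE_TICKETS).items():
        print(kind)
        for rec in items:
            print(f'  {rec["ts"]} {rec["subject"]} -> {rec["target"]} '
                  f'{rec["group"] or ""} (ticket: {rec["ticket"]})')
```

Matching on account name plus a time window is deliberate: a ticket that was closed days earlier should not cover an account that appears at 2 a.m. under an unrelated admin's name, which is exactly the case the sample data contains.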

The whole project can run for weeks, and maybe even months, for the ransomware gangs. This is partly because the slower they move through the network, the harder they are to spot. And many security tools only retain records of network traffic for a certain amount of time, which means that if the hackers hold off for a while, it becomes much harder for security teams to figure out how they got into the system in the first place.

"It's like a flight data recorder: if you wait long enough, it records over the attack and there's no evidence of how they got in," Phipps said. "It makes it harder for people to find out and do the research because none of the security tools they have show the entry data."

There are also some clear signs that a ransomware attack is nearing its final stage. The attackers will try to disable Active Directory and domain controllers, corrupt any backups they can find, and disable any software deployment systems that could be used to push patches or updates. "And then they'll hit you with the attack," Phipps said.

Sophos also notes that at this point the gang may try to encrypt a few devices to see if their plan will work: "This will show their hand, and attackers will know their time is limited now."

SEE: Ransomware: How clicking on one email left an entire company in big trouble

So how can the attackers be stopped once they are in? According to Phipps, the most important thing is to gain control over the RDP sessions, because that shuts the attackers out and cuts off their command-and-control access. Other steps, such as forcing a password change on core systems, may be useful, but if hackers can use RDP to get back into the network, steps like that will be undermined. It is also important to check for unexpected admin accounts that appear, and companies should monitor or restrict PowerShell usage.

How can you make your organization a harder, and therefore less attractive, target for ransomware gangs to consider? Patching software and keeping it up to date is key here; many ransomware attacks rely on software flaws to work, but most of these flaws have long been fixed by software companies, so you just need to apply the patches. For email-borne ransomware attacks, training staff not to click on random links, and combining strong passwords with two-factor authentication across as many systems as possible, will also help limit or slow down attackers.