File-encrypting ransomware attacks can take months of planning by cybercriminal gangs. Here’s what to look out for.

According to one estimate, every day as many as 100 businesses make claims to insurers for ransomware attacks. And the time from the initial security breach to the delivery of the ransomware averages between 60 and 120 days. In other words, at any given moment hackers could be hiding in the networks of literally hundreds of companies, just waiting to trigger network-encrypting malware.

But are there any early indicators companies can detect before the ransomware attack happens? And if they discover an attack in progress, what’s the next step?

After all, the encryption of files is the last thing that happens in a ransomware attack.

So, there’s time to detect the criminals as they’re spending weeks or months looking around the network, investigating the weak spots.

Firstly, a popular way criminal gangs gain access to corporate networks is via Remote Desktop Protocol (RDP) links left open to the internet. Jared Phipps, VP at security company SentinelOne, explains that the cybercriminals check the company environment to see if its “RDP is exposed”, whether there’s two-factor authentication on those links, and whether they sit behind a VPN.

Since the coronavirus pandemic, more staff are working from home and have stayed working from home even where restrictions have lifted. To make remote access easier, more companies have opened up RDP links. That gives cybercriminal gangs an opening, and they take it.

So, a first step is scanning your internet-facing systems for open RDP ports.

Secondly, an early indicator can be unexpected software tools appearing on the network. Having taken control of one PC via a phishing email, hackers explore the network looking for weaknesses and for what else they can attack. A sudden wave of phishing emails can itself be a sign that an attack is starting; staff need training to recognise and report them so the alarm is raised.

So, another step is to check with your security team whether network scanners, such as Angry IP Scanner or Advanced Port Scanner, have been detected on the network.

Security company Sophos, in a recent blog post, lists several further signs that a ransomware attack could be under way.

Thirdly, another sign according to Sophos is any detection of Mimikatz or Microsoft Process Explorer, which attackers use to steal passwords and login details.

Most important to remember is that once the ransomware gang gains entry, they will try to create admin accounts for themselves, e.g. in Active Directory. They then use their new power to start disabling security software, using applications built to force the removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter. As Sophos says, “These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared.”

So, to stop this from happening, continually look for company accounts that were created outside your ticketing system or account management system.

Once the hackers have admin access, they can spread far and wide across the network using PowerShell.

To clarify, ransomware gangs take their time to take over as much of a company network as possible. That’s why it can take weeks or even months before the ransomware is executed and the demand arrives. And the slower they go, the less they get noticed.

It also becomes much harder for security teams to work out how the hackers got in in the first place, as many security tools only retain network traffic records for a limited time. By waiting, the attackers ensure the evidence of their entry gets overwritten. That makes the intrusion hard to investigate, because the “security tools they have show no data on entry,” Phipps said.

In addition, when the attack is close to being executed, there are some clear warning signs. The ransomware attackers:

  1. attempt to disable Active Directory
  2. attempt to disable domain controllers
  3. corrupt any backups they can find
  4. disable any software deployment systems that could be used to push patches or updates


And then they execute their attack!

A gang might decide to encrypt a few devices to test out if their plan will work. “This will show their hand, and attackers will know their time is now limited,” says Sophos.

What do you do to stop the attack now the gang is in?

So, the most important thing is to get control of the RDP sessions.

Getting control of the RDP sessions is key, as it stops the attackers getting back in and cuts off their command-and-control access.

Other steps include:

  • force a password change across core systems; this only helps if the hackers cannot simply use RDP to get back into the network
  • monitor for unexpected admin accounts appearing
  • consider monitoring or limiting PowerShell usage
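As an added example (not code from the article, SentinelOne or Sophos), the script below reconciles Windows Security events against the list of accounts that have a change ticket, flagging accounts or admin-group memberships created outside the ticketing system and the first appearance of the dual-use tools named above. The event IDs are real Windows ones; the event records, ticket list and tool filenames are constructed assumptions.

```python
"""Flag the warning signs the article lists: admin accounts created outside the
ticketing system, and dual-use tools suddenly appearing on hosts."""
from collections import namedtuple

# Real Windows Security event IDs: 4720 user account created; 4728/4732/4756 member
# added to a security-enabled global/local/universal group; 4688 process created.
ACCOUNT_CREATED = 4720
GROUP_ADD = {4728, 4732, 4756}
PROCESS_CREATED = 4688
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Tools the article names. Executable names are assumptions; adjust to your estate.
WATCHED_TOOLS = {"advanced_port_scanner.exe", "ipscan.exe", "mimikatz.exe",
                 "procexp.exe", "processhacker.exe", "gmer.exe", "pchunter.exe"}

Alert = namedtuple("Alert", "time kind subject host")

def find_warning_signs(events, approved_accounts):
    """events: dicts with time, id, host plus per-ID fields (target, group, image).
    approved_accounts: lower-case usernames that have a matching change ticket."""
    alerts = []
    for ev in events:
        if ev["id"] == ACCOUNT_CREATED and ev["target"].lower() not in approved_accounts:
            alerts.append(Alert(ev["time"], "account_outside_ticketing", ev["target"], ev["host"]))
        elif (ev["id"] in GROUP_ADD and ev["group"] in ADMIN_GROUPS
              and ev["target"].lower() not in approved_accounts):
            alerts.append(Alert(ev["time"], "unapproved_admin_membership",
                                f'{ev["target"]} -> {ev["group"]}', ev["host"]))
        elif ev["id"] == PROCESS_CREATED:
            # Compare only the executable name, whatever directory it was dropped in.
            exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in WATCHED_TOOLS:
                alerts.append(Alert(ev["time"], "watched_tool_started", exe, ev["host"]))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2020-09-01T02:14:00", "id": 4720, "host": "DC01", "target": "svc_backup2"},
    {"time": "2020-09-01T02:15:10", "id": 4728, "host": "DC01", "target": "svc_backup2", "group": "Domain Admins"},
    {"time": "2020-09-01T02:20:33", "id": 4688, "host": "FS02", "image": "C:\\Temp\\Advanced_Port_Scanner.exe"},
    {"time": "2020-09-01T09:00:00", "id": 4720, "host": "DC01", "target": "jsmith"},
    {"time": "2020-09-01T10:05:00", "id": 4688, "host": "WS17", "image": "C:\\Windows\\System32\\notepad.exe"},
]
# Only jsmith was requested through the help desk, so only jsmith is approved.
APPROVED = {"jsmith"}

if __name__ == "__main__":
    for a in find_warning_signs(SAMPLE_EVENTS, APPROVED):
        print(f"{a.time} {a.host} {a.kind}: {a.subject}")
```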

How can you make sure your organisation isn’t an easy target?

  • Keep software patched and up to date

(attacks often rely on software flaws, but most of these flaws have long been fixed by the software vendors – you just have to install the update)

  • Training staff is key for ransomware attacks that come via email.

(teach them what to look for and not to click on random links; combine this with strong passwords and two-factor authentication across as many systems as possible, which will help to deter or slow down attackers)

It’s just a matter of time before the ransomware gangs have tried infiltrating just about every business; as noted above, as many as 100 businesses a day are making claims to insurers.

If companies can get better at recognising the warning signs of an impending attack, there’s still time to stop it.