Ransomware attacks have become increasingly prevalent in recent years, causing widespread damage and significant financial losses to individuals and organisations. One of the biggest challenges for network administrators is that the encryption stage of a ransomware attack arrives with little warning. The intrusion that precedes it usually does not: attackers typically spend days or weeks inside a network stealing credentials, moving laterally and locating backups before they deploy the encryptor, and that activity leaves traces. There are therefore certain events and weaknesses we can monitor to reduce the likelihood of an attack, detect one earlier, or stop it spreading.
Phishing is a common delivery method for ransomware. Emails carrying a malicious attachment, or a link to one, are sent to unsuspecting recipients who open it and inadvertently start the infection. To counter this, organisations should use email filtering that flags or quarantines suspicious messages and tells administrators why a message was flagged. Blocking executable attachments (.exe, .scr, .js, .vbs, .hta and similar) outright is a sensible default; archives need more care, because .zip attachments are common in legitimate mail, so the filter should open them and flag archives that contain executables, double-extension names such as invoice.pdf.exe, or password-protected members it cannot scan. Macro-enabled Office documents from external senders deserve the same scrutiny. Organisations should also monitor business email accounts, especially those of privileged users, for signs of compromise such as new forwarding rules or logins from unfamiliar locations, since a hijacked internal mailbox is a far more convincing sender for the next round of phishing.
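The attachment checks described above, written out as an added example that is not from the original article. It parses a mail message, classifies each attachment by extension, opens zip archives to inspect their members, and flags double extensions and password-protected members. The extension lists are an assumed policy, and the sample message (a zip whose only member is invoice.pdf.exe, plus a harmless PDF) is constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune them to your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".msi", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}   # Office formats that carry VBA


def classify_filename(name):
    """Return the reasons a file name is suspicious (empty list if none)."""
    suffixes = PurePosixPath(name.lower()).suffixes
    if not suffixes:
        return []
    reasons = []
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension {last}")
        if len(suffixes) >= 2:   # invoice.pdf.exe: the classic double-extension lure
            reasons.append(f"double extension {''.join(suffixes[-2:])}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {last}")
    return reasons


def inspect_attachment(filename, payload):
    """Check one attachment; for zip archives, look at the members as well."""
    findings = [(filename, r) for r in classify_filename(filename)]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    member = f"{filename}:{info.filename}"
                    if info.flag_bits & 0x1:   # encrypted member: the scanner cannot see inside
                        findings.append((member, "password-protected archive member"))
                    findings += [(member, r) for r in classify_filename(info.filename)]
        except zipfile.BadZipFile:
            findings.append((filename, "claims to be a zip but is not a valid archive"))
    return findings


def triage_message(raw_bytes):
    """Parse an RFC 5322 message and return (attachment, reason) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings += inspect_attachment(name, part.get_payload(decode=True))
    return findings


def build_sample_message():
    """Constructed phishing-style mail: a zip whose only member is invoice.pdf.exe,
    plus a harmless PDF. Not a real sample."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, reason in triage_message(build_sample_message()):
        print(f"FLAG {attachment}: {reason}")
```

The outer file name alone (invoice.zip) produces no finding, which is the point: a filter that only looks at the attachment's own extension would pass this message through. Nested archives and other container formats (.7z, .iso, .rar) would need their own unpackers, and anything the filter cannot open should be quarantined rather than allowed through.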
Unpatched Operating Systems and Software
It is crucially important that all software is patched as soon as a fix is available. Attackers routinely exploit known vulnerabilities in unpatched systems, and internet-facing systems such as VPN gateways, firewalls and remote-access servers are the ones they scan for first. Organisations should use an automated patch management solution that detects missing patches and installs them promptly, prioritising vulnerabilities that are known to be exploited in the wild, and should verify that the patch actually took effect (many require a reboot that gets postponed indefinitely).
Events that Match a Threshold Condition
Sophisticated real-time auditing solutions can detect and respond to events that match a pre-defined threshold condition: for example, a number of failed logon attempts from one source within a short period, or a large number of files modified or renamed by one account within a given time frame. A rule like this will not stop ransomware from being launched, but an automated response (disabling the account, isolating the host) can stop the encryption spreading beyond the first machine and reduce the need to restore everything from backup. Thresholds need tuning against normal activity: backup jobs, build servers and bulk file migrations also touch thousands of files in minutes.
Remote Access Using RDP
Microsoft's Remote Desktop Protocol (RDP) is one of the most common entry points for ransomware, especially since more employees started working from home. Attackers scan the internet for exposed RDP services (TCP port 3389 by default, though moving the port hides nothing from a full port scan) using freely available port scanners, then try to get in with stolen credentials or by brute force. The first control is not to expose RDP to the internet at all: put it behind a VPN or a remote desktop gateway, require multi-factor authentication, and enable Network Level Authentication and account lockout. On top of that, organisations should use a real-time auditing solution that monitors the state of the RDP service, detects and responds to repeated failed logons (Windows security event 4625 with logon type 10) and to a success that follows them from the same source, and raises an alert when backups or volume shadow copies are deleted.
The Presence of Mimikatz
Mimikatz is a widely used credential-theft tool. It reads the memory of the Windows Local Security Authority process (LSASS), where single sign-on keeps the secrets of logged-on users, and extracts password hashes, Kerberos tickets and, where the WDigest provider is still enabled, plaintext passwords. Credential-stealing code derived from it was used in the NotPetya and Bad Rabbit attacks to spread across networks. Anti-virus products detect the stock binary, but recompiled, obfuscated or memory-only variants frequently get past them, so detection should not rest on signatures alone: alert on processes that open a handle to lsass.exe, which very few legitimate programs do. Organisations can limit the damage by granting admin privileges only to users who need them (Mimikatz needs local administrator or SYSTEM rights to read LSASS), by never using domain admin accounts for routine logons to workstations, by enabling LSA protection and Credential Guard where supported and making sure WDigest is disabled, and by monitoring user behaviour for deviations from its usual pattern, whether with machine learning models that learn typical usage or with simpler baselines.
Test Ransomware Attacks
Attackers often run a test deployment of their ransomware on a small number of machines to confirm that it executes and is not blocked before they launch it across the estate. If the test fails, they try another build or another delivery method. Small clusters of encrypted files or an unexplained new file extension on one or two hosts, alongside precursor activity such as the deletion of volume shadow copies (vssadmin delete shadows) or the disabling of security tools, should be treated as an active intrusion rather than an isolated incident; a real-time auditing solution that alerts on these events gives the organisation a chance to respond before the full deployment.
Inactive User Accounts
Organisations should use real-time auditing solutions to detect and disable inactive user accounts, including those of leavers and of contractors whose engagements have ended. These accounts are valuable to attackers: they are rarely watched, their passwords are often old and may already appear in a breach dump, and nobody notices when they are used. Disabling accounts that have not logged on for a defined period (90 days is a common cut-off), removing them from privileged groups and reviewing service accounts on the same schedule closes this route into the network.
While the encryption itself comes with little warning, the intrusion that precedes it leaves signs, and organisations can take proactive measures to minimise the likelihood of an attack, detect it earlier, or prevent it from spreading.
Here’s a quick check-list to keep your systems safe:
- Keep your operating system and software up to date: vendors release updates to patch known vulnerabilities that attackers exploit, and a system left unpatched is exposed to exploits that are already public. Apply updates promptly, and do not forget the devices that are easy to overlook: VPN appliances, firewalls, hypervisors and network-attached storage.
- Use reputable antivirus or endpoint protection software: it detects and blocks known malware and, in its better forms, the behaviour of an encryptor (rapid modification of many files, shadow copy deletion). Not all products are equal, so choose one with dedicated ransomware protection, keep it updated, and treat it as one layer rather than the only one; attackers test their payloads against common products before deploying them.
- Use a virtual private network (VPN) on untrusted networks: a VPN encrypts your traffic between the device and the VPN gateway, which protects login credentials and other data from interception on public Wi-Fi. Be clear about what it does not do: it offers no protection against a phishing attachment opened on the device, and an unpatched VPN gateway is itself a favourite entry point for ransomware groups, so patch it like any other internet-facing system.
- Use caution when opening emails and attachments: phishing emails trick you into opening an attachment or link that delivers the ransomware payload. Be wary of unexpected attachments, especially from unknown senders, and of urgent requests, offers that are too good to be true and grammatical errors; remember that a message from a colleague's real address can still be phishing if that mailbox has been compromised. When in doubt, verify through a separate channel before opening.
- Disable macros in Microsoft Office files: macros are small programs embedded in Office documents to automate tasks such as formatting and calculations, and they have long been used to download and run ransomware. Current versions of Office block macros in files downloaded from the internet by default; do not override that block, and use Group Policy to disable macros entirely, or to allow only digitally signed ones, for users who do not need them.
- Back up your data regularly: with a good backup you can restore your data without paying the ransom. Ransomware operators delete or encrypt any backup they can reach, so keep at least one copy offline or on storage that cannot be modified from the network (an external drive that is disconnected after each backup, or immutable cloud storage), keep backup credentials separate from everyday admin accounts, and test restores regularly; a backup that has never been restored is an assumption, not a backup.
Ransomware attacks can cause significant damage to your business and personal life. However, by following the measures outlined in this article, you can reduce the risk of an attack and limit its consequences. Remember to keep your system and software up to date, use reputable antivirus software, use a VPN on untrusted networks, use caution when opening emails and attachments, disable macros in Microsoft Office files, and back up your data regularly to storage the attacker cannot reach.