Ransomware: These warning signs may indicate you are under attack.
Ransomware: The file-encrypting payload is the last stage of an attack that the gang may have been preparing inside your network for months. That is what you need to watch for.
It's estimated that there are up to 100 ransomware attacks every day. And since the average attack takes 60 to 120 days from the initial breach to the actual deployment of the ransomware, hundreds of companies are unknowingly harboring attackers on their networks at any given time, with the crooks waiting for the right moment to trigger the encryption.
So what are the main indicators that can help a company spot a ransomware attack before it has done too much damage? And what should you do if you find one?
The file encryption is the final act of a ransomware attack. Before that, the crooks may have spent weeks or more probing the network. One of the most common ways ransomware gangs get into corporate networks is through Remote Desktop Protocol (RDP) services left open to the internet.
“Look at your environment and find out how exposed you are to RDP. Make sure to authenticate the connection with two factors or put it behind a VPN,” said Jared Phipps, vice president of security firm SentinelOne.
With the coronavirus lockdown, more employees are working from home, so more companies have opened up RDP connections to make remote access easier. That opens the door to ransomware gangs, Phipps says, so scanning your internet-facing systems for open RDP ports is the first step.
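One way to turn that first step into a repeatable check, as an added example that is not part of the original article or of SentinelOne's advice: run nmap with service detection against your public address ranges and parse its grepable output for RDP. The scan output below is constructed (addresses are from the RFC 5737 documentation range) in the shape that nmap -sV -oG writes; the parsing and the decision rule are the author's own. Matching on the fingerprinted service name, not just port 3389, catches RDP that has been moved to a non-standard port.

```python
"""Flag internet-facing hosts that expose RDP, from nmap grepable (-oG) output."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape `nmap -sV -oG - <range>` writes. Addresses
# are from the RFC 5737 documentation range, not real hosts.
SAMPLE_NMAP_OG = (
    "# Nmap 7.80 scan initiated Mon Jun  1 10:00:00 2020 as: nmap -sV -oG - 203.0.113.0/28\n"
    "Host: 203.0.113.5 ()\tStatus: Up\n"
    "Host: 203.0.113.5 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\n"
    "Host: 203.0.113.6 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n"
    "Host: 203.0.113.7 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///\n"
    "Host: 203.0.113.8 (vpn.example.net)\tPorts: 33890/open/tcp//ms-wbt-server///\n"
    "# Nmap done at Mon Jun  1 10:05:00 2020 -- 16 IP addresses (4 hosts up) scanned\n"
)

# "Host: <ip> (<hostname>)<TAB><fields...>"; fields are tab-separated.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [{port, state, proto, service}, ...]} from -oG text."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and anything unexpected
        ip, rest = m.group(1), m.group(3)
        ports = hosts.setdefault(ip, [])  # a host may appear on several lines
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue  # Status:, Ignored State:, OS: ... are not needed here
            for entry in field[len("Ports:"):].split(","):
                # port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                ports.append({"port": int(parts[0]), "state": parts[1],
                              "proto": parts[2], "service": parts[4]})
    return hosts


def exposed_rdp(hosts: Dict[str, List[dict]]) -> List[Tuple[str, int]]:
    """(ip, port) pairs with an open TCP port that is 3389 or fingerprinted as RDP.

    Filtered ports are skipped: a firewall is already in front of them.
    """
    hits = []
    for ip, ports in hosts.items():
        for p in ports:
            if p["state"] != "open" or p["proto"] != "tcp":
                continue
            if p["port"] == 3389 or p["service"] == "ms-wbt-server":
                hits.append((ip, p["port"]))
    return sorted(hits)


if __name__ == "__main__":
    for ip, port in exposed_rdp(parse_grepable(SAMPLE_NMAP_OG)):
        print(f"RDP exposed: {ip}:{port} (move behind VPN or an MFA gateway)")
```

Feed it a real scan with `nmap -sV -oG scan.gnmap <your public ranges>` and read the file into `parse_grepable`; anything it reports should either be closed or placed behind the VPN or two-factor gateway Phipps describes.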
Another warning sign is unfamiliar tools appearing unexpectedly on the network. Attackers may initially gain control of only one computer, perhaps via a phishing email (in fact, a spate of phishing emails can itself be an indicator of an attack, and if staff are trained to spot and report them, they can serve as an early warning). With that foothold, the hackers look around from there to see what else they can find to attack.
That usually means running a network scanner such as Angry IP Scanner or Advanced Port Scanner. If one of these turns up on the network, the security team should ask around; if nobody in-house admits to using the scanner, it's time to investigate, according to security firm Sophos, which highlighted the signs that a ransomware attack could be underway in a recent blog post.
Another red flag is the appearance of Mimikatz, one of the tools most commonly used by hackers, often alongside Microsoft Process Explorer, to steal passwords and credentials, Sophos said.
Once they have access to the network, ransomware gangs often try to extend their reach by creating administrator accounts for themselves, for example in Active Directory, and use this extra power to begin disabling security software. According to Sophos, applications such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter are used to help with the forced removal of security software. “These types of commercial tools are legitimate, but in the wrong hands, security teams and administrators must wonder why they suddenly showed up,” the security firm said.
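The three warning signs above (network scanners, Mimikatz and Process Explorer, and the tools used to rip out security software) all surface as process-creation events. The following is an added example of a detection written by this page's editor, not code from Sophos or SentinelOne. The records are constructed, in the shape of the Image, OriginalFileName, CommandLine, User and Computer fields of Sysmon Event ID 1; the executable names in the lookup table are illustrative assumptions that should be checked against your own software inventory. It matches on the PE OriginalFileName as well as the on-disk name, because renaming the binary is the first thing an attacker does, and on Mimikatz module strings in the command line for the case where Mimikatz runs in memory via PowerShell.

```python
"""Flag dual-use attacker tooling in process-creation telemetry (Sysmon-style records)."""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Executable name -> tool. Names are assumptions; verify against your inventory.
TOOL_BINARIES = {
    # network scanners used to look around after the initial foothold
    "ipscan.exe": "Angry IP Scanner",
    "advanced_port_scanner.exe": "Advanced Port Scanner",
    # credential theft
    "mimikatz.exe": "Mimikatz",
    "procexp.exe": "Process Explorer",
    "procexp64.exe": "Process Explorer",
    # forced removal of security software
    "processhacker.exe": "Process Hacker",
    "iobituninstaler.exe": "IObit Uninstaller",
    "gmer.exe": "GMER",
    "pchunter32.exe": "PC Hunter",
    "pchunter64.exe": "PC Hunter",
}

# Mimikatz module prefixes that appear on the command line when it is run
# in memory (e.g. Invoke-Mimikatz) rather than as a file on disk.
MIMIKATZ_COMMANDS = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::")

# Accounts that are expected to run the dual-use tools as part of admin work.
# Nothing excuses Mimikatz, so the allowlist never applies to it.
ALLOWLISTED_USERS = {"CORP\\it-admin"}

# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-05-18 22:03:11", "Computer": "WS-FIN-07", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\ipscan.exe", "OriginalFileName": "ipscan.exe",
     "CommandLine": "ipscan.exe -f:range 10.10.0.1 10.10.255.254"},
    {"UtcTime": "2020-05-18 22:40:52", "Computer": "WS-FIN-07", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "mimikatz.exe",
     "CommandLine": "svchost.exe"},
    {"UtcTime": "2020-05-18 22:41:30", "Computer": "WS-FIN-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -nop -w hidden Invoke-Mimikatz -Command "
                    "'\"privilege::debug\" \"sekurlsa::logonpasswords\"'"},
    {"UtcTime": "2020-05-19 08:15:00", "Computer": "ADMIN-WS-01", "User": "CORP\\it-admin",
     "Image": "C:\\Tools\\procexp64.exe", "OriginalFileName": "procexp.exe",
     "CommandLine": "procexp64.exe"},
    {"UtcTime": "2020-05-19 08:16:12", "Computer": "WS-HR-02", "User": "CORP\\asmith",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "OriginalFileName": "chrome.exe", "CommandLine": "chrome.exe"},
    {"UtcTime": "2020-05-19 02:07:45", "Computer": "SRV-FILE-01", "User": "CORP\\svc-backup",
     "Image": "C:\\ProgramData\\ph\\ProcessHacker.exe", "OriginalFileName": "ProcessHacker.exe",
     "CommandLine": "ProcessHacker.exe"},
]


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (tool, reason) when the event looks like one of the tools, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if image in TOOL_BINARIES:
        return TOOL_BINARIES[image], f"image name {image}"
    if original in TOOL_BINARIES:
        # Renamed on disk, but the PE version resource still names it.
        return TOOL_BINARIES[original], f"renamed binary, OriginalFileName {original}"
    for marker in MIMIKATZ_COMMANDS:
        if marker in cmdline:
            return "Mimikatz", f"command line contains {marker}"
    return None


def find_tooling(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Every matching event, minus dual-use tools run by allowlisted admins."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        tool, reason = hit
        if tool != "Mimikatz" and ev.get("User") in ALLOWLISTED_USERS:
            continue
        findings.append({"time": ev["UtcTime"], "host": ev["Computer"],
                         "user": ev["User"], "tool": tool, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_tooling(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']}: {f['tool']} ({f['reason']})")
```

A hit on a legitimate admin's workstation is a question to ask, as Sophos says; a hit for a finance user, or a Mimikatz OriginalFileName under a system process name, is an incident.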
To catch this, organizations should look for accounts created outside of their ticketing or account-management system, according to SentinelOne's Phipps. Once attackers have administrator rights, they'll try to spread further across the network, often using PowerShell.
The whole operation can take weeks or even months. That's partly deliberate: the slower attackers move through a network, the harder they are to detect. Many security tools only retain network logs for a limited period, so when the hackers linger, it's much harder for security teams to work out how they got in.
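Phipps's check, accounts that exist without a matching change ticket, can be automated by correlating the domain controller's Security log with an export from the ticketing system. The code below is an added example by this page's editor, not SentinelOne's, and its inputs are constructed: a list of approved changes, and Windows Security events 4720 (user account created) and 4728/4732 (member added to a global or local security-enabled group) reduced to the fields used here. On a real domain controller the 4732 member is reported as a SID that must be resolved first; the sample shows it already resolved. The example also widens the check to privileged-group additions, since creating the account is only half of what the article describes.

```python
"""Audit account creations and privileged-group additions against approved change tickets."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed ticketing-system export: which account each change approved and when.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "account": "m.garcia", "approved_at": "2020-05-18T09:00:00"},
]

# Constructed Security log records, simplified to the fields used here.
# 4720 = account created; 4728/4732 = member added to global/local group;
# 4624 = logon, included to show unrelated events are ignored.
SECURITY_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2020-05-18T09:14:03", "Computer": "DC01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "m.garcia"},
    {"EventID": 4624, "TimeCreated": "2020-05-18T17:30:00", "Computer": "DC01",
     "SubjectUserName": "-", "TargetUserName": "jdoe"},
    {"EventID": 4720, "TimeCreated": "2020-05-18T23:41:17", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup2"},
    {"EventID": 4728, "TimeCreated": "2020-05-18T23:42:05", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "TimeCreated": "2020-05-19T01:02:44", "Computer": "WS-FIN-07",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrators",
     "MemberName": "CORP\\svc_backup2"},
]


def member_account(member_name: str) -> str:
    """Reduce 'CN=name,...' (4728) or 'DOMAIN\\name' to the bare account name."""
    if member_name.upper().startswith("CN="):
        return member_name.split(",", 1)[0][3:]
    return member_name.rsplit("\\", 1)[-1]


def approving_ticket(account: str, when: datetime, changes: List[Dict[str, str]],
                     window: timedelta = timedelta(hours=24)) -> Optional[str]:
    """Ticket approving this account shortly before the change, or None.

    The change must happen after approval and within the window; a ticket
    raised after the fact does not retroactively bless the account.
    """
    for chg in changes:
        if chg["account"].lower() != account.lower():
            continue
        approved = datetime.fromisoformat(chg["approved_at"])
        if approved <= when <= approved + window:
            return chg["ticket"]
    return None


def audit_account_changes(events: List[Dict], changes: List[Dict[str, str]],
                          window: timedelta = timedelta(hours=24)) -> List[Dict[str, str]]:
    """Account creations and privileged-group additions with no approving ticket."""
    findings = []
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            account, action = ev["TargetUserName"], "account created"
        elif ev["EventID"] in (4728, 4732):
            group = ev["TargetUserName"]
            if group not in PRIVILEGED_GROUPS:
                continue  # routine group changes are out of scope here
            account, action = member_account(ev["MemberName"]), f"added to {group}"
        else:
            continue
        if approving_ticket(account, when, changes, window) is None:
            findings.append({"time": ev["TimeCreated"], "host": ev["Computer"],
                             "by": ev["SubjectUserName"], "account": account, "action": action})
    return findings


if __name__ == "__main__":
    for f in audit_account_changes(SECURITY_EVENTS, APPROVED_CHANGES):
        print(f"{f['time']} {f['host']}: {f['account']} {f['action']} by {f['by']} (no ticket)")
```

In the sample, m.garcia is covered by CHG-1042 and drops out; svc_backup2, created at 23:41 and made a Domain Admin a minute later by the same account, is exactly the pattern Phipps and Sophos describe.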
“It’s like recording flight data: if you wait long enough, the attack will be recorded and there’s no evidence that you understood it,” Phipps said. “It’s hard for people to understand and investigate because all the security tools at their disposal don’t have identifying information.”
There are also clear signs that a ransomware attack is entering its final stage. Attackers will try to disable Active Directory and the domain controllers, corrupt any backups they can find, and disable any software-deployment systems that could be used to push out patches or updates. “And then they will hit you with the attack,” Phipps said.
Sophos also noted that at this point the gang may try to encrypt a handful of devices to test whether their plan works. That shows their hand, and the attackers know their time is limited.
How do you stop the attacker once they're inside?
The most important thing, according to Phipps, is to shut down the RDP session, as this cuts off the attackers' command-and-control access. Other steps, such as forcing a password change on the affected systems, can help, but if attackers can still use RDP to get back onto the network, those steps will be undone. It's also important to keep an eye out for unexpected administrator accounts, and organizations should consider monitoring or limiting their use of PowerShell.
How do you make your organization a harder, and therefore less attractive, target for ransomware gangs?
Here, it's important to stay up to date with the latest software. Many ransomware attacks exploit software bugs, but most of these have long since been fixed by the vendors; all you have to do is apply the patches. Against phishing, training staff not to click on random links, and combining strong passwords with two-factor authentication on as many systems as possible, will also help deter or slow down attackers.