Ransomware Attacks Happen Long Before The Ransom Is Posted
Ransomware is an increasing problem globally, costing billions annually with the price tag only increasing. While a ransom message popping up on the screen, followed by the realization that your files are locked, can be surprising, it definitely isn’t an immediate result of being hacked. Attacks start festering in a system long before a monetary demand is presented.
Like a dormant volcano, hackers lie in wait for what can be months prior to deploying their end result. The criminals crawl through slowly, monitoring and learning your patterns; copying files and changing permissions. This deliberate violation of your privacy is all to make sure that when they release their malice, it’s an airtight plan you’re helpless to correct.
There are ways, however, to spot this activity before it can be fully deployed. An astute administrator, knowing what to look for, can catch an attack long before it permeates the entire network.
Early Warning Signs
Once files are locked and encrypted, you know the criminals have been in your system for awhile. We’ve mentioned before that phishing scams and Remote Desktop Protocol (RDP) attacks are the favorite methods of hackers.
Scanning RDP ports is the first step in keeping the attackers at bay. Knowing the names, locations, and IPs of authorized users can alert an administrator to someone accessing the system who shouldn’t be there.
But if everything looks above board, there could still be someone lurking in your system. A phishing attack, for example, could lead to an authorized user becoming compromised. Red flags for this type of invasion can be the appearance of unexpected software tools on the network.
They’re In
MimiKatz, a tool regularly used by hackers, and Microsoft Process Explorer, are two such tools. While Process Explorer is a perfectly legitimate tool, MimiKatz is used almost exclusively by hackers. An unexpected appearance of either of these should be regarded as a warning that someone may be infiltrating your system.
Once in, a hacker will begin to open avenues by creating administrator accounts for themselves. This will allow greater permissions and the ability to begin to gather sensitive information. It also allows the hackers the ability to disable security software. (PC Matic has a feature built in that stops users, even admins, from being able to delete the software from the machine as a way to thwart this.)
The discovery of a disabling of Active Directory and the domain controllers, and any corruption of backup files, can mean that the process is nearly complete. It’s still possible to stop an attack during this time, but you’re so far along in the process that you’d need to act quickly.
If your systems are monitored regularly, it’s completely possible to spot these invasions before they lead to the encryption and deletion of data. Since this process can take weeks or even months to complete, the ability to catch a thief increases when you know where to look.
Prevention
Prevention is a life saver. Patch updates should be kept up-to-date. Education for employees on spotting a phishing attacks is key. Finally, a state of the art antivirus product will keep your systems monitored and locked down.
Cybercriminals are getting more advanced, there’s no way back from that. Together, though, we can stop them in their tracks. Stay educated, and, as always, stay safe out there.
