For many organizations, and individuals, the first sign of a ransomware attack is when a message appears on their computer screen telling them that their data has been encrypted and it will only be unencrypted if a payment, usually in bitcoins, is made to the hackers.
The organization is usually unaware of what else the hackers have been doing on their system including taking a copy of the data before they encrypt it and leave their message.
For many organizations, there is little choice about what to do. They can lose their data or they can pay up. But that last option always comes with issues because the hackers are criminals – so, even if they do take the money, what are the chances that they’ll actually bother unencrypting the data? And the data they’ve stolen? Won’t they still sell that information on the dark web?
There was a time when organizations could simply go to their extensive backups, and restore their data from those. They may lose some of their most recent data – updates that were made between the time the backup was taken and the attack to took place – but it’s probably worth it. Hackers were quick to spot that loophole in their plan and now corrupt backups before encrypting the data and informing the organization.
Many people used to believe that hackers were opportunists insofar as they would gain access to a corporate network and encrypt the data in a matter of hours. Nowadays, sophisticated hackers – often criminal gangs rather than individuals – will spend time maximizing the amount of information they can get their hands on and the damage they can do.
The steps in a cyberattack
Step one is to get someone in an organization to download your software. An innocent-looking email arrives explaining that the recipient has a tax refund due to them. For security reasons, they simply need to click on the link to find the details. Or they are asked to help with the Black Lives Matter campaign – just click on the link to find out more. Or any number of other subjects get unaware employees to click on the link. Sometimes, the malicious code is buried in an innocent-looking attachment. It still has the same result.
Step two is the infection stage. The malware is downloaded and it executes.
Step three is for the malware to dial home to ensure it can talk to the hackers who set it up. It also starts to make changes to the network and increases its security level to those of an admin.
Step four is to scan for data – whether that’s on a local computer, server, or the cloud. This can take some time to complete.
Step five is to corrupt backups. Step six is to upload data to the hackers. This would usually be personally identifiable information such as names and addresses, passwords, social security numbers, credit card numbers, etc. These two steps may occur at the same time.
Step seven is to encrypt your data. And step eight is to send a message saying that a ransomware attack has taken place and you need to pay the ransom.
The first way to prevent ransomware attacks is to ensure that all staff are trained to recognize phishing emails and not click on dubious links or attachments. And then run your own phishing attack on random employees to see how well the message is getting across as a way of raising the awareness of everyone.
Most sites prevent employees from plugging in memory sticks, which might contain malware on them.
Software that prevents staff accessing websites that are known to contain malware can help. Also helpful is software that filters spam emails or other suspicious emails. It’s also possible to stop files that are attached to emails with certain extensions reaching users. If the email isn’t in a user’s inbox, they can’t click on links or attachments and download the malware. Unfortunately, these approaches are never 100 percent efficient.
Keep all your software up to date so that it is not vulnerable to any known security issues. The same applies to hardware. The firmware in laptops can be the target for attacks, so it is important to install any security updates across the PC fleet as quickly as possible.
The good news is that ransomware attacks do leave footprints that can be identified. Although they aren’t conclusive that a ransomware attack is taking place, they are a sign that it might be. One sign might be that there’s a lot of unusual activity on some files. For example, there may be lots of failed file renames resulting from attempts by the malware to access those particular files. There may be unusual activity at unusual times of the day, which is caused by the ransomware encrypting files. Another sign of a hack, that might not be obvious at first, is to see that an admin has been logging on to servers during the night at much the same time for a few nights in a row. While logged in, they’ve been moving between servers using a remote desktop protocol (RDP). Or, you may find that people are reporting their inability to access certain files, which, again, may be caused by the ransomware encrypting or moving the file. And there may be unusual network activity as the malware communicates with the hackers – perhaps sending data to them.
Identify attacks taking place
So, what can be done to identify these signs of an attack? The answer is to continually monitor your system. Try to set up a baseline for what happens on your system so that it becomes easier to identify abnormal activity. Scan for unusual file activity – looking for changes. Log all incoming and outgoing traffic – to see whether the ransomware is dialling home. And always investigate anything out of the ordinary.
There is also the problem that software tools used by the IT security team can be used by hackers. Once a hacker has admin rights, they can use legitimate tools on your system, such as PC Hunter or Process Hacker to disable security software. And if you’re not expecting these kinds of tool to be where you find them, then it can be a sign of a hack in progress.
The presence of network scanning software (eg AngryIP) can also be a sign of an attack taking place. Once the hackers have access to one computer, they will try to gain a full view of the corporate network in order to access all the valuable data (or as much as possible). If no-one in IT knows anything about the scanner software, then it is a clear sign an attack is underway.
Use an intrusion detection system (IDS). This is designed to continually monitor a network for policy violations or any activity that might be considered malicious, and report what it has found. Some can respond to any intrusions. These are usually called intrusion prevention systems (IPS). Whatever you use, keep it up to date. And make sure that it can detect the common exploit kits (EK) used to get ransomware onto a network.
Some sites create a honey trap, an area that appears to be full of rich data pickings to entice the would-be hackers to investigate it further. By monitoring for any activity on that disk, it’s possible to quickly identify that an attack is in progress. Because hackers usually work through the drives in alphabetical order, it makes sense to give it the letter E: or G:.
Lastly, consider buying cyber insurance to help pay for recovering your system after a successful attack. I’m not sure whether the insurance covers the damage to your reputation!
Often employees use the same password that’s stored in Active Directory to access the mainframe. So, watch out for hackers getting into that as well.
Find out more about iTech-Ed here.