Five signs you’re about to get hit with ransomware

Sophos’ Managed Threat Response (MTR) unit works extensively with ransomware victims, and as part of its work, it examines the past fortnight of detections to look for signs of intrusion. It has now compiled a list of five pointers that potentially indicate an attacker rooting around inside the network, establishing the lie of the land, and how to get hold of the account access they need to launch a ransomware attack.

Chester Wisniewski, principal research scientist at Sophos, told Computer Weekly that the firm’s MTR team had a clear visibility advantage over the average organisation when it came to analysing ransomware attacks at scale.

“For example,” he said, “after they observed the third WastedLocker attack that they had analysed at a client, they saw patterns of tools being used in a certain order by the criminals staging the attack, before they started ransoming data.

“They were then able to go out across all our customers that are protected using our EDR [Endpoint Detection and Response] product and look at their machines and say ‘here are more people the cyber criminals are in right now, but they haven’t triggered the ransomware yet’.

“We identified their pattern and went and looked for it across our entire client base and found the people who clearly had the same ransomware actor with an initial foothold, before they were able to cause damage”.

Wisniewski added: “That’s really hard for an enterprise to do, because they only have themselves to look at and unless they’ve been hit before, they don’t really know what they’re looking for. Our team is sitting there looking at thousands of clients every day and we can say we’ve seen this before, we know what this is, let’s shut that down right now.”

The key to reading the signs of an impending ransomware incident is understanding that cyber criminals will often use legitimate administrative tools to set the stage for their attack, said Sophos. This makes spotting them quite difficult, and means their activity can easily be overlooked, but they do put up red flags if you are alert to how your own tools are going to be used against you.

“Most famously, Microsoft tools are heavily abused by these guys, because no one’s looking for the good thing being used in a malicious way, if you will,” said Wisniewski. “You take a perfectly good tool that’s meant to help you deploy software and use that same tool to deploy your ransomware, and that seems to be a blind spot for a lot of organisations, certainly one of the ones that stands out most to me.”

Sophos’ five essential tips that may suggest ransomware actors are already inside your system are:

• First, look out for network scanners, especially on servers. Cyber criminals will typically first gain access to one computer to search for information, such as the domain, company name, what admin rights the machine is enabled with, and so on. They will then try to understand what else is on the network and what they can get at, and the easiest way to do this is with a network scanning tool, such as AngryIP or Advanced Port Scanner. If one is found, security leads should check in with IT admin staff to find out whether it is being used legitimately, and if not, an investigation is warranted.
• If an attacker has gained admin rights, they are likely to try to disable your antivirus protections using legitimate commercial apps that are designed to help remove software. These could include Process Hacker, IOBit Installer, GMER or PC Hunter. Security teams should be alert to their appearance on the network.
• Any detection of the open source MimiKatz credential gathering program anywhere on the network should be immediately checked out. Again, MimiKatz does have legitimate uses by professional penetration testers, but is also popular with cyber criminals to use for credential theft.
• Any detection of any behaviour that happens at the same time every day, or in some other repeating pattern, can be an indication that there is something untoward going on, even if you have recently found and removed malicious files from the network. This could mean there is something else happening that you haven’t yet seen.
• Be alert to the possibility of small-scale test attacks on a few computers, which are run to see if the deployment method and ransomware executes or is stopped. If your systems do stop a seemingly inconsequential attack, the cyber criminals will know they have shown their hand and will have to change tactics to try again, giving your security team vital hours to stop something much worse.

Sophos’ wide-ranging report series also looks into the development of more evasive forms of ransomware, the emergence of the post-intrusion or double extortion attack, and offers new research on WastedLocker, thought to be behind the recent downing of Garmin’s systems, among others.