Although people often think of ransomware attacks as one of those things that “just happens,” there are often warning signs a ransomware attack is in progress. In this article, I will share several ransomware indicators you can use to detect an infection on your system.
Automated Ransomware vs. Human-operated Ransomware
As background, it’s important to understand that ransomware generally falls into two categories: automated and human-operated.
Automated ransomware infections tend to cause problems for individuals. These types of attacks are purely opportunistic and usually follow a pattern: A user downloads ransomware by clicking on a link or attachment, then the ransomware encrypts the person’s data and does whatever else it is designed to do. Eventually, the ransomware displays a ransom message to the user.
Human-operated ransomware is far more sophisticated. In this case, a ransomware gang will find a way to break into a corporate network. Once in, the gang will spend an extensive amount of time researching the organization’s systems and planning an attack. By the time the gang issues the ransom demand, it will have gained deep knowledge about the organization’s inner workings. I recently heard about a case of human-operated ransomware in which the attackers even knew the details of the victim’s data insurance policy (e.g., premiums, policy benefits, etc.). Weeks or even months may elapse between the initial breach and the issuing of the ransom demand.
Warning Signs of Automated Ransomware
When it comes to automated ransomware, there is often the misperception that a user clicks on a link and is instantly infected. Every ransomware variant is different, but, in most cases, the victim does not receive a ransom demand right away.
The reason for this is that the attacker wants to inflict maximum damage prior to issuing the ransom demand. If the attacker displayed the ransom demand at the start of the attack, the victim could conceivably pull the plug on their computer and stop the attack in its tracks, thus minimizing the damage. That’s why most ransomware attackers try to inflict damage before notifying the user of the infection. It’s a way to coerce the victim to pay.
Again, every ransomware variant is different, yet users can detect signs of ransomware attacks in progress by spotting certain irregularities. The most telling sign of an automated ransomware attack is an abnormal spike in disk activity. Remember, the ransomware is going to walk every folder looking for data to encrypt. Depending on the specifics of the attack, the victim (as well as other people on the network) may also notice that the system becomes less responsive.
Although ransomware attacks once focused solely on the victim’s hard disk, modern ransomware variants will typically also try to encrypt the data on network shares. If the organization uses continuous data protection (CDP) backup technology, the backup server will see a sharp spike in activity. CDP products are designed to back up files (or rather the storage blocks making up the files) any time that they are modified. The malicious encryption process will modify storage blocks, thus causing the CDP backup system to work extra hard to keep up with all those changes.
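The disk-activity spike described above can be turned into a concrete check. The following is an added example, not code from the article: it buckets file-modification events per minute, learns a baseline from a quiet period, and flags any later minute whose modification count is far above it, also reporting how many distinct directories were touched (a walk through every folder stands out even when the raw count is borderline). The events are a constructed sample; a real deployment would feed it file-audit or EDR telemetry, or the block-change counters of a CDP backup server, which can be bucketed the same way.

```python
"""Flag the burst of file modifications an automated ransomware infection
produces while it walks every folder encrypting data. The events below are a
constructed sample, not telemetry from a real incident."""
from collections import defaultdict
from statistics import mean, pstdev

FOLDERS = ("Documents", "Pictures", "Desktop", "Music")


def constructed_events():
    """Return (seconds_since_start, path, action) tuples: ten quiet minutes of a
    user saving a few documents, then two minutes of mass modification."""
    events = []
    for minute in range(10):
        for k in range(3 + minute % 3):
            events.append((minute * 60 + k * 10,
                           f"C:/Users/alice/Documents/report{k}.docx", "modify"))
    for minute in (10, 11):
        for k in range(600):
            folder = f"C:/Users/alice/{FOLDERS[k % 4]}/sub{k % 25}"
            events.append((minute * 60 + k % 60, f"{folder}/file{k}.xlsx", "modify"))
    return events


def bucket_by_minute(events):
    """Count modifications and distinct directories touched per minute. A CDP
    backup server's block-change counters can be bucketed the same way."""
    per_minute = defaultdict(lambda: {"count": 0, "dirs": set()})
    for ts, path, action in events:
        if action != "modify":
            continue
        bucket = per_minute[ts // 60]
        bucket["count"] += 1
        bucket["dirs"].add(path.rsplit("/", 1)[0])
    return dict(sorted(per_minute.items()))


def find_bursts(per_minute, baseline_minutes=10, sigma=3.0, min_ratio=10.0):
    """Compare each minute after the baseline period against the baseline's
    mean + sigma * stddev. The minimum ratio guards against a near-zero stddev
    making ordinary jitter look like an attack."""
    minutes = sorted(per_minute)
    base = [per_minute[m]["count"] for m in minutes[:baseline_minutes]]
    mu, sd = mean(base), pstdev(base)
    threshold = max(mu + sigma * sd, min_ratio * mu)
    alerts = []
    for m in minutes[baseline_minutes:]:
        bucket = per_minute[m]
        if bucket["count"] > threshold:
            alerts.append({"minute": m, "modifications": bucket["count"],
                           "distinct_dirs": len(bucket["dirs"]),
                           "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(bucket_by_minute(constructed_events())):
        print(alert)
```

With the constructed sample, the baseline averages about four modifications per minute, so minutes 10 and 11 (600 modifications each, spread over 100 directories) are flagged. Tune `baseline_minutes`, `sigma` and `min_ratio` to the host's normal workload; a build server or a database host will need a much higher threshold than a user workstation.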
Warning Signs of Human-operated Ransomware
Human-operated ransomware tends to be much more difficult to spot than automated ransomware. That’s simply because the attacks take place over a period of weeks or months.
As noted above, one reason these attacks take so long is that the attackers research the organization and its network. Another is that the attackers deliberately move slowly to avoid detection. Even so, there are signs of ransomware activity that you can look for.
Once attackers have breached a network, they might create a backdoor. The backdoor lets them get back into the network whenever they need. That being the case, you should be on the lookout for the creation of new accounts (especially privileged accounts).
You should also be on the lookout for unauthorized software installations. The presence of Mimikatz, Process Explorer, PC Hunter, or other hacking tools is a dead giveaway you’re under attack.
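The two indicators above (new privileged accounts and unauthorized tooling) can be checked from logs you most likely already collect. What follows is an added example, not code from the article. The first function correlates Windows Security audit events 4720 (user account created) and 4728/4732/4756 (member added to a security group) to report accounts that land in a privileged group, marking those that were created in the same log window. The second matches a software inventory against the tools the article names. The event records and inventory are constructed samples; the file names assumed for each tool are common shipping names, not a complete list, and an attacker who renames a binary will slip past a name match, so treat it as one signal among several.

```python
"""Two checks for the human-operated stage: accounts created and then granted
privileged group membership, and known tooling showing up in a software
inventory. Records below are constructed samples; the event IDs are the real
Windows Security audit IDs."""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins",
                     "Enterprise Admins", "Backup Operators"}
ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group

# Constructed Security-log extract, reduced to the fields the check needs.
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-02T01:12:07",
     "TargetUserName": "svc_backup2", "SubjectUserName": "bob"},
    {"EventID": 4732, "TimeCreated": "2024-03-02T01:12:40",
     "MemberName": "CORP\\svc_backup2", "TargetUserName": "Administrators",
     "SubjectUserName": "bob"},
    {"EventID": 4720, "TimeCreated": "2024-03-02T09:30:11",
     "TargetUserName": "jsmith", "SubjectUserName": "hr_provisioning"},
    {"EventID": 4732, "TimeCreated": "2024-03-02T09:31:00",
     "MemberName": "CORP\\jsmith", "TargetUserName": "Remote Desktop Users",
     "SubjectUserName": "hr_provisioning"},
    {"EventID": 4728, "TimeCreated": "2024-03-03T23:58:19",
     "MemberName": "CORP\\helpdesk_tmp", "TargetUserName": "Domain Admins",
     "SubjectUserName": "bob"},
]


def new_privileged_accounts(events):
    """Report every addition to a privileged group, flagging members whose
    account-creation event (4720) is also present in the same window."""
    created = {e["TargetUserName"].lower()
               for e in events if e["EventID"] == ACCOUNT_CREATED}
    findings = []
    for e in events:
        if e["EventID"] in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS:
            member = e["MemberName"].split("\\")[-1].lower()
            findings.append({"account": member, "group": e["TargetUserName"],
                             "by": e["SubjectUserName"], "when": e["TimeCreated"],
                             "newly_created": member in created})
    return findings


# Tool names from the article, mapped to file names they commonly ship under.
# The file-name list is an assumption for this example and is not exhaustive.
KNOWN_TOOLS = {
    "mimikatz": ("mimikatz.exe", "mimilib.dll"),
    "process explorer": ("procexp.exe", "procexp64.exe"),
    "pc hunter": ("pchunter32.exe", "pchunter64.exe"),
}

# Constructed inventory: (hostname, executable path) from an asset agent.
SAMPLE_INVENTORY = [
    ("WS-042", r"C:\Users\bob\Downloads\mimikatz.exe"),
    ("WS-042", r"C:\Temp\procexp64.exe"),
    ("FS-01", r"C:\Windows\System32\svchost.exe"),
    ("ADMIN-07", r"C:\Tools\procexp64.exe"),
]
# Sanctioned (host, file name) pairs, e.g. an admin workstation that legitimately runs Process Explorer.
ALLOWLIST = {("admin-07", "procexp64.exe")}


def unauthorized_tools(inventory, allowlist=frozenset()):
    """Return inventory entries whose file name matches a known tool and is not
    allowlisted for that host."""
    hits = []
    for host, exe_path in inventory:
        name = exe_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if (host.lower(), name) in allowlist:
            continue
        for tool, names in KNOWN_TOOLS.items():
            if name in names:
                hits.append({"host": host, "tool": tool, "path": exe_path})
    return hits


if __name__ == "__main__":
    for f in new_privileged_accounts(SAMPLE_SECURITY_EVENTS):
        print("privileged group change:", f)
    for h in unauthorized_tools(SAMPLE_INVENTORY, ALLOWLIST):
        print("unexpected tool:", h)
```

On the sample data the first check reports `svc_backup2` (created and added to Administrators within a minute, by the same actor, at 1 a.m.) and `helpdesk_tmp` (added to Domain Admins with no creation event in view); `jsmith` is ignored because Remote Desktop Users is not in the privileged set. The second check reports Mimikatz and Process Explorer on WS-042 and skips the allowlisted copy on ADMIN-07.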
Another sign of ransomware attacks is if systems that normally behave properly suddenly seem glitchy. As explained earlier, an attacker’s goal is to inflict maximum damage and avoid detection for as long as possible. As such, an attacker may try to shut down security-related services or tamper with the backup. If you notice that security-related services keep shutting down for no apparent reason, it’s time to get your security team involved immediately. Similarly, if a backup application that has always been reliable suddenly starts producing lots of errors, you shouldn’t assume it’s simply a malfunction. Attackers will often try to disable or destroy an organization’s backups as a way to force the organization to pay the ransom.
Of course, any type of hacking-related activity may signal a ransomware attack is underway. Port scans coming from inside of your network and failed attempts to access network shares or infrastructure appliances can all indicate an impending attack.
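The last two indicators, security services that keep stopping and port scans originating inside the network, can likewise be pulled from routine logs. This is an added example, not code from the article. The first function reads Service Control Manager event 7036 ("service entered the stopped state") from the System log and reports any security-related service stopped repeatedly within a window. The second reads connection records (firewall, NetFlow or host-level network events) and reports an internal source that reaches an unusually large number of distinct ports in a short time. The log records and flows are constructed samples, and the list of service-name hints is an assumption to tailor to your own tooling.

```python
"""Checks for the later stage of a human-operated intrusion: security services
that keep stopping, and port scans launched from inside the network.
All records below are constructed samples."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings identifying security-relevant services; an assumption for this example.
SECURITY_SERVICE_HINTS = ("defender", "antivirus", "endpoint", "sense", "backup", "sysmon")
SERVICE_STATE_CHANGE = 7036  # Service Control Manager: "<service> entered the <state> state"

# Constructed System-log extract.
SAMPLE_SYSTEM_EVENTS = [
    {"EventID": 7036, "Time": "2024-03-04T02:10:03", "Host": "FS-01",
     "ServiceName": "Windows Defender Antivirus Service", "State": "stopped"},
    {"EventID": 7036, "Time": "2024-03-04T02:10:09", "Host": "FS-01",
     "ServiceName": "Windows Defender Antivirus Service", "State": "running"},
    {"EventID": 7036, "Time": "2024-03-04T02:41:55", "Host": "FS-01",
     "ServiceName": "Windows Defender Antivirus Service", "State": "stopped"},
    {"EventID": 7036, "Time": "2024-03-04T03:15:20", "Host": "FS-01",
     "ServiceName": "Windows Defender Antivirus Service", "State": "stopped"},
    {"EventID": 7036, "Time": "2024-03-04T03:20:00", "Host": "FS-01",
     "ServiceName": "Backup Agent Service", "State": "stopped"},
    {"EventID": 7036, "Time": "2024-03-04T04:05:00", "Host": "FS-01",
     "ServiceName": "Backup Agent Service", "State": "stopped"},
    {"EventID": 7036, "Time": "2024-03-04T08:00:00", "Host": "WS-011",
     "ServiceName": "Print Spooler", "State": "stopped"},
    {"EventID": 7036, "Time": "2024-03-04T09:00:00", "Host": "WS-011",
     "ServiceName": "Print Spooler", "State": "stopped"},
]


def repeated_security_service_stops(events, window=timedelta(hours=24), min_stops=2):
    """Group 'stopped' transitions by (host, service) for security-related
    services and report any that stop min_stops or more times within window."""
    stops = defaultdict(list)
    for e in events:
        if e["EventID"] != SERVICE_STATE_CHANGE or e["State"] != "stopped":
            continue
        name = e["ServiceName"]
        if not any(hint in name.lower() for hint in SECURITY_SERVICE_HINTS):
            continue
        stops[(e["Host"], name)].append(datetime.fromisoformat(e["Time"]))
    findings = []
    for (host, name), times in stops.items():
        times.sort()
        for i, t0 in enumerate(times):  # slide the window from each stop
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_stops:
                findings.append({"host": host, "service": name,
                                 "stops_in_window": n, "first": t0.isoformat()})
                break
    return findings


def constructed_flows():
    """(time, src, dst, dst_port, outcome) records: a workstation's normal
    traffic plus one host touching 30 ports on a server within 15 seconds."""
    flows = []
    base = datetime.fromisoformat("2024-03-04T02:30:00")
    for i in range(20):
        flows.append((base + timedelta(seconds=30 * i), "10.0.5.40", "10.0.1.10", 445, "allowed"))
        flows.append((base + timedelta(seconds=30 * i + 5), "10.0.5.40", "10.0.1.20", 8080, "allowed"))
    for i, port in enumerate(range(1, 31)):
        flows.append((base + timedelta(seconds=0.5 * i), "10.0.5.23", "10.0.1.5", port,
                      "denied" if i % 2 else "allowed"))
    return flows


def internal_port_scans(flows, window=timedelta(seconds=60), min_distinct_ports=15):
    """Report private-range sources that contact min_distinct_ports or more
    distinct destination ports within window."""
    by_src = defaultdict(list)
    for t, src, dst, port, _outcome in flows:
        if ipaddress.ip_address(src).is_private:
            by_src[src].append((t, dst, port))
    findings = []
    for src, recs in by_src.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            in_win = [(d, p) for t, d, p in recs[i:] if t - t0 <= window]
            ports = {p for _, p in in_win}
            if len(ports) >= min_distinct_ports:
                findings.append({"src": src, "distinct_ports": len(ports),
                                 "targets": sorted({d for d, _ in in_win}),
                                 "start": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in repeated_security_service_stops(SAMPLE_SYSTEM_EVENTS):
        print("service stops:", f)
    for f in internal_port_scans(constructed_flows()):
        print("internal scan:", f)
```

On the sample data, the Defender service (three stops in an hour) and the backup agent (two stops) on FS-01 are reported, the Print Spooler is ignored as non-security, and 10.0.5.23 is reported for reaching 30 distinct ports on 10.0.1.5 while the ordinary workstation traffic to two ports is not. Both checks run on records the page lists as early warnings, so they belong in whatever alerting your security team already watches rather than in a report read after the fact.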