Sophos- The realities of ransomware: Five signs you’re about to be attacked
Ransomware attacks are complex and multi-stage. Before deploying malware, attackers typically spend time exploring their victims’ networks and gaining access.
Stop attacks before ransomware can be launched and you’ll save yourself a whole lot of pain. Five signs that an attack may be imminent are:
• Detection of a network scanner, especially on a server
• Detection of tools for disabling antivirus software
• The presence of Mimikatz, a common hacking tool
• Patterns of suspicious behavior
• Test attacks
If you spot any of these red flags, exercise caution and investigate immediately. To learn more, read the below article 5 signs you’re about to be attacked.
SophosLabs Uncut • The realities of ransomware
A manager on the Managed Threat Response team explains what to expect when you’re expecting a ransomware attack
Whenever we work with ransomware victims, we spend some time looking back through our telemetry records that span the previous week or two. These records sometimes include behavioral anomalies that (on their own) may not be inherently malicious, but in the context of an attack that has already taken place, could be taken as an early indicator of a threat actor conducting operations on the victim’s network.
Listen to this article on SoundCloud!
If we see any of these five indicators, in particular, we jump on them straight away. Any of these found during an investigation is almost certainly an indication that attackers have poked around: to get an idea of what the network looks like, and to learn how they can get the accounts and access they need to launch a ransomware attack.
Attackers use legitimate admin tools to set the stage for ransomware attacks. Without knowing what tools administrators normally use on their machines, one could easily overlook this data. In hindsight, these five indicators represent investigative red flags.
- A network scanner, especially on a server.
Attackers typically start by gaining access to one machine where they search for information: is this a Mac or Windows, what’s the domain and company name, what kind of admin rights does the computer have, and more. Next, attackers will want to know what else is on the network and what can they access. The easiest way to determine this is to scan the network. If a network scanner, such as AngryIP or Advanced Port Scanner, is detected, question admin staff. If no one cops to using the scanner, it is time to investigate.
A network scanner found among a repository of tools used by Netwalker ransomware
• Tools for disabling antivirus software.
Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter. These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared.
• The presence of MimiKatz
Any detection of MimiKatz anywhere should be investigated. If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft. Attackers also use Microsoft Process Explorer, included in Windows Sysinternals, a legitimate tool that can dump LSASS.exe from memory, creating a .dmp file. They can then take this to their own environment and use MimiKatz to safely extract user names and passwords on their own test machine.
Mimikatz and related PowerShell scripts used to launch it, found among a repository of tools used by the Netwalker ransomware threat actors
• Patterns of suspicious behavior
Any detection happening at the same time every day, or in a repeating pattern is often an indication that something else is going on, even if malicious files have been detected and removed. Security teams should ask “why is it coming back?” Incident responders know it normally means that something else malicious has been occurring that hasn’t (as of yet) been identified.
• Test attacks
Occasionally, attackers deploy small test attacks on a few computers in order to see if the deployment method and ransomware executes successfully, or if security software stops it. If the security tools stop the attack, they change their tactics and try again. This will show their hand, and attackers will know their time is now limited. It is often a matter of hours before a much larger attack is launched.
About the Author
Peter Mackenzie
Peter leads the Incident Response Team at Sophos. He works with an expert team of threat hunters to help organizations targeted by cyberthreats to investigate, contain and neutralize attacks. Peter has been with Sophos since 2011 and specialises in ransomware attacks.
