Ransomware is the new nightmare for IT departments, security management, and in general, companies that suddenly find themselves faced with the fact that each of their computers and servers is encrypted.
According to the research unit at Rhyno Cybersecurity, there are clear indications that a company is about to fall victim to ransomware, and many of these indications have been there all along. These include bad DNS requests, targeted and failed VPN reboots, and login failures, all of which in theory should trigger alarms that an attack could be in progress.
In any case, mitigation and protection efforts should start with assessing the company’s vulnerabilities; however, this must be done quickly. Once the attackers are on a network, IT practitioners have between 4 hours and 12 days before the damage is done.
What should IT or cybersecurity personnel consider?
- Unusual time on VPN connections: IT staff should look for anomalous timing on VPN connections. If the organization normally sees traffic between 9 a.m. and 5 p.m. and then suddenly there is traffic at 2 a.m. from IP addresses in other countries such as Russia or Mozambique, these are signals that attackers are trying to gain access.
- Traffic is suddenly redirected to places on the Dark Web: Normal network traffic should never be redirected to a Tor site. The average user probably does not know what Tor is, much less have a business reason to use it. Beware of unusual DNS requests: if the requests resolve to known malware sites, the network could become infected.
- Security tools used in environments they were not assigned to: Once attackers have administrator rights, they will attempt to disable security software using applications built for the forced removal of software, such as Process Hacker, IObit Uninstaller, GMER, and PC Hunter. These tools are legitimate, but if one of them shows up on a system it is not assigned to, something is wrong.
- Unusual questions: Attackers often start by gaining access to a machine, seeking information and asking questions that everyday users would not normally ask. For example, is this a Mac or a Windows machine? What is the domain and name of the company? What kind of administrator rights does the computer have? The attackers then try to find out what else is on the network and what they can access. They will try to use a network scanner in most circumstances, such as Angry IP or Advanced Port Scanner. If you spot unusual activity and no one on the management staff was using the scanner for normal corporate use, it’s time to investigate.
- Increase in phishing emails with strange domains: IT and Cybersecurity staff should be on the lookout for emails that come with strange domain names. Analysis tools allow you to find every new domain passed through the network in the last few weeks. It is possible to filter known good and bad domains based on reputation. These tools can also see what was downloaded and determine what may seem unusual.
- Brute force attacks: It is important to look for brute force attacks on RDP systems. Once on the network, attackers often search for additional passwords. You should also be on the lookout for unusual file copy activity, especially .bat, .zip, .txt, and other common files. It is not common for one account to copy files to and from multiple user accounts or devices. There are also situations where attackers have compromised administrative accounts and begin copying files. Attackers also use these accounts to preserve and encrypt file systems quickly.
- Active Directory login errors: IT departments should monitor Active Directory for login errors. For example, three login failures in a row on RDP servers are a sign that the network could be compromised. It is a good time to develop a safe list of known-good IP addresses, especially since more employees are now working from home due to the COVID-19 pandemic.
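As an added example (not code from Rhyno Cybersecurity's article or products), the following Python script applies simple rule checks for several of the indicators above to a handful of constructed log lines: off-hours VPN connections from unexpected countries, DNS lookups of known-bad domains, forced-removal tools appearing on hosts they are not assigned to, and three consecutive failed RDP logins for one account. The log format, field names, allow lists, executable names, thresholds and the sample lines are all assumptions made for the example.

```python
"""Rule-based triage of constructed log lines for ransomware precursors.

Added example; log format, field names, thresholds and allow lists are
assumptions, not a vendor's schema. Each alert is a tuple of
(rule name, affected host or user, supporting detail).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data). Assumed line format:
#   <ISO timestamp> <event type> <key=value ...>
SAMPLE_LOGS = """
2024-03-04T09:12:00 vpn user=alice src=203.0.113.10 country=CA
2024-03-05T02:14:00 vpn user=bob src=198.51.100.7 country=RU
2024-03-05T02:20:00 dns host=ws-17 query=update.example-cdn.test
2024-03-05T02:21:00 dns host=ws-17 query=badsite.test
2024-03-05T02:30:00 proc host=ws-17 user=bob image=ProcessHacker.exe
2024-03-05T02:31:00 proc host=ws-17 user=bob image=notepad.exe
2024-03-05T02:40:00 rdp host=rdp-01 user=admin result=fail
2024-03-05T02:40:05 rdp host=rdp-01 user=admin result=fail
2024-03-05T02:40:10 rdp host=rdp-01 user=admin result=fail
2024-03-05T08:00:00 rdp host=rdp-01 user=carol result=fail
2024-03-05T08:01:00 rdp host=rdp-01 user=carol result=success
"""

BUSINESS_HOURS = range(9, 17)           # 9 a.m. to 5 p.m., as in the article
ALLOWED_COUNTRIES = {"CA"}              # assumed: where VPN users are expected
KNOWN_BAD_DOMAINS = {"badsite.test"}    # assumed: reputation feed (constructed)
# Assumed executable names for the forced-removal tools named in the article.
FORCED_REMOVAL_TOOLS = {"processhacker.exe", "iobituninstaller.exe",
                        "gmer.exe", "pchunter.exe"}
ASSIGNED_TOOL_HOSTS = {"it-admin-01"}   # assumed: hosts where those tools belong
FAILED_LOGIN_THRESHOLD = 3              # three failures in a row, as in the article


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    ts, kind, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def parse_logs(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def find_indicators(records):
    """Run the four rule checks in log order and collect alerts."""
    alerts = []
    fail_streak = defaultdict(int)  # (host, user) -> consecutive failed RDP logins
    for r in records:
        if r["kind"] == "vpn":
            off_hours = r["ts"].hour not in BUSINESS_HOURS
            unexpected = r["country"] not in ALLOWED_COUNTRIES
            if off_hours and unexpected:
                alerts.append(("vpn_offhours_foreign", r["user"], r["src"]))
        elif r["kind"] == "dns":
            if r["query"] in KNOWN_BAD_DOMAINS:
                alerts.append(("dns_known_bad", r["host"], r["query"]))
        elif r["kind"] == "proc":
            if (r["image"].lower() in FORCED_REMOVAL_TOOLS
                    and r["host"] not in ASSIGNED_TOOL_HOSTS):
                alerts.append(("unassigned_admin_tool", r["host"], r["image"]))
        elif r["kind"] == "rdp":
            key = (r["host"], r["user"])
            if r["result"] == "fail":
                fail_streak[key] += 1
                # Alert once, when the streak first reaches the threshold.
                if fail_streak[key] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("rdp_failed_logins", r["host"], r["user"]))
            else:
                fail_streak[key] = 0  # a success resets the streak
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(parse_logs(SAMPLE_LOGS)):
        print(*alert)
```

On the sample lines this produces four alerts (one per rule) and stays quiet for the daytime Canadian VPN login, the benign process, and the single failed login followed by success. In practice the rules would read from a SIEM rather than a string, and the country and host allow lists would come from the safe list the article recommends building.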
How Can Ransomware Be Prevented?
Several defensive steps can be taken to prevent ransomware. These steps are, of course, good security practices in general, so following them can improve your cybersecurity defenses against all types of attacks:
- Keep your operating system patched and up to date to ensure attackers have fewer vulnerabilities to exploit.
- Do not install software unless you know what it is and what it does, and restrict installation to users with administrative privileges.
- Install next-generation antivirus software that detects malicious programs such as ransomware as they arrive and prevents unauthorized applications from running.
- And, very importantly, back up your files frequently and automatically as well as provide redundancy. This won’t stop a ransomware attack, but it can make the damage done by one much less significant.
Ransomware can be devastating to small and midsize businesses, and recovery efforts can be both difficult and costly. Although organizations are discouraged from paying a ransom, some sophisticated forms of ransomware can never be recovered without paying.
About Rhyno Cybersecurity
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.