How do you check for ransomware infection?

Ransomware is a type of malware that encrypts files on a device and demands payment in order to decrypt them. It has become an increasingly common threat in recent years. If you suspect your computer or network may be infected with ransomware, there are steps you can take to check for signs of infection and prevent further damage.

Look for suspicious files

One of the first signs of a potential ransomware infection is the appearance of strange, random files on your system. Ransomware will often save encrypted files with extensions like .crypto, .locky, .zzzzz, .xor, .crypt, or .encrypted. If you see files like “myfile.doc.crypt” or “encrypted.jpg.locky” that you don’t remember creating, it could indicate ransomware.

You may also see files containing random characters like “73h8sd.ruwe” or “ek43f9p.diaz.” Ransomware tends to rename encrypted files with long strings of nonsense characters to make them inaccessible to users.

Keep an eye out for unexpected executable files as well, like “.exe” or “.vbs.” These could be components of the ransomware dropped onto your system.

Check for encryption notifications

Many strains of ransomware drop “readme” files after encrypting data. These files name the ransomware family that infected the system and give instructions for paying the ransom in exchange for a decryption key. If strange text or HTML files, or outright ransom notes, appear on your desktop or in your folders, it’s a telltale sign of ransomware.

You may also get pop-up notifications alerting you that your files have been encrypted. The ransom message will typically ask for payment in cryptocurrency and provide an untraceable email address for further communication.

Look for activity in task manager

Opening Windows Task Manager can reveal suspicious processes running in the background. Ransomware typically consumes a lot of CPU and disk I/O while it encrypts files. If you notice unfamiliar processes like “encfiles.exe”, or spikes in activity even when you aren’t actively using your computer, it could point to malware.

Keep an eye out for processes originating from unfamiliar locations. Legitimate Windows processes will be located in places like “C:\Windows,” while ransomware often installs itself in other directories.
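The check described above, as an added example that is not part of the original article: a PowerShell snippet that lists running processes whose executable lives outside the usual Windows and Program Files locations, with CPU time and Authenticode status, so an unsigned encryptor running from a user-writable folder stands out. The trusted-root list is an assumption for illustration; run it in an elevated Windows PowerShell session, because the Path of protected system processes is empty otherwise.

```powershell
# Added example (not from the article): triage running processes by location
# and signature. Processes without a readable Path are skipped.
$trustedRoots = @(
    "$env:SystemRoot\",             # C:\Windows\
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    foreach ($root in $trustedRoots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Get-Process |
    Where-Object { $_.Path -and -not (Test-TrustedPath $_.Path) } |
    ForEach-Object {
        # An unsigned binary in a user-writable folder is the classic profile of a dropped payload.
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            PID       = $_.Id
            Path      = $_.Path
            CPUSec    = if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 }
            Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        }
    } |
    Sort-Object CPUSec -Descending |
    Format-Table -AutoSize
```

Legitimate software also runs from user folders (browser updaters, chat clients), so treat the output as a shortlist to verify, not a verdict; a high CPU figure combined with NotSigned or HashMismatch is what deserves immediate attention.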

Check if files open

One of the main ways ransomware cripples a system is by encrypting users’ personal files so they can’t access them. Try opening different types of files like documents, photos, videos and databases to see if you can view the contents.

Encrypted files will display garbled, incomprehensible data or may not open at all. If your files were accessible previously but you now get errors trying to open them, it’s a strong sign of ransomware at work.
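Rather than opening files one at a time, the “garbled contents” test can be automated. The following is an added example, not code from the article: it reads the first 64 KiB of each file under an assumed folder, computes the Shannon entropy, and checks that the leading bytes still match the format the extension claims. Properly encrypted data sits close to 8 bits per byte and no longer carries its format header, so a .docx that does not begin with “PK” is a strong signal. The magic-byte table is a small illustrative subset.

```powershell
# Added example (not from the article): flag files that look encrypted.
$Root = "$env:USERPROFILE\Documents"   # assumed starting folder

# Well-known leading bytes for a few common formats.
$magic = @{
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)   # %PDF
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04)   # PK.. (zip container)
    '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.zip'  = [byte[]](0x50,0x4B,0x03,0x04)
    '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
    '.jpg'  = [byte[]](0xFF,0xD8,0xFF)
}

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return $entropy
}

function Test-FileLooksEncrypted {
    param([System.IO.FileInfo]$File)
    $stream = [System.IO.File]::OpenRead($File.FullName)
    try {
        $buffer = New-Object byte[] 65536        # first 64 KiB is enough for both checks
        $read = $stream.Read($buffer, 0, $buffer.Length)
    } finally { $stream.Dispose() }
    if ($read -eq 0) { return }                   # empty file: nothing to judge
    $head = $buffer[0..($read - 1)]

    $ext = $File.Extension.ToLowerInvariant()
    $headerOk = $true
    if ($magic.ContainsKey($ext)) {
        $sig = $magic[$ext]
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($i -ge $read -or $head[$i] -ne $sig[$i]) { $headerOk = $false; break }
        }
    }
    $entropy = Get-ShannonEntropy $head
    # Compressed formats (docx, jpg, png, zip) are legitimately high-entropy, so for a
    # known extension the header decides; entropy is used only for unknown types.
    $suspicious = if ($magic.ContainsKey($ext)) { -not $headerOk } else { $entropy -gt 7.9 }
    [pscustomobject]@{
        File       = $File.FullName
        Entropy    = [math]::Round($entropy, 2)
        HeaderOk   = $headerOk
        Suspicious = $suspicious
    }
}

Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-FileLooksEncrypted $_ } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

A handful of hits is normal (archives, already-encrypted containers, media with unusual headers); a whole folder tree lighting up at once, with matching timestamps, is the ransomware pattern.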

Look for missing files

In some cases, ransomware doesn’t encrypt files – it deletes or overwrites them instead. Check locations where you store important data like My Documents or the desktop for missing files. If critical files have mysteriously vanished, you could be dealing with destructive ransomware designed to make backup and recovery impossible.

Be on the lookout for entire folders that have disappeared from their normal locations. For example, if your “Family Photos” folder is suddenly gone from Documents, it may have been deleted or moved by ransomware.

Scan with antivirus software

Antivirus software can often detect known strains of ransomware before or during encryption. Run a full system scan to check for signs of malware. The antivirus may be able to identify the ransomware based on behavior patterns or known signatures.

Cloud-aware antivirus tools that leverage threat data from across customer bases have an advantage in discovering new ransomware strains. Make sure any local antivirus software you use has cloud capabilities built in.

Keep your antivirus updated with the latest definitions to detect new ransomware variants. Schedule regular scans to catch malware early before it has a chance to spread.

Check file extensions

Ransomware commonly targets user documents and media by changing the file extensions during encryption. For example, a file named “budget.xlsx” may become “budget.xlsx.encrypted.” You can often tell which extensions have been affected by doing a search for common media formats.

Some things to look for include “.jpg.encrypted” (images), “.mp4.crypt” (video), “.doc.locky” (Word docs), “.pdf.crypt” (PDFs), and “.vbs.xyz” (scripts). If you see your own files with double extensions like these, ransomware could be responsible.
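The file-name checks from the “Look for suspicious files”, “Check for encryption notifications” and “Check file extensions” sections can be combined into one sweep. This is an added example, not the article’s own tooling: it walks a few assumed user folders and reports files carrying the extensions named above, files with a double extension such as budget.xlsx.encrypted, and files whose names match common ransom-note patterns. The extension and note-name lists are illustrative starting points, not a complete indicator set.

```powershell
# Added example (not from the article): sweep for encrypted-file names and ransom notes.
$roots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Pictures")

$ransomExt   = @('.crypto', '.locky', '.zzzzz', '.xor', '.crypt', '.encrypted')   # from the article
$dataExt     = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.jpg', '.jpeg', '.png', '.mp4', '.vbs')
# Illustrative note-name pattern; "readme.txt" also ships with legitimate software, so review hits.
$notePattern = '^(readme|_readme|how_to_decrypt|decrypt_instructions|restore-my-files|recover).*\.(txt|html|hta)$'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $name   = $_.Name.ToLowerInvariant()
        $ext    = $_.Extension.ToLowerInvariant()
        $reason = $null
        if ($ransomExt -contains $ext) {
            $reason = 'known ransomware extension'
        } elseif ($name -match $notePattern) {
            $reason = 'possible ransom note'
        } else {
            # Double extension: a data extension sitting just before the final one,
            # e.g. budget.xlsx.encrypted or photo.jpg.abcd
            $inner = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
            if ($inner -and ($dataExt -contains $inner) -and ($ext -ne $inner)) {
                $reason = "double extension ($inner$ext)"
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Path     = $_.FullName
                Modified = $_.LastWriteTime
                Reason   = $reason
            }
        }
    }
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
"$(@($findings).Count) suspicious item(s) found"
```

Sorting by modification time matters: ransomware encrypts in a burst, so the real hits cluster within a few minutes of each other, while a stray backup.tar.crypt from years ago sits alone at the bottom.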

Check network shares

Ransomware often seeks out network shares and mapped drives to encrypt files. If you keep important data on shared storage, check for signs of encryption across mapped and unmapped drives. Open folders and try accessing a sample of files stored there.

If network shares are accessible but files are corrupted or inaccessible, the storage may be compromised. This can indicate a wider ransomware infection impacting your organization at scale.

Test system restore

Windows has a built-in System Restore feature that can roll back changes made by ransomware. Try restoring your computer to a restore point from before the infection to see if files revert to their original state.

If System Restore is successful, you can keep the restored copy offline to prevent reinfection while cleaning the live system. Just be aware that some sophisticated ransomware strains disable Windows System Restore to prevent this kind of remediation.
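Before relying on System Restore, confirm that restore points and Volume Shadow Copies still exist. The following is an added example, not from the article: it lists both, and an empty result on a machine that normally has them is itself an indicator, because deleting them is a common ransomware step. Get-ComputerRestorePoint is a Windows PowerShell 5.1 cmdlet (not available in PowerShell 7), and both queries need an elevated prompt.

```powershell
# Added example (not from the article): inventory restore points and shadow copies.
$points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
if ($points) {
    $points |
        Select-Object SequenceNumber, Description,
            @{n='Created'; e={ [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }} |
        Format-Table -AutoSize
} else {
    Write-Warning 'No restore points found: System Restore may be disabled, or the points were deleted.'
}

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
"$(@($shadows).Count) volume shadow copies present"
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize

# Whether System Restore is switched on for the system drive at all.
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
"System Restore disabled by policy/setting: " + $(if ($cfg.DisableSR -eq 1) { 'yes' } else { 'no' })
```

If shadow copies are gone, check recent process-creation events for vssadmin or wbadmin invocations (see the security-log section below); the deletion usually leaves a trace even when the copies themselves do not.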

Check for encryption in the registry

Sophisticated ransomware threats may encrypt the Windows registry keys related to files and folders. This prevents the operating system from properly associating file extensions like JPG or DOC with their appropriate applications.

Look for registry keys like HKLM\Software\Classes containing random characters to identify this kind of attack. You can often correct these changes by restoring from a registry backup or resetting file associations.
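One concrete way to test whether file associations are still intact, added here as an example and not taken from the article: for a sample of data extensions, read the default value under HKLM:\SOFTWARE\Classes, confirm the ProgID it points to actually exists, and flag ProgIDs that look like random character strings. The extension list is an assumption; per-user overrides live under HKCU:\Software\Classes and should be checked the same way.

```powershell
# Added example (not from the article): sanity-check file associations in the registry.
$exts = '.doc', '.docx', '.xls', '.xlsx', '.pdf', '.jpg', '.png', '.txt'   # assumed sample

foreach ($ext in $exts) {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    if (-not (Test-Path $key)) { "{0,-6} extension key missing" -f $ext; continue }

    # The default value of the extension key names the ProgID (e.g. Word.Document.12).
    $progId = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { "{0,-6} no default ProgID" -f $ext; continue }

    $exists      = Test-Path "HKLM:\SOFTWARE\Classes\$progId"
    # Real ProgIDs are dotted names such as Word.Document.12 or txtfile; a bare run of
    # lowercase letters and digits with no dot or underscore is worth a second look.
    $looksRandom = ($progId -match '^[a-z0-9]{8,}$') -and ($progId -notmatch '[._]')
    '{0,-6} -> {1,-30} exists={2} random_looking={3}' -f $ext, $progId, $exists, $looksRandom
}
```

Restoring associations is safer from a known-good registry export or by reinstalling the owning application than by hand-editing keys, and the same check rerun afterwards confirms the repair.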

Review scheduled tasks

Ransomware commonly creates scheduled tasks to persist on infected systems. Review the task scheduler under Control Panel > System and Security > Administrative Tools for anything suspicious.

Look for unfamiliar scheduled tasks set to run on startup or on a recurring basis. Malware often uses names like “Windows Defender” or “System Update” to hide these tasks in plain sight.
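The same review in PowerShell, as an added example rather than code from the article: list every scheduled task that is not Microsoft-authored and not in the \Microsoft\ task folder, together with its triggers and the exact command it runs, then highlight actions that execute from user-writable locations. A task called “Windows Defender” whose action launches something from AppData is immediately visible this way.

```powershell
# Added example (not from the article): review non-Microsoft scheduled tasks.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Author -notlike 'Microsoft*' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions have Execute/Arguments; COM-handler actions are skipped below.
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                Author   = $task.Author
                State    = $task.State
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Execute  = $action.Execute
                Args     = $action.Arguments
            }
        }
    } |
    Where-Object { $_.Execute }

$tasks | Sort-Object Task | Format-Table -AutoSize -Wrap

# Tasks whose command line points at user-writable or unusual locations deserve priority.
"--- actions from user-writable locations ---"
$tasks |
    Where-Object { ("$($_.Execute) $($_.Args)") -match 'AppData|\\Temp\\|ProgramData|\\Users\\Public|\\Downloads' } |
    Format-Table Task, Execute, Args -AutoSize -Wrap
```

Trigger names such as LogonTrigger, BootTrigger or DailyTrigger tell you the persistence pattern; a task with a hidden-looking name, a recent registration time (event 106 in Microsoft-Windows-TaskScheduler/Operational) and a LogonTrigger running a script from %TEMP% is the combination to escalate.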

Check browser settings

Some forms of ransomware hijack web browsers by modifying settings like the homepage and default search engine. Check your browser settings to see if any unwanted changes have been made.

Watch out for new toolbars, plugins, or unwanted extensions that could point to a browser-based ransomware infection designed to steal data.

Monitor the network

Monitor network traffic for signs of the ransomware communicating with command and control servers. Unusual spikes in traffic or strange connections could indicate malware phoning home.

Use an intrusion detection system to watch for suspicious DNS requests, packet destinations, and other red flag network behavior associated with ransomware strains.
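Even without a dedicated IDS, a host-side view of who is talking to whom is quick to get. The following is an added example, not from the article: it lists established outbound TCP connections to non-private addresses with the owning process and its path, and then pulls names from the local DNS cache that look like long random labels. RFC 1918, loopback and link-local ranges are excluded; IPv6 peers are skipped for brevity.

```powershell
# Added example (not from the article): outbound connections with owning process, plus odd DNS names.
function Test-PrivateAddress {
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $true }   # unparsable: skip
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $true }  # IPv6: skip
    $b = $addr.GetAddressBytes()
    return (($b[0] -eq 10) -or ($b[0] -eq 127) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 169 -and $b[1] -eq 254))
}

Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = $proc.ProcessName
            PID       = $_.OwningProcess
            Path      = $proc.Path
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            LocalPort = $_.LocalPort
        }
    } |
    Sort-Object Process |
    Format-Table -AutoSize

# Recently resolved names: a leading label of 16+ random-looking characters is
# typical of algorithmically generated C2 domains and worth checking.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match '^[a-z0-9]{16,}\.' } |
    Select-Object Entry, Data |
    Format-Table -AutoSize
```

Cross-reference the Path column with the process check earlier on the page: a connection owned by a binary outside Program Files is a stronger signal than an unknown remote address on its own, since browsers and updaters legitimately reach many external hosts.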

Check security logs

Dig into Windows event logs and other security logs from firewalls or intrusion detection systems for activity tied to ransomware execution. Successful logins, process execution, and file activities may reveal ransomware behaviors.

PowerShell, WMI, and RDP are components ransomware operators commonly use, so their logs are where the evidence tends to be. Make sure logging is enabled for each of them to aid in detection.
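The following is an added example, not from the article, that turns the advice above into a query: it checks whether PowerShell script block logging and process-creation auditing are switched on, counts the relevant events over an assumed 24-hour window, lists RDP (logon type 10) logons with their source address, and searches recent script blocks for shadow-copy or boot-configuration tampering. The event IDs and log names are Windows’ documented ones; run elevated so the Security log is readable.

```powershell
# Added example (not from the article): confirm logging is on and query the relevant events.
$since = (Get-Date).AddHours(-24)   # assumed window

# 1. PowerShell script block logging (policy value 1 = enabled).
$sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
"Script block logging: " + $(if ($sbl.EnableScriptBlockLogging -eq 1) { 'ENABLED' } else { 'not enabled' })

# 2. Process-creation auditing (needed for Security event 4688).
auditpol /get /subcategory:"Process Creation"

# 3. Event volume per source over the window.
$queries = @(
    @{ Name='Process creation'; Log='Security';                                   Id=4688 },
    @{ Name='Logons';           Log='Security';                                   Id=4624 },
    @{ Name='PowerShell block'; Log='Microsoft-Windows-PowerShell/Operational';   Id=4104 },
    @{ Name='WMI consumer reg'; Log='Microsoft-Windows-WMI-Activity/Operational'; Id=5861 }
)
foreach ($q in $queries) {
    $events = Get-WinEvent -FilterHashtable @{ LogName=$q.Log; Id=$q.Id; StartTime=$since } -ErrorAction SilentlyContinue
    "{0,-18} {1,6} event(s)" -f $q.Name, @($events).Count
}

# 4. RDP logons only (LogonType 10): user and source address per event.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
            User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } |
    Where-Object LogonType -eq '10' |
    Format-Table -AutoSize

# 5. Script blocks that touch shadow copies, backups or boot recovery settings.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin|Win32_ShadowCopy|wbadmin|bcdedit' } |
    Select-Object TimeCreated, @{n='Snippet'; e={ $_.Message.Substring(0, [math]::Min(120, $_.Message.Length)) }} |
    Format-Table -AutoSize -Wrap
```

A count of zero for 4688 or 4104 usually means the auditing is off rather than that nothing happened; fix that first, since the rest of the query has nothing to work with otherwise.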

Look for service disruptions

Ransomware that successfully targets public-facing apps or infrastructure may cause service disruptions for users. Watch for problems with public-facing websites, databases, load balancers and other IT assets accessible over the network.

If services start failing with no explanation, check for ransomware disrupting components like web servers, databases, or network devices.

Examine user reports

Your users are your first line of defense against ransomware outbreaks. Listen to any reports from employees about system problems, access issues, or suspicious behavior. Prompt user notification can alert IT staff to begin remediation sooner.

Document any cases of users suddenly being unable to open files or access systems. Even one or two reports could be the canary in the coal mine signaling a broader attack.

Analyze file properties

Inspecting file properties may reveal subtle changes made by ransomware during encryption. Compare properties like file size, creation date, and modification date against previous values.

Unexpected changes to these timestamps or unexplained increases in file size can indicate malicious encryption. Make sure to check both individual files and folder properties across the system.
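Timestamps are most telling in aggregate. The following is an added example, not from the article: it groups recently modified files by the minute of their last write and prints the busiest minutes. A person edits a handful of files an hour; an encryptor rewrites hundreds in the same minute, and that spike is visible directly in the histogram. The scope and time window are assumptions.

```powershell
# Added example (not from the article): find write bursts and recreated files.
$Root  = "$env:USERPROFILE"   # assumed scope
$Hours = 24                    # assumed window

$recent = Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$Hours) }

"--- busiest minutes by file modifications ---"
$recent |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count,
        @{n='Folders'; e={ ($_.Group | ForEach-Object DirectoryName | Sort-Object -Unique | Select-Object -First 3) -join '; ' }} |
    Format-Table -AutoSize -Wrap

# Files whose CreationTime is newer than their LastWriteTime were created in place by
# copying (the copy keeps the old write time). A few are normal; hundreds in one
# folder tree in the same minute match the write-new-file-then-delete-original
# pattern some encryptors use.
"--- recently created files carrying an older write time ---"
$recent |
    Where-Object { $_.CreationTime -gt $_.LastWriteTime -and $_.CreationTime -gt (Get-Date).AddHours(-$Hours) } |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize
```

Run the same script against a mapped network share by changing $Root, which also covers the network-share check earlier on the page.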

Scan with dedicated decryption tools

Security companies often release free ransomware scanning tools that can identify and reverse specific strains after they emerge. Look up decryption tools for the known ransomware families affecting your industry to potentially unlock files.

Decryption tools should be used in addition to traditional antivirus scans to uncover ransomware missed by standard signatures. However, they can only decrypt files if the ransomware strain has had its method cracked.

Check backup integrity

One sign of a sophisticated ransomware attack is compromised backups. Check that files in your backup haven’t been corrupted or deleted before attempting to recover from any incident.

Spot checking backup integrity can reveal whether ransomware has penetrated this layer of protection. Maintain offline backups that network-based ransomware cannot reach and encrypt.
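Spot checks scale poorly; a hash manifest makes the integrity check exact. The following is an added example, not from the article: one function records the SHA-256 of every file in a backup set, the other verifies the set against that record and reports files that are missing, rewritten, or newly appeared (a dropped ransom note shows up in the last category). Paths are assumptions, and the manifest should be stored on media the backup host cannot write to, otherwise an attacker who can rewrite the backup can rewrite the manifest too.

```powershell
# Added example (not from the article): SHA-256 manifest for a backup set.
function New-BackupManifest {
    param([string]$BackupRoot, [string]$ManifestPath)
    Get-ChildItem -Path $BackupRoot -File -Recurse |
        ForEach-Object {
            $rel  = $_.FullName.Substring($BackupRoot.Length).TrimStart('\')
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            '{0}|{1}' -f $rel, $hash
        } |
        Set-Content -Path $ManifestPath -Encoding UTF8
}

function Test-BackupManifest {
    param([string]$BackupRoot, [string]$ManifestPath)
    $problems = @()
    $known    = @{}
    foreach ($line in Get-Content -Path $ManifestPath) {
        $rel, $hash = $line -split '\|', 2
        $known[$rel] = $true
        $full = Join-Path $BackupRoot $rel
        if (-not (Test-Path $full -PathType Leaf)) {
            $problems += [pscustomobject]@{ File=$rel; Problem='missing' }
            continue
        }
        $actual = (Get-FileHash -Path $full -Algorithm SHA256).Hash
        if ($actual -ne $hash) {
            $problems += [pscustomobject]@{ File=$rel; Problem='hash mismatch (rewritten?)' }
        }
    }
    # Files present now that the manifest never saw: new additions or dropped notes.
    Get-ChildItem -Path $BackupRoot -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($BackupRoot.Length).TrimStart('\')
        if (-not $known.ContainsKey($rel)) {
            $problems += [pscustomobject]@{ File=$rel; Problem='not in manifest' }
        }
    }
    return $problems
}

# Usage with assumed, placeholder paths: take the manifest right after a verified
# backup and run the test before trusting the set for a restore.
# New-BackupManifest  -BackupRoot 'E:\Backups\<set>' -ManifestPath 'F:\manifest-<set>.txt'
# Test-BackupManifest -BackupRoot 'E:\Backups\<set>' -ManifestPath 'F:\manifest-<set>.txt' | Format-Table
```

An empty result from Test-BackupManifest is the only “pass”; any hash mismatch on a backup that is supposed to be immutable means the storage was writable by something it should not have been, which is a finding in itself.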

How to prevent ransomware

In addition to rapid detection, organizations need layered defenses to prevent ransomware from taking hold in the first place:

Keep systems patched and updated

Patch operating systems, software, and firmware regularly to eliminate vulnerabilities ransomware can exploit to gain access.

Exercise caution with email

Advise employees to avoid opening attachments from unknown senders, as phishing is a common ransomware attack vector.

Enable macros cautiously

Only enable macros in documents from trusted sources. Macros are sometimes used to download ransomware onto systems.

Install reputable antivirus

Protect endpoints and servers with antivirus software from trustworthy vendors like Symantec, Malwarebytes, and Kaspersky.

Segment the network

Prevent ransomware from spreading by isolating critical systems, backups, databases, and file shares on separate network segments.

Disable RDP if not needed

Disable Remote Desktop Protocol if it is not required. Ransomware often brute forces RDP to gain network access.

Enforce least privilege

Only give users the minimal permissions required to do their jobs to limit damage if credentials are compromised.

Educate users

Conduct security awareness training to teach employees how to identify social engineering attacks and unsafe usage.

Take offline backups

Maintain recent backups offline, disconnected from the network, so you retain access to your data if encryption occurs.

Disable SMBv1 (the WannaCry vector)

The WannaCry ransomworm leveraged vulnerabilities in SMBv1 to spread. Disable SMBv1 where possible.
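The two exposure points named in this list, SMBv1 here and RDP under “Disable RDP if not needed”, can be checked and closed from one elevated PowerShell session. The following is an added example, not from the article; the RDP decision is left as an assumed variable because on many servers RDP is how administrators reach the box, and the alternative branch enforces Network Level Authentication instead.

```powershell
# Added example (not from the article): verify and disable SMBv1; disable or harden RDP.

# --- SMBv1: optional-feature state and the SMB server setting ---
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# Turn it off at the server setting and remove the feature (reboot completes removal).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# --- RDP: current state (fDenyTSConnections = 1 means disabled) ---
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp   = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
"RDP currently " + $(if ($rdp.fDenyTSConnections -eq 1) { 'disabled' } else { 'ENABLED' })

$disableRdp = $false   # assumed decision: set to $true where RDP is not required
if ($disableRdp) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    # Keep RDP but require Network Level Authentication, so unauthenticated clients
    # never reach the logon screen that brute-force tools depend on.
    Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
}
```

Rerun the two “current state” queries after a reboot to confirm the change stuck; group policy can silently re-enable either setting, so the check belongs in routine configuration auditing, not just incident response.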

Conclusion

Ransomware can be tricky to detect due to evolving tactics that help it fly under the radar. Watch for the indicators covered here like suspicious files, encryption notifications, and encryption across network shares and connected drives.

Combine ransomware scans using antivirus software with monitoring for unusual network traffic, system changes, and service disruptions. The sooner you can catch ransomware, the better chance you have of stopping data loss.

Implement layered defenses to prevent ransomware from gaining a foothold. Security awareness training, least privilege policies, patching, backups, and segmentation all help limit the blast radius of attacks. With vigilance and proper precautions, you can minimize the business impact of ransomware.