What is a common indicator of a ransomware attack?

Ransomware attacks have become increasingly common in recent years. Ransomware is a type of malicious software that encrypts files on a device and demands payment in order to decrypt them. These attacks can be devastating for individuals and organizations. Knowing the common indicators of a ransomware attack can help identify when an attack is occurring and potentially prevent some of the damage. This article will provide an overview of ransomware and describe some of the typical signs that a ransomware infection has taken place.

Table of Contents

What is Ransomware?

Ransomware is a form of malware that blocks access to a computer system or data until a ransom is paid. It works by encrypting files so they cannot be accessed without a decryption key. Here are some key facts about ransomware:

Prevents users from accessing their systems and data until a ransom demand is met

Encrypts files, making them inaccessible without the decryption key
Demands payment, usually in cryptocurrency like Bitcoin, in exchange for the key
Can target individuals, businesses, hospitals, and government systems

Attacks have increased dramatically in recent years

Ransomware is considered extortion because it holds systems and data hostage until payment is received. It is deployed through various vectors, like phishing emails, infected websites, and compromised remote desktop protocols. The goal is to infect as many systems as possible and disrupt operations to maximize ransom payments.

Costs and Impacts of Ransomware

Ransomware attacks can be extremely costly and disruptive:

Average ransom payment was $170,404 in 2020
Downtime lasts on average 23 days per attack
U.S. costs estimated at over $7.5 billion in 2019

Loss of irreplaceable data
Reputational harm and loss of customer trust

In addition to the ransom, the downtime, business disruption, and recovery costs related to an attack can be severe. Attacks against critical infrastructure like hospitals can also put lives at risk.

Common Indicators of a Ransomware Attack

There are a number of signs that may indicate ransomware activity on a system. Being aware of these indicators can help identify an attack in progress and potentially limit the damage:

Inaccessible files and data

One of the most obvious indicators of ransomware is finding that files and data are suddenly inaccessible. Users may receive messages that their files are encrypted when trying to open them. Ransom notes with payment demands will often be left on infected systems.

Renamed files

Encrypted files are commonly renamed by ransomware variants. File extensions may be changed to .encrypted, .locked, .crjoker, or other extensions appended to the filenames. This helps attackers identify which files have been encrypted.

Increase in disk activity

Ransomware uses significant disk activity to encrypt files, which can noticeably slow down system performance. Unusually high disk usage observed in task manager or other system monitors can indicate ransomware behavior.

Ransom notes

Most ransomware leaves ransom notes on infected systems with instructions on how to pay the ransom to recover files. Notes are usually left as text files on the desktop, drives, or program splash screens.

Strange network activity

Some ransomware calls out to command and control servers run by the attackers for encryption keys and other instructions. This communication produces unusual connection attempts observed in firewall and other network logs.

Disabled system recovery

To make recovery difficult, some ransomware shuts down System Restore or other recovery options on a system to prevent files from being rolled back. Disabled recovery tools may indicate ransomware is present.

Crashing programs and services

Encryption activity can disrupt legitimate system processes and programs. Apps and services crashing unexpectedly may be caused by ransomware encrypting critical files they require.

Presence of ransomware files

Files used by ransomware can be detected through monitoring carefully for file types commonly used by known ransomware variants. Examples include README_FOR_DECRYPT files, .crypt and .locky extensions, and Tor proxy tools.

Attempts to delete volume shadow copies

Some advanced ransomware like CryptoLocker will attempt to delete an operating system’s volume shadow copies to prevent restore options. Monitoring for deletion of volume shadow copies can provide early warning.

Protecting Against Ransomware

There are several best practices to help defend against ransomware attacks:

Keep all systems patched and up-to-date

Exercise caution with links and attachments
Avoid browsing risky sites and downloads
Use ad blockers to avoid malicious ads

Enable antivirus and anti-malware tools
Train employees through ransomware education
Back up data regularly

Control access through least privilege
Segment networks to limit spread
Disable remote desktop protocol (RDP) if not needed

Applying cybersecurity fundamentals goes a long way toward prevention. Attack surface should also be minimized through measures like limiting administrative rights, using unique strong passwords, and disabling unneeded services.

Responding to Ransomware Attacks

If ransomware is detected, it is important to respond quickly to limit damage:

Disconnect infected systems from networks immediately

Determine the variant if possible and sources of infection
Check for additional infections and secure backups
Report to appropriate parties like leadership and authorities

Eradicate ransomware from any infected systems
Restore encrypted files from clean backups if available
Install OS and software updates before reconnecting systems

Initiate incident response procedures
Conduct a post-incident review to identify and correct any weaknesses

Paying the ransom should be an absolute last resort. There are no guarantees files will be recovered, and it encourages further attacks.

Using Online Backups to Recover from Ransomware

Maintaining regular offline backups is key to recovering files after a ransomware attack without paying the ransom. However, online cloud backups also have benefits:

Accessible from anywhere with an internet connection
Scalable to any amount of data

Automated backup scheduling
Support for file versioning and snapshots
Encryption and access controls for security

The right online backup service will provide build-in security measures like encryption, role-based access controls, and version rollback to assist in ransomware recovery. Backups should be tested regularly to verify recovery readiness.

Should Ransom Be Paid to Recover Data?

There is significant debate regarding whether ransom payments should ever be made. Considerations include:

Paying encourages more attacks and funds criminal enterprises

There are no guarantees files will be recovered
Other recovery options like backups may be available
Ransom demands may increase if victims are known to pay

Payments may violate organizational policies or laws
Funds support other criminal activity
Loss of files may critically impact operations

Data may be irreplaceable with no backup options
Reputational harm and liability from data exposure

In most cases, payment should be a last resort. However, if backups are not available and data loss will significantly harm the organization, payment may be considered. This decision should involve senior leadership, legal counsel, and stakeholders.

Reporting Ransomware Attacks to Authorities

If a ransomware attack occurs, reporting it to the appropriate authorities can help mitigate and prevent future attacks:

Alerts agencies to emerging threats
May lead to arrests or disruption of ransomware networks

Provides data to help combat ransomware
Reporting is often legally required
Can help obtain government assistance with recovery

Warnings can be shared in the business community
Information sharing aids cybercrime prevention

Incidents should be reported to the FBI or Secret Service through local offices or the IC3 complaint site. Reporting assists law enforcement efforts to pursue and prosecute cyber criminals.

Using Threat Intelligence to Detect Ransomware

Threat intelligence provides insights into indicators of compromise associated with ransomware variants based on the MITRE ATT&CK framework tactics and techniques. Examples of threat intelligence data that can help ransomware detection include:

Known malicious IP addresses and domains
Malicious file hashes

Phishing email sender addresses
Subjects and content of phishing emails
Names of malicious files dropped during installation

Processes run during ransomware execution
Directories and registry keys modified
Network connections made to C2 servers

By ingesting quality threat intelligence into security tools like firewalls, SIEMs, and endpoint detection and response (EDR), organizations can block and detect known indicators of ransomware faster. Up-to-date threat intelligence paired with behavior monitoring helps identify zero day and file-less attacks.

Using File Integrity Monitoring to Detect Ransomware

File integrity monitoring (FIM) helps detect ransomware infections by alerting on unauthorized changes to critical files, directories, and configurations. FIM works by creating a baseline of normal state and then sending alerts for potentially malicious changes such as:

Modifications of important executables and configuration files

New startup folder items or scheduled tasks
Service creation or binary replacement
Unexpected privilege escalation attempts

Disabling of security tools
Clearing of event logs
Shadow copy deletion

Mass file type changes detected

By implementing FIM monitoring and policies customized to detect common ransomware behaviors, organizations gain an important layer of protection and detection.

Ransomware Mitigation Using Software Restriction Policies

Software restriction policies (SRPs) can be implemented to block and control applications from executing in ways that enable ransomware infections. Examples include:

Blacklisting file types commonly abused like .exe, .dll, .js, etc.
Whitelisting only authorized apps like office suites and excluding high-risk software
Restricting execution from Temporary folders

Limiting write access to protected folders like Program Files and Windows
Blocking execution from AppData and Downloads
Requiring digital signatures on whitelisted applications

Preventing PowerShell execution from Office applications

SRPs provide important policy enforcement on Windows platforms to reduce attack surface. However, effective implementation requires planning to avoid business disruption. SRPs should be part of a defense-in-depth security strategy.

Isolating Systems Critical to Operations

Isolating critical systems from general business networks can limit ransomware spread:

Air-gapped systems for sensitive data like medical records, PII, and financial information
Unidirectional gateways to allow limited data transfers
Separate VLANs for essential infrastructure like DNS and authentication servers

Restricting direct internet access and enabling proxies
Allowlisting applications and connections
Minimizing unilateral network connections between zones

While adding complexity, properly segmenting networks limits lateral movement and damage if infections occur. This aligns with a Zero Trust approach and least privilege access principles.

Detecting Ransomware with Canary Files

Canary files are hidden files planted across systems that alert if accessed or modified. Since ransomware recursively encrypts files, accessing a canary file signals malicious activity. Canary use cases include:

Creating files with .canary extensions

Generating alerts if canary files change
Strategically placing canary files in each directory
Naming files to blend in with other documents

Scripting restoration of files if changed
Embedding in depth across directories
Tuning for minimal false positives

Canary files provide alerts at early stages of encryption before significant damage. However, maintenance is required to ensure files are restored after alerts.

Leveraging File Backups to Recover from Ransomware

Having recent backups of critical files enables recovery of encrypted data without paying the ransom. Effective backup practices include:

Daily incremental backups combined with weekly fulls

Storing backups offline and detached from networks
Backup verification through test restores
Encrypting backup data

Ensuring versioning with previous points-in-time
Application-consistent snapshots
Prioritizing backups of mission critical data

Creating recovery documentation and testing

While backups require planning, storage, and testing, they provide the best insurance against ransomware preventing business disruption.

User Training to Detect Ransomware Phishing Attempts

Phishing emails are a common ransomware infection vector. User security training helps employees identify and report suspicious messages before they compromise systems, including:

Highlighting ransomware trends, techniques, and impacts
Building awareness around social engineering
Teaching how to identify suspicious links and attachments

Reporting warning signs like urgency and threats
Emphasizing verification procedures like hovering over hyperlinks
Covering cybersafety at work and at home

Ensuring clear escalation procedures
Familiarizing IT staff with remediation steps
Reinforcing training messages through simulated phishing tests

Ongoing user education combined with technology like email filtering maximizes human firewall effectiveness.

Conclusion

Ransomware represents a serious threat to individuals, businesses, and government entities. Recognizing common indicators of compromise is critical to detecting and responding to attacks quickly to limit damage. Implementing layered defenses through technologies like anti-malware, backups, network segmentation, and system policies reduces risk. But user vigilance through education is equally important. Ransomware recovery should focus on leveraging backups before contemplating payments. With the right preparation and training, organizations can manage ransomware risks and impacts effectively.