Ransomware attacks have become increasingly common in recent years. Ransomware is a type of malicious software that encrypts files on a device and demands payment in order to decrypt them. These attacks can be devastating for individuals and organizations. Knowing the common indicators of a ransomware attack can help identify when an attack is occurring and potentially prevent some of the damage. This article will provide an overview of ransomware and describe some of the typical signs that a ransomware infection has taken place.
What is Ransomware?
Ransomware is a form of malware that blocks access to a computer system or data until a ransom is paid. It works by encrypting files so they cannot be accessed without a decryption key. Here are some key facts about ransomware:
- Prevents users from accessing their systems and data until a ransom demand is met
- Encrypts files, making them inaccessible without the decryption key
- Demands payment, usually in cryptocurrency like Bitcoin, in exchange for the key
- Can target individuals, businesses, hospitals, and government systems
- Attacks have increased dramatically in recent years
Ransomware is considered extortion because it holds systems and data hostage until payment is received. It is deployed through various vectors, like phishing emails, infected websites, and compromised Remote Desktop Protocol (RDP) access. The goal is to infect as many systems as possible and disrupt operations to maximize ransom payments.
Costs and Impacts of Ransomware
Ransomware attacks can be extremely costly and disruptive:
- Average ransom payment was $170,404 in 2020
- Downtime lasts on average 23 days per attack
- U.S. costs estimated at over $7.5 billion in 2019
- Loss of irreplaceable data
- Reputational harm and loss of customer trust
In addition to the ransom, the downtime, business disruption, and recovery costs related to an attack can be severe. Attacks against critical infrastructure like hospitals can also put lives at risk.
Common Indicators of a Ransomware Attack
There are a number of signs that may indicate ransomware activity on a system. Being aware of these indicators can help identify an attack in progress and potentially limit the damage:
Inaccessible files and data
One of the most obvious indicators of ransomware is finding that files and data are suddenly inaccessible. Users may receive messages that their files are encrypted when trying to open them. Ransom notes with payment demands will often be left on infected systems.
Encrypted files are commonly renamed by ransomware variants. File extensions may be changed to .encrypted, .locked, .crjoker, or other extensions appended to the filenames. This helps attackers identify which files have been encrypted.
Increase in disk activity
Ransomware uses significant disk activity to encrypt files, which can noticeably slow down system performance. Unusually high disk usage observed in Task Manager or other system monitors can indicate ransomware behavior.
Ransom notes
Most ransomware leaves ransom notes on infected systems with instructions on how to pay the ransom to recover files. Notes are usually left as text files on the desktop, drives, or program splash screens.
Strange network activity
Some ransomware calls out to command and control servers run by the attackers for encryption keys and other instructions. This communication shows up as unusual connection attempts in firewall and other network logs.
Disabled system recovery
To make recovery difficult, some ransomware shuts down System Restore or other recovery options on a system to prevent files from being rolled back. Disabled recovery tools may indicate ransomware is present.
Crashing programs and services
Encryption activity can disrupt legitimate system processes and programs. Apps and services crashing unexpectedly may be caused by ransomware encrypting critical files they require.
Presence of ransomware files
Files used by ransomware can be detected by monitoring for file names and types associated with known ransomware variants. Examples include README_FOR_DECRYPT files, .crypt and .locky extensions, and Tor proxy tools.
Attempts to delete volume shadow copies
Some advanced ransomware like CryptoLocker will attempt to delete an operating system’s volume shadow copies to prevent restore options. Monitoring for deletion of volume shadow copies can provide early warning.
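As an added example (not code from the original article), the following Python sketch turns two of the indicators above, mass renaming of files to ransomware-style extensions and deletion of volume shadow copies, into detection logic run over constructed endpoint telemetry. The event layout, process names, suffix watchlist, and alert threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Suffixes the article names as typical of encrypted files (constructed watchlist).
SUSPICIOUS_EXTS = {".encrypted", ".locked", ".crjoker", ".crypt", ".locky"}
RENAME_THRESHOLD = 3  # renames to a watched suffix by one process before alerting
# Command-line pattern behind most shadow-copy deletion detections (ATT&CK T1490).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample endpoint telemetry (not real logs): one dict per event.
SAMPLE_EVENTS = [
    {"type": "rename", "pid": 4242, "image": "svc.exe",
     "old": r"C:\Users\a\Documents\q1.xlsx", "new": r"C:\Users\a\Documents\q1.xlsx.locked"},
    {"type": "rename", "pid": 4242, "image": "svc.exe",
     "old": r"C:\Users\a\Documents\plan.docx", "new": r"C:\Users\a\Documents\plan.docx.locked"},
    {"type": "rename", "pid": 900, "image": "editor.exe",
     "old": r"C:\Users\a\notes.txt", "new": r"C:\Users\a\notes.md"},
    {"type": "rename", "pid": 4242, "image": "svc.exe",
     "old": r"C:\Users\a\Pictures\dog.jpg", "new": r"C:\Users\a\Pictures\dog.jpg.locked"},
    {"type": "process", "pid": 4243, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows"},
]

def extension(path):
    """Return the lower-cased final suffix of a Windows or POSIX path, or '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""

def analyze(events, threshold=RENAME_THRESHOLD):
    """Return alerts: one per shadow-copy deletion command seen, then one per process
    that renamed at least `threshold` files to a watched suffix."""
    suspicious = defaultdict(list)  # pid -> new paths carrying a watched suffix
    alerts = []
    for ev in events:
        if ev["type"] == "rename" and extension(ev["new"]) in SUSPICIOUS_EXTS:
            suspicious[ev["pid"]].append(ev["new"])
        elif ev["type"] == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            alerts.append({"rule": "shadow_copy_deletion", "pid": ev["pid"], "image": ev["image"]})
    for pid, paths in suspicious.items():
        if len(paths) >= threshold:
            alerts.append({"rule": "mass_rename", "pid": pid, "count": len(paths),
                           "extensions": sorted({extension(p) for p in paths})})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The benign rename by editor.exe produces no alert, which is the point of keying on both the suffix watchlist and a per-process count rather than on renames alone.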
Protecting Against Ransomware
There are several best practices to help defend against ransomware attacks:
- Keep all systems patched and up-to-date
- Exercise caution with links and attachments
- Avoid browsing risky sites and downloads
- Use ad blockers to avoid malicious ads
- Enable antivirus and anti-malware tools
- Train employees through ransomware education
- Back up data regularly
- Control access through least privilege
- Segment networks to limit spread
- Disable remote desktop protocol (RDP) if not needed
Applying cybersecurity fundamentals goes a long way toward prevention. Attack surface should also be minimized through measures like limiting administrative rights, using unique strong passwords, and disabling unneeded services.
Responding to Ransomware Attacks
If ransomware is detected, it is important to respond quickly to limit damage:
- Disconnect infected systems from networks immediately
- Determine the variant, if possible, and the source of infection
- Check for additional infections and secure backups
- Report to appropriate parties like leadership and authorities
- Eradicate ransomware from any infected systems
- Restore encrypted files from clean backups if available
- Install OS and software updates before reconnecting systems
- Initiate incident response procedures
- Conduct a post-incident review to identify and correct any weaknesses
Paying the ransom should be an absolute last resort. There are no guarantees files will be recovered, and it encourages further attacks.
Using Online Backups to Recover from Ransomware
Maintaining regular offline backups is key to recovering files after a ransomware attack without paying the ransom. However, online cloud backups also have benefits:
- Accessible from anywhere with an internet connection
- Scalable to any amount of data
- Automated backup scheduling
- Support for file versioning and snapshots
- Encryption and access controls for security
The right online backup service will provide built-in security measures like encryption, role-based access controls, and version rollback to assist in ransomware recovery. Backups should be tested regularly to verify recovery readiness.
Should Ransom Be Paid to Recover Data?
There is significant debate regarding whether ransom payments should ever be made. Considerations include:
- Paying encourages more attacks and funds criminal enterprises
- There are no guarantees files will be recovered
- Other recovery options like backups may be available
- Ransom demands may increase if victims are known to pay
- Payments may violate organizational policies or laws
- Funds support other criminal activity
- Loss of files may critically impact operations
- Data may be irreplaceable with no backup options
- Reputational harm and liability from data exposure
In most cases, payment should be a last resort. However, if backups are not available and data loss will significantly harm the organization, payment may be considered. This decision should involve senior leadership, legal counsel, and stakeholders.
Reporting Ransomware Attacks to Authorities
If a ransomware attack occurs, reporting it to the appropriate authorities can help mitigate and prevent future attacks:
- Alerts agencies to emerging threats
- May lead to arrests or disruption of ransomware networks
- Provides data to help combat ransomware
- Reporting is often legally required
- Can help obtain government assistance with recovery
- Warnings can be shared in the business community
- Information sharing aids cybercrime prevention
Incidents should be reported to the FBI or Secret Service through local offices or the IC3 complaint site. Reporting assists law enforcement efforts to pursue and prosecute cybercriminals.
Using Threat Intelligence to Detect Ransomware
Threat intelligence provides indicators of compromise associated with ransomware variants, often mapped to MITRE ATT&CK framework tactics and techniques. Examples of threat intelligence data that can help ransomware detection include:
- Known malicious IP addresses and domains
- Malicious file hashes
- Phishing email sender addresses
- Subjects and content of phishing emails
- Names of malicious files dropped during installation
- Processes run during ransomware execution
- Directories and registry keys modified
- Network connections made to C2 servers
By ingesting quality threat intelligence into security tools like firewalls, SIEMs, and endpoint detection and response (EDR), organizations can block and detect known indicators of ransomware faster. Up-to-date threat intelligence paired with behavior monitoring helps identify zero-day and fileless attacks.
Using File Integrity Monitoring to Detect Ransomware
File integrity monitoring (FIM) helps detect ransomware infections by alerting on unauthorized changes to critical files, directories, and configurations. FIM works by creating a baseline of the known-good state and then alerting on potentially malicious deviations such as:
- Modifications of important executables and configuration files
- New startup folder items or scheduled tasks
- Service creation or binary replacement
- Unexpected privilege escalation attempts
- Disabling of security tools
- Clearing of event logs
- Shadow copy deletion
- Mass file type changes
By implementing FIM monitoring and policies customized to detect common ransomware behaviors, organizations gain an important layer of protection and detection.
Ransomware Mitigation Using Software Restriction Policies
Software restriction policies (SRPs) can be implemented to block and control applications from executing in ways that enable ransomware infections. Examples include:
- Blacklisting file types commonly abused like .exe, .dll, .js, etc.
- Whitelisting only authorized apps like office suites and excluding high-risk software
- Restricting execution from temporary folders
- Limiting write access to protected folders like Program Files and Windows
- Blocking execution from AppData and Downloads
- Requiring digital signatures on whitelisted applications
- Preventing PowerShell execution from Office applications
SRPs provide important policy enforcement on Windows platforms to reduce attack surface. However, effective implementation requires planning to avoid business disruption. SRPs should be part of a defense-in-depth security strategy.
Isolating Systems Critical to Operations
Isolating critical systems from general business networks can limit ransomware spread:
- Air-gapped systems for sensitive data like medical records, PII, and financial information
- Unidirectional gateways to allow limited data transfers
- Separate VLANs for essential infrastructure like DNS and authentication servers
- Restricting direct internet access and enabling proxies
- Allowlisting applications and connections
- Minimizing unilateral network connections between zones
While adding complexity, properly segmenting networks limits lateral movement and damage if infections occur. This aligns with a Zero Trust approach and least privilege access principles.
Detecting Ransomware with Canary Files
Canary files are hidden files planted across systems that alert if accessed or modified. Since ransomware encrypts files recursively, any access to or modification of a canary file signals malicious activity. Canary practices include:
- Creating files with .canary extensions
- Generating alerts if canary files change
- Strategically placing canary files in each directory
- Naming files to blend in with other documents
- Scripting restoration of files if changed
- Embedding in depth across directories
- Tuning for minimal false positives
Canary files provide alerts at early stages of encryption before significant damage. However, maintenance is required to ensure files are restored after alerts.
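The FIM baseline described earlier and the canary files described here rest on the same mechanism, so the following added Python example (not code from the original article) covers both: it plants canary documents in monitored folders, records their size and SHA-256 as the known-good baseline, and reports files that were modified, deleted, or renamed with an appended suffix. The canary names, the canary body, and the throwaway-directory demo are assumptions made for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CANARY_NAMES = ["000_budget_archive.xlsx", "aaa_contracts_index.docx"]  # constructed: sort first, look ordinary
CANARY_BODY = b"Canary document: any change to this file is an alert, not a work item.\n"

def sha256(path):
    """Hash a file in chunks so large monitored files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_canaries(roots):
    """Drop the canary documents into each monitored directory and return their paths."""
    planted = [Path(root) / name for root in roots for name in CANARY_NAMES]
    for p in planted:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(CANARY_BODY)
    return planted

def build_baseline(paths):
    """Record the FIM 'known good' state: size and SHA-256 of every watched file."""
    return {str(p): {"size": p.stat().st_size, "sha256": sha256(p)} for p in paths}

def check_baseline(baseline):
    """Return one finding per deviation: modified, missing, or renamed (name survives with an appended suffix)."""
    findings = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            survivors = sorted(s.name for s in p.parent.glob(p.name + ".*"))
            findings.append({"path": path, "status": "renamed" if survivors else "missing",
                             "now": survivors})
        elif p.stat().st_size != expected["size"] or sha256(p) != expected["sha256"]:
            findings.append({"path": path, "status": "modified", "now": [p.name]})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Plant, baseline, then simulate one rename and one overwrite inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp) / "Documents", Path(tmp) / "Shared"]
        baseline = build_baseline(plant_canaries(roots))
        clean = check_baseline(baseline)                      # expected: no findings yet
        (roots[0] / CANARY_NAMES[0]).rename(roots[0] / (CANARY_NAMES[0] + ".locked"))
        (roots[1] / CANARY_NAMES[1]).write_bytes(b"\x00" * 64)  # stand-in for encrypted bytes
        return clean, check_baseline(baseline)
```

In production the baseline would be stored off-host and `check_baseline` run on a schedule or from a file-system watcher; a "renamed" finding on a canary is the early-encryption signal the section describes.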
Leveraging File Backups to Recover from Ransomware
Having recent backups of critical files enables recovery of encrypted data without paying the ransom. Effective backup practices include:
- Daily incremental backups combined with weekly fulls
- Storing backups offline and detached from networks
- Backup verification through test restores
- Encrypting backup data
- Ensuring versioning with previous points-in-time
- Application-consistent snapshots
- Prioritizing backups of mission critical data
- Creating recovery documentation and testing
While backups require planning, storage, and testing, they provide the best insurance against the business disruption ransomware causes.
User Training to Detect Ransomware Phishing Attempts
Phishing emails are a common ransomware infection vector. User security training helps employees identify and report suspicious messages before they compromise systems. Effective training includes:
- Highlighting ransomware trends, techniques, and impacts
- Building awareness around social engineering
- Teaching how to identify suspicious links and attachments
- Recognizing and reporting warning signs like urgency and threats
- Emphasizing verification procedures like hovering over hyperlinks
- Covering cybersafety at work and at home
- Ensuring clear escalation procedures
- Familiarizing IT staff with remediation steps
- Reinforcing training messages through simulated phishing tests
Ongoing user education combined with technology like email filtering maximizes the effectiveness of the human firewall.
Ransomware represents a serious threat to individuals, businesses, and government entities. Recognizing common indicators of compromise is critical to detecting and responding to attacks quickly to limit damage. Implementing layered defenses through technologies like anti-malware, backups, network segmentation, and system policies reduces risk. But user vigilance through education is equally important. Ransomware recovery should focus on leveraging backups before contemplating payments. With the right preparation and training, organizations can manage ransomware risks and impacts effectively.