Ransomware attacks are like earthquakes. They are no fun, and they can cause a lot of damage. As with earthquakes, your first responsibility is to make it through the event. But wouldn’t it feel better to have some advance warning? It turns out that there are some signs of a future ransomware attack. And just like earthquake predictions, the science is still basic. But you would be wise to look for one or more of these signs in your network.
Active Directory Shows Multiple Login Failures
Does your Active Directory show multiple login failures? That can be a sign of a future ransomware attack. Pay special attention to login failures against your Remote Desktop environment. Hackers know that Remote Desktop Services are in use now that so many people work from home. This was already a favorite entry point for hackers. Today that is even more true.
Also look for login failures for admin accounts. Hackers want to get to an admin account so they can access more of your network’s data.
Brute Force Attacks Hit the Network
As with attempted logins, look for evidence of brute force attacks against your network. Look for more than just the attacks themselves as a sign of a future ransomware attack. For instance, look for unusual copy and paste activity featuring odd file types. This can indicate that hackers are attempting to spread malware throughout the network. Check to see if Windows Syslog files are being encrypted. This can indicate that hackers are trying to cover their tracks. Finally, look for use of the Windows backup command, wbadmin.exe. Hackers may use this command to delete backup files.
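The failed-login, admin-account and wbadmin.exe signs above can be checked mechanically. The following added example (not part of the original article) runs three simple detections over constructed records shaped like Windows Security events 4625 (failed logon) and 4688 (process creation); the thresholds, the admin account list and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: 4625 = failed logon, 4688 = process creation.
# LogonType 10 is RemoteInteractive, i.e. a Remote Desktop logon.
EVENTS = [
    {"id": 4625, "time": "2024-03-04T02:11:05", "user": "jsmith", "src": "203.0.113.7", "logon_type": 10},
    {"id": 4625, "time": "2024-03-04T02:11:09", "user": "jsmith", "src": "203.0.113.7", "logon_type": 10},
    {"id": 4625, "time": "2024-03-04T02:11:14", "user": "jsmith", "src": "203.0.113.7", "logon_type": 10},
    {"id": 4625, "time": "2024-03-04T02:11:20", "user": "jsmith", "src": "203.0.113.7", "logon_type": 10},
    {"id": 4625, "time": "2024-03-04T02:11:27", "user": "jsmith", "src": "203.0.113.7", "logon_type": 10},
    {"id": 4625, "time": "2024-03-04T09:30:00", "user": "Administrator", "src": "10.0.0.25", "logon_type": 2},
    {"id": 4625, "time": "2024-03-04T14:02:00", "user": "kchen", "src": "10.0.0.31", "logon_type": 2},
    {"id": 4688, "time": "2024-03-04T02:40:00", "user": "jsmith", "src": "10.0.0.40",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"id": 4688, "time": "2024-03-04T10:00:00", "user": "backupsvc", "src": "10.0.0.9",
     "cmdline": "wbadmin.exe start backup -backupTarget:E:"},
]
ADMIN_ACCOUNTS = {"administrator", "da-backup"}  # assumed list of privileged accounts

def rdp_brute_force(events, threshold=5, window_s=600):
    """(user, src) pairs with >= threshold failed RDP logons inside window_s seconds."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            times[(e["user"].lower(), e["src"])].append(datetime.fromisoformat(e["time"]))
    hits = []
    for key, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):  # sliding window over sorted timestamps
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s:
                hits.append(key)
                break
    return hits

def admin_logon_failures(events):
    """Every failed logon against a privileged account, however few; these merit a look."""
    return [(e["user"], e["src"]) for e in events
            if e["id"] == 4625 and e["user"].lower() in ADMIN_ACCOUNTS]

def backup_deletion(events):
    """Process creations where wbadmin.exe is used to delete backups or the backup catalog."""
    return [(e["user"], e["cmdline"]) for e in events
            if e["id"] == 4688 and "wbadmin" in e["cmdline"].lower()
            and "delete" in e["cmdline"].lower()]

if __name__ == "__main__":
    print("RDP brute force:", rdp_brute_force(EVENTS))
    print("Admin failures:", admin_logon_failures(EVENTS))
    print("Backup deletion:", backup_deletion(EVENTS))
```

On a real estate the same logic would read 4625/4688 records from the Security log (Get-WinEvent or a SIEM export) rather than the embedded list.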
Phishing Emails Land with Strange Domains
Are you seeing attempted phishing emails arrive from domains you have not previously seen? Phishing emails from a new (to you) domain can be a sign that someone is targeting your organization. Use this event as an opportunity to remind your users about how to recognize phishing emails.
The Network Starts Asking a String of Questions About a Single Machine
Are you seeing questions about a machine such as “Is this a Mac or a PC?” These kinds of otherwise nonsensical questions can be a sign of a future ransomware attack. Look also for unplanned port scanning activity. If an admin account is conducting a port scan outside working hours, contact the person to see if they intended to do this. And BTW, this is why you want admin accounts tied to individuals and not shared across multiple users.
Security Tools Are Being Used in Unusual Places
Hackers will use security tools to disable other security services. If you see activity intended to disable antivirus software, turn off audit logging and the like then you have uninvited visitors to your network.
Unusual Timestamps Appear on VPN Connections
You know your staff are working from home (or some other known location). You know what time zone they are working from. So, if you see VPN usage outside of expected working hours, you have someone trying to breach your network.
Traffic is Suddenly Redirected to Questionable Places on the Dark Web
This is one of those obvious-in-retrospect signs of a future ransomware attack. Are you seeing traffic directed to a TOR site? Are you seeing DNS requests going back to known bad sites? If you already have a list of blocked sites, congratulations on being proactive here. If you don’t have such a list, look for unusual changes in traffic flow and investigate the destinations you find. If you have traffic going to a site that seems sketchy, act.
A ransomware attack might seem like a black swan event. It is possible, however, that attackers are conducting some amount of reconnaissance on your network before they launch a ransomware attack. Look for signs of a future ransomware attack and respond before things really start getting bad.