Early Indicators of a Ransomware Attack
Here is an interesting fact: the average ransomware attack can take anywhere from 60 to 120 days to move from the initial security breach to the delivery of the actual ransomware. That means the attack begins anywhere from 2-4 months before you are even aware it is happening. You could have a cybercriminal lurking in your network as you read this, just waiting for the right moment to unleash their network-encrypting malware.
There are some early indicators that can help you spot a ransomware attack in progress. Encryption of files by the ransomware is the last thing that happens; before that, a cybercriminal sneaks around investigating your network, looking for any weakness. One of the most common routes for ransomware hackers into corporate networks is via Remote Desktop Protocol (RDP) services left open to the internet. To protect your business, you need to understand what your RDP exposure is, and you need to have two-factor authentication turned on for those services or only allow access to them through a secure VPN.
Another warning sign is unexpected software tools appearing on the network. A popular method of gaining control of a PC on a network is a phishing attack. Once inside the network, hackers explore from that first PC to see what else they can find to attack. One preventive measure you can take here is training all users to spot phishing emails and never to open anything that looks suspicious.
What is really dangerous is what happens once a cybercriminal has gained access to your network: they will often try to increase their reach by creating administrator accounts for themselves, for example in Active Directory, and then use that access to start disabling security software, using applications created to assist with the forced removal of software. Once the attackers have gained administrator powers, they attempt to spread further across the network, using PowerShell. Your IT admins need to look for accounts that are created outside of your ticketing system or account management system in order to catch this when it happens.
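The check described above, reconciling account changes against the ticketing system, is the kind of thing that should run automatically rather than by eye. The following is an added example, not code from the original post or from 2W Tech: it takes a constructed batch of Windows Security log events (the real Event IDs 4720 for "a user account was created" and 4728/4732 for "a member was added to a security-enabled group") and a constructed list of approved change tickets, and flags any account creation or privileged-group addition that no ticket covers. The event and ticket field names, the ticket "action" values, and the list of privileged groups are assumptions; a real deployment would feed events from a SIEM export and tickets from the ticketing system's API.

```python
"""Added example (not from the original post): flag Active Directory account
changes that have no matching change ticket."""
from datetime import datetime

# Real Windows Security Event IDs; the sample events below are constructed.
ACCOUNT_CREATED = 4720          # A user account was created
ADDED_TO_GLOBAL_GROUP = 4728    # A member was added to a security-enabled global group
ADDED_TO_LOCAL_GROUP = 4732     # A member was added to a security-enabled local group

# Assumption: membership changes to these groups must always be ticketed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events, shaped like the fields a SIEM would extract.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T09:12:00", "id": 4720, "actor": "helpdesk1",
     "target": "a.smith", "group": None},
    {"time": "2024-03-04T23:41:00", "id": 4720, "actor": "j.doe",
     "target": "svc_backup2", "group": None},
    {"time": "2024-03-04T23:43:00", "id": 4728, "actor": "j.doe",
     "target": "svc_backup2", "group": "Domain Admins"},
    {"time": "2024-03-05T10:05:00", "id": 4728, "actor": "helpdesk1",
     "target": "a.smith", "group": "Sales Users"},
]

# Constructed approved tickets: each authorizes one action on one account
# inside a time window. "create" and "elevate" are assumed action names.
SAMPLE_TICKETS = [
    {"ticket": "CHG-1001", "target": "a.smith", "action": "create",
     "start": "2024-03-04T08:00:00", "end": "2024-03-04T18:00:00"},
]


def parse(ts):
    """Parse the ISO-8601 timestamps used in the sample data."""
    return datetime.fromisoformat(ts)


def ticket_covering(tickets, target, action, when):
    """Return the ticket id that authorizes `action` on `target` at `when`, else None."""
    for t in tickets:
        if (t["target"] == target and t["action"] == action
                and parse(t["start"]) <= when <= parse(t["end"])):
            return t["ticket"]
    return None


def find_unticketed_changes(events, tickets):
    """Return a list of (event, reason) for account changes with no covering ticket.

    Account creations need a "create" ticket; additions to a privileged group
    need an "elevate" ticket. Additions to ordinary groups are not flagged.
    """
    findings = []
    for ev in events:
        when = parse(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            if ticket_covering(tickets, ev["target"], "create", when) is None:
                findings.append((ev, "account created without a change ticket"))
        elif ev["id"] in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP):
            if (ev["group"] in PRIVILEGED_GROUPS
                    and ticket_covering(tickets, ev["target"], "elevate", when) is None):
                findings.append(
                    (ev, f"added to privileged group {ev['group']} without a change ticket"))
    return findings


def summarize(findings):
    """One human-readable line per finding, for an alert or daily report."""
    return [f"{ev['time']} {ev['actor']} -> {ev['target']}: {reason}"
            for ev, reason in findings]


if __name__ == "__main__":
    for line in summarize(find_unticketed_changes(SAMPLE_EVENTS, SAMPLE_TICKETS)):
        print(line)
```

Run against the sample data, the helpdesk-created account is cleared by its ticket and the ordinary group change is ignored, while the late-night creation of `svc_backup2` and its addition to Domain Admins two minutes later both come back as findings. Matching on the target account and a time window, rather than on the actor alone, matters because an attacker who has already taken over a legitimate admin account will show up as that admin in the log.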
It is scary to think that cybercriminals can be sneaking around in your network. Sometimes they are there for months undetected, because the slower they move, the less chance they have of being caught. They will attempt to disable Active Directory and domain controllers, corrupt any backups they can find, and disable any software deployment systems that could be used to push patches or updates. Often they start by trying to encrypt 1 or 2 devices to make sure their attack is going to work, and once they get confirmation, they hit you at full strength.
Keep your software patched and up to date. Make sure multi-factor or two-factor authentication is running on every application where it is an option. Train your staff on what to click on and how to identify anything that may look suspicious. Call 2W Tech, a technology service provider specializing in solutions for the manufacturing industry, and let our IT Consultants run a full security assessment on your network and help you identify your vulnerabilities. All of these are steps you should be taking to keep you and your business safe.