Red Flags That Your Environment Is Ripe for a Ransomware Attack

Ransomware doesn’t just happen. Devices and networks are hit with ransomware because there is a failure somewhere in the system. And when the ransomware attack does occur, you’ll know it. By that point, it will be too late.

“If a ransomware attack has been successful, the indications of this activity will likely be prompt; users will be unable to access their data, services will be disrupted or inoperable, and business partners will also likely be reporting difficulties in conducting regular operations,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, in an email interview.

“Of course,” Morgan added, “these alarm bells will likely ring at the same time as the ransom note that the attackers will leave in the wake of their attack.” To be perfectly clear, no system is completely ransomware-proof. No security system will catch everything and even if it did, humans will still make mistakes that could give ransomware a free pass to your data.

Red Flag Warnings Within Your Environment

However, there are some red flags that indicate a ransomware attack is about to be launched within your infrastructure.

“The most obvious sign is someone noticing files being encrypted and a ransom note popping up on the screen,” said Mike Parkin, senior technical engineer with Vulcan Cyber, via email commentary. “When the attack hits server-side files, someone who accesses the files will often notice the issue.”

What security teams will also notice is an increase in phishing emails, particularly emails with domains not detected previously within the organization. Cybercriminals are test-running your environment with the phishing push. Another major sign that your system has been compromised by a ransomware attack: Security alerts are triggered, according to Bud Broomhead, CEO at Viakoo.

Those red flags are difficult to miss, but Broomhead pointed out there are more subtle signs to keep an eye out for, which include higher memory utilization, out-of-band network traffic and loss of control over camera devices.
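The "increase in phishing emails, particularly emails with domains not detected previously" signal above can be checked mechanically against mail-gateway logs. The script below is an added example written for this article, not code from the article or from any of the vendors quoted in it; the log format (timestamp, recipient, sender, subject) and the sample lines are constructed. It learns the set of sender domains seen before an observation window and flags any never-before-seen domain that reaches several distinct recipients inside that window, which is what a phishing "test run" against an organization looks like in the logs.

```python
"""Flag sender domains that were never seen before and suddenly reach many
recipients. Added example; the gateway log format below is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway lines: "<ISO time> to=<recipient> from=<sender> subj=<text>"
SAMPLE_LOG = """\
2024-03-01T09:02:11 to=alice@corp.example from=billing@vendor-one.example subj=Invoice 4471
2024-03-01T10:15:40 to=bob@corp.example from=hr@corp.example subj=Benefits update
2024-03-02T11:00:03 to=carol@corp.example from=news@vendor-two.example subj=Newsletter
2024-03-08T08:01:09 to=alice@corp.example from=it-support@corp-helpdesk-login.example subj=Password expires today
2024-03-08T08:01:12 to=bob@corp.example from=it-support@corp-helpdesk-login.example subj=Password expires today
2024-03-08T08:01:15 to=carol@corp.example from=it-support@corp-helpdesk-login.example subj=Password expires today
2024-03-08T08:03:40 to=dave@corp.example from=docs@secure-share-portal.example subj=Shared file: Q1 payroll
2024-03-08T08:04:02 to=erin@corp.example from=docs@secure-share-portal.example subj=Shared file: Q1 payroll
2024-03-08T09:30:00 to=alice@corp.example from=billing@vendor-one.example subj=Invoice 4480
"""


def parse_log(text):
    """Turn the constructed log lines into dicts with time, recipient, sender domain, subject."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, to_field, from_field, subj_field = line.split(" ", 3)
        sender = from_field.split("=", 1)[1]
        events.append({
            "time": datetime.fromisoformat(ts),
            "recipient": to_field.split("=", 1)[1].lower(),
            "domain": sender.rsplit("@", 1)[1].lower(),
            "subject": subj_field.split("=", 1)[1],
        })
    return events


def find_new_domain_surge(events, window_hours=24, min_recipients=2):
    """Return (domain, distinct_recipient_count) pairs for sender domains that
    never appeared before the observation window and reached at least
    min_recipients inside it. Sorted by recipient count, highest first."""
    if not events:
        return []
    latest = max(e["time"] for e in events)
    cutoff = latest - timedelta(hours=window_hours)
    # Baseline: every domain the organization had already received mail from.
    baseline = {e["domain"] for e in events if e["time"] < cutoff}
    recipients = defaultdict(set)
    for e in events:
        if e["time"] >= cutoff and e["domain"] not in baseline:
            recipients[e["domain"]].add(e["recipient"])
    flagged = [(d, len(r)) for d, r in recipients.items() if len(r) >= min_recipients]
    flagged.sort(key=lambda item: (-item[1], item[0]))
    return flagged


if __name__ == "__main__":
    for domain, count in find_new_domain_surge(parse_log(SAMPLE_LOG)):
        print(f"new sender domain {domain}: {count} distinct recipients in the last 24h")
```

The baseline here is built from the same log; in practice it would come from a longer history, and the threshold would be tuned so that a single legitimate new vendor does not page anyone while a campaign that lands in several inboxes within minutes does.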

Red Flags That You Are at Risk of a Ransomware Attack

Even if your environment is currently ransomware-free, there are signs that you are at high risk for a possible attack. According to Broomhead, some signs that your data and network are at a high level of risk for ransomware include:

• Lack of training, especially on how to detect phishing emails
• Exceptions or blind spots on security controls (especially systems managed outside of IT, like IoT devices)
• Use of flat networks (once breached, cybercriminals have access to the full network). Use of segmented networks is always a best practice.
• Not having backups of data (and not testing those backups to make sure everything can be restored)
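The last item in the list, backups that exist but are never restored, is the one that decides whether a ransomware incident is an outage or a ransom payment. The script below is an added example, not code from the article: it writes a SHA-256 manifest at backup time, then proves the backup by restoring it into a scratch directory and comparing every file against that manifest. All paths and file contents are constructed, and only the Python standard library is used.

```python
"""Prove a backup can actually be restored: restore into a scratch directory and
check every file against a manifest written at backup time. Added example;
the manifest layout (relative path -> sha256) is an assumption."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir, archive_path):
    """Archive the source tree and write a manifest of relative path -> digest beside it."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for file in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = file.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(file, arcname=rel)
    manifest_path = Path(f"{archive_path}.manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify_restore(archive_path, manifest_path):
    """Restore into a fresh temp dir; return (ok, problems). problems lists files
    that are missing from the restore or whose content no longer matches."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # Refuse absolute paths and links escaping the restore dir.
                tar.extractall(restore_dir, filter="data")
            except TypeError:  # Python without the extraction-filter backport
                tar.extractall(restore_dir)
        for rel, expected in manifest.items():
            restored = Path(restore_dir) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"altered: {rel}")
    problems.sort()
    return (not problems), problems


def run_demo():
    """Constructed end-to-end run: a sound backup verifies clean; a backup job
    that silently dropped one file and altered another is caught."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly plan\n")
        archive = work / "backup.tar.gz"
        manifest = create_backup(src, archive)
        good_ok, good_problems = verify_restore(archive, manifest)

        # Simulate a bad job: one file changed, one lost, old manifest kept.
        (src / "notes.txt").write_text("quarterly plan - truncated")
        (src / "finance" / "ledger.csv").unlink()
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src / "notes.txt", arcname="notes.txt")
        bad_ok, bad_problems = verify_restore(archive, manifest)
        return good_ok, good_problems, bad_ok, bad_problems


if __name__ == "__main__":
    ok, problems, bad_ok, bad_problems = run_demo()
    print("good backup verified:", ok, problems)
    print("bad backup verified:", bad_ok, bad_problems)
```

The point of restoring into a separate directory rather than reading the archive listing is that it exercises the same path an operator would take on the worst day; the manifest should live somewhere the production network cannot overwrite, or an attacker who encrypts the backups can rewrite the record that says they were fine.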

Like all cybercriminals, ransomware gangs will go for the easy win. They know that humans are the weakest link in your cybersecurity program. So they will use a variety of methods to target victims, with a significant majority either leveraging weaknesses in remote services or tricking employees through social engineering.

Ransomware actors are also drawn to networks with a large attack surface. Large corporations have always offered a lot of opportunities to find an entrance into the network, which is why they’re prime targets. But don’t discount the way remote work has increased the threat surface for SMBs.

“Employees should be fully aware of what constitutes a safe working practice, including web browsing and only downloading approved software,” said Morgan. “For example, shadow IT, or non-approved software, should be discouraged and corporate devices should also only be used for work purposes.”

How to Respond to Red Flags

Organizations need to rely on defense-in-depth. “User education is a required first step to make users part of the defense rather than the attack surface and have that backed up by appropriate endpoint defenses to deal with malware infections before they can take hold,” advised Parkin.

Basic security steps like multifactor authentication can go a long way to mitigate the threat of compromised credentials that could lead to a ransomware attack, and a well-designed backup program is vital to help recover from a ransomware attack.

“With the shift to hybrid attacks, where threat actors are exfiltrating data and using that for extortion in addition to encrypting it,” Parkin added, “organizations need to take active steps to look for and prevent unauthorized data exfiltration.”

Your organization’s security system—and its weaknesses—is waving the red flags you need to warn you that a ransomware attack is imminent. You need to be looking for those red flags and take action to address them before the damage is done.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.