How to Know if You’ve Been Infected by Ransomware

Detecting ransomware activity has become harder because adversaries keep changing their tools, tactics and techniques. For example, threat actors are writing payloads in newer languages such as Rust to slip past security software, and they are exfiltrating data (in addition to, or instead of, encrypting it) so that they can still extort organizations that have good backups. That said, there are some obvious and not-so-obvious signs that can help determine whether your organization is in the middle of a ransomware infection:

1. A Ransom Message: The most obvious sign that an organization has been compromised is an extortion message displayed on screen. Such messages usually include payment instructions and a deadline for paying.

2. Rogue Executables: If a process is running on your system that you do not recognize or have not seen before, investigate it immediately.

3. Encrypted Files: If you are suddenly unable to open certain files on your hard drive or in cloud storage (such as Google Drive, OneDrive or Dropbox), or files have been renamed with an unfamiliar extension, this could be a sign of a ransomware infection.

4. Unexplained Elevated Group Membership: If new accounts suddenly appear in your local administrator or domain administrator groups, those unexplained users and elevated memberships should be looked into immediately.

5. Unusual Network Connections and Traffic: You should have a good understanding of what normal network traffic looks like in your environment. If workstations are connecting to a server in Russia or China, or you notice unusually high outbound traffic volume, this could spell bad news.

6. Sudden Service Stoppages: Ransomware actors often run scripts that stop database or mail services before copying the data out, then restart them afterwards; the encryption stage also stops these services so that the files they hold open can be overwritten. Any unexplained service stoppage is cause for investigation.

7. Large File Archives: A full 86% of ransomware infections now exfiltrate data. If the attacker's intent is to steal data, they will likely bundle it into a ZIP, RAR or similar archive before uploading it. Watch out for large, unusual archive files appearing on a file server or being staged on a workstation.
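The following is an added example, not code from the article: a small rule set in Python that checks a constructed event log for signs 3 through 7 above (mass renames to one new extension, additions to privileged groups, heavy outbound traffic to unknown hosts, stops of sensitive services, and large archives appearing). The Windows event IDs used as labels are real (4728/4732/4756 for a member added to a global/local/universal security group, 7036 for a service changing state), but the event shape, the `.locked` extension, the watched service names, the thresholds and the sample timeline are assumptions.

```python
"""Rule checks for the ransomware signs above, run over a constructed event log.
Added example, not the article's code. Event IDs 4728/4732/4756 and 7036 are
real Windows Security/System log IDs; the event shape, extension, service
names, thresholds and sample timeline are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ARCHIVE_EXT = {"zip", "rar", "7z"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}   # member added to global/local/universal group
SERVICE_STATE_EVENT_ID = 7036               # service entered the running/stopped state
SENSITIVE_SERVICES = {"MSSQLSERVER", "MSExchangeIS", "VSS"}  # assumed watch list

def ext_of(path):
    return path.rsplit(".", 1)[-1].lower()

def detect_mass_rename(events, window=timedelta(minutes=5), threshold=50):
    """Sign 3: many files renamed to a single new extension inside a short window."""
    per_ext = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            per_ext[ext_of(e["new_path"])].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for ext, times in per_ext.items():
        times.sort()
        j, peak = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted timestamps
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            alerts.append(f"{peak} files renamed to .{ext} within {window}")
    return alerts

def detect_privileged_group_adds(events):
    """Sign 4: an account added to an admin group."""
    return [f"{e['subject']} added {e['member']} to {e['group']}" for e in events
            if e["type"] == "security" and e["event_id"] in GROUP_ADD_EVENT_IDS
            and e["group"] in PRIVILEGED_GROUPS]

def detect_unusual_egress(events, known_hosts, min_bytes=100 * 2**20):
    """Sign 5: large outbound volume to a destination not on the known list."""
    out = Counter()
    for e in events:
        if e["type"] == "netflow" and e["dst"] not in known_hosts:
            out[(e["src"], e["dst"])] += e["bytes_out"]
    return [f"{src} sent {b // 2**20} MiB to unknown host {dst}"
            for (src, dst), b in out.items() if b >= min_bytes]

def detect_service_stops(events):
    """Sign 6: a database, mail or backup service stopped."""
    return [f"service {e['service']} stopped on {e['host']}" for e in events
            if e["type"] == "system" and e["event_id"] == SERVICE_STATE_EVENT_ID
            and e["state"] == "stopped" and e["service"] in SENSITIVE_SERVICES]

def detect_large_archives(events, min_bytes=500 * 2**20):
    """Sign 7: a large archive appears, the usual staging step before exfiltration."""
    return [f"{e['path']} ({e['size'] // 2**20} MiB) created by {e['user']}"
            for e in events if e["type"] == "file_create"
            and e["size"] >= min_bytes and ext_of(e["path"]) in ARCHIVE_EXT]

def run_all(events, known_hosts=frozenset()):
    return {
        "mass_rename": detect_mass_rename(events),
        "priv_group": detect_privileged_group_adds(events),
        "egress": detect_unusual_egress(events, known_hosts),
        "service_stop": detect_service_stops(events),
        "archives": detect_large_archives(events),
    }

# Constructed sample: one night's worth of events on a small domain.
SAMPLE_EVENTS = [
    {"type": "security", "event_id": 4728, "time": "2024-03-01T02:10:00",
     "subject": "CORP\\svc-backup", "member": "CORP\\jdoe2", "group": "Domain Admins"},
    {"type": "system", "event_id": 7036, "time": "2024-03-01T02:12:00",
     "host": "SQL01", "service": "MSSQLSERVER", "state": "stopped"},
    {"type": "file_create", "time": "2024-03-01T02:20:00", "user": "CORP\\svc-backup",
     "path": "\\\\FS01\\share\\hr\\export.rar", "size": 2 * 2**30},
    {"type": "netflow", "time": "2024-03-01T02:30:00", "src": "10.0.5.22",
     "dst": "203.0.113.77", "bytes_out": 2 * 2**30},
    {"type": "netflow", "time": "2024-03-01T02:31:00", "src": "10.0.5.22",
     "dst": "10.0.0.5", "bytes_out": 3 * 2**30},           # backup server, expected
] + [
    {"type": "file_rename", "time": f"2024-03-01T03:00:{i % 60:02d}",
     "old_path": f"\\\\FS01\\share\\finance\\q{i}.xlsx",
     "new_path": f"\\\\FS01\\share\\finance\\q{i}.xlsx.locked"}
    for i in range(80)
]

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS, known_hosts={"10.0.0.5"}).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

Each rule is deliberately simple and tunable: the rename threshold and window, the archive size and the egress volume are the knobs you would set from a baseline of your own environment, which is the point of sign 5 above. The large transfer to the backup server in the sample is not reported because it is on the known-host list; the same volume to the unknown address is.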

Tools That Can Help Detect Ransomware

Firewalls, VPNs and signature-based antivirus are not great at detecting ransomware (a VPN is not a detection control at all), and endpoint detection and response (EDR) tools are generally more effective. But EDR isn't foolproof: some ransomware is built specifically to evade or disable it. In a Windows environment, a few other tools help. Sysinternals Process Explorer lists every running process, and it can be connected to Google's VirusTotal so that it submits the hashes of the running programs (the hashes only, not the files themselves); VirusTotal then reports how many of its antivirus engines flag each one. A hash VirusTotal has never seen is not a clean bill of health, only an unknown, and a payload compiled for one victim will look exactly like that.

Another Sysinternals utility, Autoruns, shows which programs run automatically when a computer starts up or a user logs on, and it has the same VirusTotal integration. Windows Defender Application Control (WDAC) is yet another tool: it lets admins define which programs are allowed to run and which are denied. In audit mode it blocks nothing, but it logs every executable that the policy would have blocked, which surfaces an unexplained binary such as a ransomware payload on your system.
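Here is an added example (not Sysinternals code or the article's) of what the Process Explorer and Autoruns integration described above does under the hood: hash each running program and ask VirusTotal about the hash. The `https://www.virustotal.com/api/v3/files/<sha256>` endpoint and the `x-apikey` header are VirusTotal's real v3 API; the /proc and PowerShell process enumeration, the verdict threshold and the constructed offline responses are assumptions. The response handling encodes the caveat to remember: a 404 means VirusTotal has never seen the hash, which is "unknown", not "clean".

```python
"""Hash running programs and look the hashes up on VirusTotal (API v3).
Added example; the transport is injectable so the lookup logic runs offline."""
import hashlib
import json
import os
import subprocess
import sys
import urllib.error
import urllib.request

VT_URL = "https://www.virustotal.com/api/v3/files/{}"   # real v3 endpoint

def running_executables():
    """Paths of running programs: /proc on Linux, PowerShell on Windows.
    Seeing other users' processes needs admin/root; unreadable ones are skipped."""
    if sys.platform == "win32":
        cmd = ["powershell", "-NoProfile", "-Command",
               "Get-Process | Select-Object -ExpandProperty Path"]
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        return sorted({p.strip() for p in out.splitlines() if p.strip()})
    if not os.path.isdir("/proc"):
        return []
    paths = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            paths.add(os.readlink(f"/proc/{pid}/exe"))
        except OSError:          # exited already, or not our process
            pass
    return sorted(paths)

def sha256_of(path, chunk=1 << 20):
    """Only this digest leaves the machine; the file itself is never uploaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def http_get_json(url, headers):
    """Real transport: GET with the x-apikey header; returns (status, parsed body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def classify(status, body, malicious_threshold=3):
    """Turn a /files response into a verdict. 404 = VirusTotal has never seen the
    hash: that is 'unknown', not 'clean', and a fresh payload looks exactly like it."""
    if status == 404:
        return "unknown"
    if status != 200:
        return f"error:{status}"
    stats = body["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= malicious_threshold:
        return "malicious"
    return "suspicious" if malicious or suspicious else "clean"

def check_hashes(hashes, api_key, fetch=http_get_json):
    """Map sha256 -> verdict. `fetch(url, headers)` is injectable for offline use."""
    return {h: classify(*fetch(VT_URL.format(h), {"x-apikey": api_key}))
            for h in hashes}

# Constructed offline responses shaped like the real v3 'last_analysis_stats'.
KNOWN_BAD = "a" * 64
KNOWN_GOOD = "b" * 64
OFFLINE_RESPONSES = {
    KNOWN_BAD: (200, {"data": {"attributes": {"last_analysis_stats":
                {"malicious": 41, "suspicious": 2, "undetected": 27, "harmless": 0}}}}),
    KNOWN_GOOD: (200, {"data": {"attributes": {"last_analysis_stats":
                {"malicious": 0, "suspicious": 0, "undetected": 68, "harmless": 2}}}}),
}

def offline_fetch(url, headers):
    """Stand-in transport for the constructed sample; unknown hashes get a 404."""
    assert "x-apikey" in headers
    return OFFLINE_RESPONSES.get(url.rsplit("/", 1)[-1], (404, {}))

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key:   # live run against the real API; rate limits apply to free keys
        digests = {sha256_of(p): p for p in running_executables() if os.path.isfile(p)}
        for h, verdict in check_hashes(digests, key).items():
            print(f"{verdict:10} {h[:16]}... {digests[h]}")
    else:
        print(check_hashes([KNOWN_BAD, KNOWN_GOOD, "c" * 64], "demo", offline_fetch))
```

Run it with `VT_API_KEY` set to query the live service for the processes on the current machine; without a key it classifies the constructed sample. Treat "unknown" as a prompt to look closer at the binary (signer, path, parent process), not as a pass.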

An Infection is Detected. Now What?

If you've got a ransomware notice on your screen, first make sure it is not fake scareware: plenty of scareware programs imitate ransomware and then attempt extortion. If it is real ransomware, do not click any links in the message or reply to it; doing so tells the attacker you have been hit and may start a countdown timer. Next, determine whether the malware is encrypting files or erasing them. If it is wiper malware, power off the affected machines quickly; if it is encrypting, prefer disconnecting the machines from the network over powering them off, since memory may still hold keys and other evidence that is lost on shutdown. Check whether one machine is infected or the malware has spread beyond a single location. One machine is limited in scope; more than one means you must declare a ransomware event, which means initiating your incident response plan and notifying team members (IT teams, senior management, legal and communications teams, your insurance carrier and other relevant stakeholders).

Disconnect the affected machines from the network and the internet to stop the ransomware spreading to other systems. It is worth rehearsing disabling and re-enabling network ports ahead of time so that this step is fast when it matters. Then determine the real scope of the intrusion: what did the attackers do, how did they get in, and what types of files did they encrypt or exfiltrate?

Once you have the facts, decide on your response. Will you pay the ransom or not? Most organizations refuse, but some businesses feel they must pay because recovery would cost more than the ransom. Next, repair and rebuild the environment, reinstalling applications from known-good media and verifying that restored data are clean.

Adding insult to injury, a majority of ransomware victims suffer repeat attacks because they treat symptoms rather than root causes. Most ransomware attacks (69%) begin with an email, while other principal root causes are basic weaknesses such as unpatched systems and stolen credentials. To prevent future attacks, organizations must close those root causes with a combination of people, processes and technology: coach users to recognize social engineering scams; have clear policies and procedures that spell out the do's and don'ts as well as responsibility and accountability for cybersecurity; and deploy robust security tools that detect and mitigate the risk of ransomware.


Stu Sjouwerman

Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 30,000 customers and more than 20 million users. He was co-founder of Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Stu is the author of four books, with his latest being "Cyberheist: The Biggest Financial Threat Facing American Businesses."
