The pandemic brought more workers home, which widened the attack surface, and bad actors are taking advantage of the situation. As reported by Forbes, cyberattacks increased by 238% during the first four months of the pandemic. More intruders are entering networks looking for data to hold for ransom. The best way to avoid the wrenching decision of whether to pay a ransom or other extortion demand is to never face it in the first place. Below are a few activities that raise a red flag for our security analysts. We recommend investigating if you see any of these behaviors in your organization:
- Suspicious machine-to-machine communications. Attackers rely on unpatched versions of Microsoft Windows, device misconfigurations, and other endpoint vulnerabilities to rapidly exploit many networked machines at once. For example, the EternalBlue exploit, which targets a vulnerability in Microsoft's Server Message Block (SMB) protocol (SMBv1, patched in MS17-010), powered high-profile attacks like WannaCry. Patching these known vulnerabilities is a must, but networks should also be monitored for exploitation attempts against vectors such as SMB, which hide easily in the noise of everyday traffic: a single workstation opening port 445 connections to dozens of internal hosts within a few minutes is not normal file-sharing behavior, it is how a worm spreads.
- Anomalous mapping activity. In physical crime and cybercrime alike, robbers study the victim carefully to learn where valuables are stored, how they are secured, and what defenders' response times look like once an alarm sounds or a getaway is in progress. For ransomware operators, this means gaining entry to a victim's network and quietly casing connected offices, networked equipment, and cloud or back-end infrastructure to determine where to most effectively seed hijacking malware and sabotage backup mechanisms. This necessary step often takes days, which gives defenders extra time to spot precursor activity and expel intruders, provided the telltale signs of reconnaissance (internal port sweeps, share enumeration, probing of backup servers) are noticed quickly.
- Do not stop at detection – understand context. The frequent detections and alerts from security products do not necessarily show the big picture or the attacker's ultimate goal. For example, if an alert flags the discovery of a software tool associated with creating malicious backdoors, defenders must understand why and where the program was discovered. Was it simply blocked as a prohibited type of incoming email attachment? Or did the program turn up on a device that is not internet-facing, or on infrastructure such as a server rather than a laptop? Those details determine how urgently the response should be escalated.
- Suspicious use of account credentials. Using stolen but valid login credentials for email, messaging, and other applications is a popular intrusion method. Activity under a legitimate account is less likely to draw suspicion, and valid credentials (employee usernames, passwords, and contact details) can be bought cheaply in the cybercrime underground or captured through phishing and social engineering. As Pondurance noted for Dark Reading, topical themes are popular with phishers because urgent-sounding messages are effective at convincing people to click on malicious links and attachments; last year, for instance, Pondurance observed a large number of phishers using federal coronavirus relief applications as a lure. Armed with stolen accounts, ransomware actors can have quiet, unfettered access to enormous swaths of network and business systems, particularly if the accounts belong to senior staff or other privileged users. For this reason, it is crucial to monitor account behavior in real time for activity inconsistent with a user's norms, role, and working hours, such as a logon at 2 a.m. from a server that user has never touched.
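The three telemetry-driven red flags above (SMB fan-out, internal reconnaissance, and out-of-pattern logons) are easy to state but worth seeing as concrete detection logic. The script below is an added example written for this page, not Pondurance's tooling or anything from the original post. It assumes connection records shaped like Zeek's conn.log fields (ts, orig_h, resp_h, resp_p) and logon records shaped like Windows Security event 4624 (time, user, workstation); the sample records, the per-user baseline and the thresholds are constructed for illustration and should be tuned to your own environment.

```python
"""Ransomware-precursor detectors over constructed telemetry (added example).

Assumed input shapes (not from the original post):
  CONN_LOG  - Zeek-style records: (ts, orig_h, resp_h, resp_p)
  LOGON_LOG - Windows 4624-style records: (ts, user, workstation)
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

INTERNAL_NETS = ("10.", "192.168.")  # assumption: RFC1918 ranges in use here

# ---- constructed sample data -------------------------------------------------
T0 = datetime(2021, 3, 2, 2, 0, 0)
CONN_LOG = []
# benign: a workstation talking to its file server on 445 twice in an hour
CONN_LOG += [(T0 + timedelta(minutes=m), "10.0.0.3", "10.0.0.10", 445) for m in (0, 30)]
# worm-like SMB fan-out: one host reaches twelve internal peers on 445 in ~2 min
CONN_LOG += [(T0 + timedelta(seconds=10 * i), "10.0.0.25", f"10.0.0.{100 + i}", 445)
             for i in range(12)]
# reconnaissance: one host sweeps twenty ports on a single server
CONN_LOG += [(T0 + timedelta(seconds=i), "10.0.0.7", "10.0.0.50", p)
             for i, p in enumerate(range(20, 40))]

LOGON_LOG = [
    (datetime(2021, 3, 2, 9, 5), "bob", "WS-BOB"),
    (datetime(2021, 3, 2, 2, 13), "alice", "SRV-FILE01"),  # 2 a.m., from a server
    (datetime(2021, 3, 2, 10, 0), "alice", "WS-ALICE"),
]
# constructed per-user baseline: hosts normally used and normal working hours
BASELINE = {
    "alice": {"hosts": {"WS-ALICE"}, "hours": (time(8), time(18))},
    "bob": {"hosts": {"WS-BOB"}, "hours": (time(8), time(18))},
}


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def smb_fanout(conn_log, window=timedelta(minutes=5), threshold=10):
    """Return {src: peers} for sources that reach >= threshold distinct
    internal hosts on TCP/445 inside any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, port in conn_log:
        if port == 445 and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                hits[src] = peers
                break
    return hits


def port_sweeps(conn_log, threshold=15):
    """Return {(src, dst): ports} where one source probes >= threshold
    distinct ports on a single host, the classic service-discovery pattern."""
    ports = defaultdict(set)
    for _, src, dst, port in conn_log:
        ports[(src, dst)].add(port)
    return {pair: p for pair, p in ports.items() if len(p) >= threshold}


def anomalous_logons(logon_log, baseline):
    """Flag logons outside a user's normal hours or from a host the user has
    never used. Each hit is (user, ts, [reasons])."""
    hits = []
    for ts, user, host in logon_log:
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            start, end = profile["hours"]
            if not (start <= ts.time() <= end):
                reasons.append("outside working hours")
            if host not in profile["hosts"]:
                reasons.append(f"unfamiliar workstation {host}")
        if reasons:
            hits.append((user, ts, reasons))
    return hits


if __name__ == "__main__":
    for src, peers in smb_fanout(CONN_LOG).items():
        print(f"SMB fan-out from {src}: {len(peers)} internal hosts on 445")
    for (src, dst), ports in port_sweeps(CONN_LOG).items():
        print(f"port sweep {src} -> {dst}: {len(ports)} distinct ports")
    for user, ts, reasons in anomalous_logons(LOGON_LOG, BASELINE):
        print(f"logon {user} at {ts:%H:%M}: {', '.join(reasons)}")
```

On the sample data the benign workstation-to-file-server traffic is left alone, the host fanning out on 445 and the host sweeping twenty ports on one server are both reported, and only alice's 2 a.m. logon from SRV-FILE01 is flagged (for both the hour and the unfamiliar host). The thresholds are deliberately simple; in production they belong in a per-host baseline rather than as constants, and each hit should be enriched with the context the previous point calls for (is the source internet-facing, a server or a laptop) before it is escalated.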
Want to learn more about stopping ransomware? Check out our whitepaper Stop the Spread of Ransomware at the Root