The pandemic brought more workers home, resulting in more vulnerabilities, and bad actors are taking advantage of the situation. As reported by Forbes, cyber attacks increased by 238% during the first four months of the pandemic. Bad actors are increasing in number, with more entering networks looking for data to hold for ransom. The best way to avoid the wrenching decision of whether to pay a ransom or other extortion demand is to never face it in the first place. Below are a few activities that raise a red flag for our security analysts. We recommend investigating if you witness any of these behaviors in your organization:
- Suspicious machine-to-machine communications: Attackers rely on unpatched versions of Microsoft Windows, device misconfigurations and other endpoint vulnerabilities to rapidly exploit many networked machines at once. For example, the “EternalBlue” exploit, which takes advantage of a Microsoft Server Message Block (SMB) vulnerability, propelled high-profile attacks like WannaCry. Patching these known vulnerabilities is a must, but networks should also be monitored for attempts to exploit attack vectors like SMB, which hide in the noise of everyday traffic.
- Anomalous mapping activity: In physical and cybercrime alike, robbers study the victim carefully to learn “where” valuables are stored, “how” they are secured and “what” defenders’ response times look like, once an alarm or getaway is in progress. For ransomware operators, this means gaining entry to a victim’s network and quietly casing connected offices, networked equipment and cloud or back-end infrastructure to determine where to most effectively seed hijacking malware and sabotage back-up mechanisms. This necessary step, often requiring days, affords defenders extra time to spot precursor activity and expel intruders, if telltale reconnaissance signs are spotted quickly.
- Do not stop at detection – understand context: Security products’ frequent detections and alerts do not necessarily show the big picture or attackers’ ultimate goals. For example, if an alert flags the discovery of a software tool associated with creating malicious backdoors, defenders must understand “why” and “where” the program was discovered. Was it simply blocked as a prohibited type of arriving email attachment? Or did the program turn up on a device that is not Internet facing, or on infrastructure like a server instead of a laptop? These details determine how urgently response and escalation steps need to happen.
- Suspicious use of account credentials: Using stolen but valid login credentials for email, messaging and other applications is a popular intrusion method. Legitimate users’ activity is less likely to draw suspicion, and valid credentials based on employee usernames, passwords and contact details can be easily purchased in the cybercrime underground or captured with phishing techniques and social-engineering tricks. As Pondurance noted for Dark Reading, topical themes are popular with phishers because urgent-sounding themes are useful for convincing people to click on malicious links and attachments; last year, for example, Pondurance saw a large number of phishers using federal stimulus applications as a theme in phishing email. Armed with stolen accounts, ransomware actors can have quiet, unfettered access to enormous swaths of network and business systems, particularly if the accounts belong to senior or other privileged users. For this reason, it is crucial to monitor real-time account behavior and look for activities inconsistent with norms, roles and working hours.
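Two of the red flags above, SMB exploitation attempts hidden in everyday traffic and account use inconsistent with a user's normal hosts and working hours, can be checked with simple detection logic over connection and authentication records. The script below is an added example written for this page; it is not code from the post or from Pondurance. The event format, hostnames, usernames and per-account baselines are all constructed for illustration, and the thresholds (four distinct SMB targets inside five minutes) are assumptions a real deployment would tune to its own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sample records (hypothetical, not from the post). Each is a
# simplified connection/auth event: ISO timestamp, source host, destination
# host, destination port, and the account used (None for raw SMB probes
# that carry no authenticated user).
SAMPLE_EVENTS = [
    ("2021-03-02T03:12:00", "wks-17", "srv-fs01", 445, None),
    ("2021-03-02T03:12:04", "wks-17", "srv-fs02", 445, None),
    ("2021-03-02T03:12:09", "wks-17", "wks-04", 445, None),
    ("2021-03-02T03:12:15", "wks-17", "wks-05", 445, None),
    ("2021-03-02T03:12:20", "wks-17", "wks-06", 445, None),
    ("2021-03-02T09:05:00", "wks-03", "srv-fs01", 445, "alice"),
    ("2021-03-02T10:40:00", "wks-03", "srv-mail", 443, "alice"),
    ("2021-03-02T02:30:00", "vpn-pool-9", "srv-fs01", 445, "cfo.bob"),
    ("2021-03-02T14:00:00", "wks-08", "srv-mail", 443, "cfo.bob"),
]

# Constructed per-account baselines: hosts each user normally works from and
# their usual working hours (local time). In practice these come from a
# learned profile or directory data, not a hand-written table.
BASELINES = {
    "alice": {"hosts": {"wks-03"}, "hours": (time(8, 0), time(18, 0))},
    "cfo.bob": {"hosts": {"wks-08"}, "hours": (time(8, 0), time(19, 0))},
}


def parse(ts):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(ts)


def detect_smb_fanout(events, threshold=4, window_seconds=300):
    """Flag source hosts that reach `threshold` or more distinct destinations
    on TCP/445 within `window_seconds`. A user opening a share touches one
    server; a worm-style SMB exploit fans out to many hosts in seconds."""
    recent = defaultdict(deque)  # src host -> (timestamp, dst) pairs in window
    flagged = {}
    for ts, src, dst, port, _user in sorted(events, key=lambda e: e[0]):
        if port != 445:
            continue
        t = parse(ts)
        window = recent[src]
        window.append((t, dst))
        # Drop entries that have aged out of the sliding window.
        while (t - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        targets = {d for _, d in window}
        if len(targets) >= threshold:
            flagged[src] = sorted(targets)
    return flagged


def detect_account_anomalies(events, baselines):
    """Flag authenticated activity inconsistent with the account's baseline:
    a source host the user has never worked from, or use outside their
    working hours. Returns (user, reason, src, dst) tuples."""
    findings = []
    for ts, src, dst, _port, user in events:
        if user is None or user not in baselines:
            continue
        base = baselines[user]
        start, end = base["hours"]
        if src not in base["hosts"]:
            findings.append((user, "unfamiliar_host", src, dst))
        if not (start <= parse(ts).time() <= end):
            findings.append((user, "off_hours", src, dst))
    return findings


if __name__ == "__main__":
    for src, dsts in detect_smb_fanout(SAMPLE_EVENTS).items():
        print(f"[SMB fan-out] {src} -> {len(dsts)} hosts: {', '.join(dsts)}")
    for user, reason, src, dst in detect_account_anomalies(SAMPLE_EVENTS, BASELINES):
        print(f"[account] {user}: {reason} (from {src} to {dst})")
```

On the sample data, `wks-17` is reported for reaching five hosts on port 445 inside twenty seconds, while `cfo.bob` is reported twice for a single 02:30 session from an unfamiliar VPN address, which is exactly the "privileged account, wrong host, wrong hour" combination the post says warrants investigation. The two detectors are deliberately independent: the SMB check needs no user attribution, so it still fires on unauthenticated probes, and the account check works on any protocol.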
Want to learn more about stopping ransomware? Check out our whitepaper: Stop the Spread of Ransomware at the Root