Ransomware is a big threat to modern organizations of any size. Unfortunately, small- and medium-sized businesses (SMBs) may not have enough financial resources to fully protect themselves from attack.
But this doesn't mean that SMBs cannot do anything to secure their networks. They can raise their security posture through proper staff training and scalable solutions from managed IT security providers. Ransomware operators leave telltale signs of their presence in a network, so it's crucial to teach your users to recognize these signs and report them to your IT provider. With your team and your IT provider working diligently together, you can significantly reduce your company's risk of a ransomware attack.
Here are some signs of ransomware your team should look out for:
1. Suspicious emails
Phishing is the most common way ransomware attackers get into a computer system. Attackers use social engineering via email to fool employees and business leaders alike into clicking legitimate-looking links that discreetly install an array of malicious software on their systems. The payloads behind these links typically install network scanners, credential-dumping tools like Mimikatz, and the encryption software itself.
Two of your most critical defenses are good internet hygiene and continuous organizational training. All users of your network should know to avoid visiting sketchy websites and should have sufficient training to recognize fake emails and other social engineering attempts.
2. Network scanners
Reconnaissance is a crucial step in all ransomware attacks. Ransomware operators take time to scan a network for entry and exit points, the types of data it contains, and the types of protections it has. Intrusion detection systems will typically filter out most malicious network scans, but many ransomware operators these days avoid detection through spoofed source addresses and altered scan rates.
Network scanners are legitimate tools that your IT team or provider may use, so always verify whether they are the ones running a scan. A reputable cloud-based security information and event management (SIEM) provider is a strong defense at this stage of a ransomware attack. SIEM providers equip your environment with powerful search and alert tools that can detect scanners and other illicit software before they can do any real damage.
3. Traces of MimiKatz
Mimikatz is an open-source tool used to extract and save authentication credentials such as usernames and passwords. Mimikatz was originally developed as a proof of concept to show Microsoft that its authentication mechanisms were vulnerable to attack. Today, Mimikatz is a popular tool for both white hat and black hat hackers.
A Mimikatz-based attack is usually characterized by spikes in Server Message Block (SMB) activity. It might be impossible for a small in-house IT team to stay on top of these attacks 24/7, so most IT providers use AI and machine learning to constantly scan networks for such spikes. As a precaution, your business should make sure to grant each employee only the minimum privileges their role requires. This limits how far ransomware operators can hop between your company's user accounts in search of privilege chains they can exploit for further access.
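The two detection ideas above, a SIEM alert for scanning activity and a watch for sudden spikes in SMB connections, can be illustrated with one small script. The following is an added example, not code from the original post or from OutsourceIT; it parses a constructed connection log (the "timestamp src dst port" layout is an assumption, adapt the regex to your firewall or NetFlow export), flags a source that touches many distinct ports within a short window, and flags a source whose per-minute SMB connection count jumps far above its own baseline:

```python
import re
from collections import Counter, defaultdict

# One connection attempt per line: "epoch_seconds src_ip dst_ip dst_port".
# This field layout is an assumption; adapt LINE_RE to your own log export.
LINE_RE = re.compile(
    r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})$"
)
SMB_PORT = 445
T0 = 1_700_000_040  # constructed start time, aligned to a 60-second bucket boundary


def build_sample_log():
    """Constructed sample traffic (not real data): one normal workstation, one
    port scanner, and one host that suddenly fans out over SMB."""
    lines = []
    for m in range(10):  # 10.0.0.7: three SMB connections to the file server per minute
        lines += [f"{T0 + m * 60 + i * 7} 10.0.0.7 10.0.0.50 {SMB_PORT}" for i in range(3)]
    for p in range(30):  # 10.0.0.99: 30 different ports on one host within ten seconds
        lines.append(f"{T0 + p // 3} 10.0.0.99 10.0.0.20 {20 + p}")
    for m in range(9):  # 10.0.0.42: quiet for nine minutes ...
        lines += [f"{T0 + m * 60 + i * 20} 10.0.0.42 10.0.0.50 {SMB_PORT}" for i in range(2)]
    for h in range(60):  # ... then 60 SMB connections to 60 hosts in one minute
        lines.append(f"{T0 + 540 + h} 10.0.0.42 10.0.1.{h + 1} {SMB_PORT}")
    lines.append("this line is malformed")  # the parser must skip it, not crash
    return "\n".join(lines)


def parse_log(text):
    """Return (ts, src, dst, port) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m[1]), m[2], m[3], int(m[4])))
    return events


def detect_port_scans(events, window=60, min_ports=20):
    """Sliding window per source: alert when one source hits at least
    `min_ports` distinct destination ports within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, _dst, port in events:
        by_src[src].append((ts, port))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window, left = Counter(), 0
        for ts, port in hits:
            in_window[port] += 1
            while hits[left][0] < ts - window:  # drop hits older than the window
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def detect_smb_spikes(events, bucket=60, factor=5.0, min_conns=20):
    """Per source, count SMB connections per minute; alert when the busiest
    minute is at least `factor` times that source's average other minute."""
    per_src = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, port in events:
        if port == SMB_PORT:
            per_src[src][ts // bucket] += 1
    alerts = {}
    for src, buckets in per_src.items():
        counts = sorted(buckets.values())
        peak, rest = counts[-1], counts[:-1]
        baseline = sum(rest) / len(rest) if rest else 0.0
        if peak >= min_conns and (baseline == 0 or peak >= factor * baseline):
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("port scans (src -> distinct ports in window):", detect_port_scans(evts))
    print("SMB spikes (src -> peak connections per minute):", detect_smb_spikes(evts))
```

Note that the scanner and the SMB fan-out are caught by different rules: the scanner touches many ports on one host, while the lateral-movement host touches one port on many hosts, which is why the spike rule compares each source against its own history rather than against a fixed count. The thresholds are starting points; on a real network, tune them against a baseline of your own IT team's authorized scans so those are verified rather than alerted on.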
4. A dry run of small attacks
No two systems are completely identical, so many ransomware attackers first establish a proof of concept of their attack strategy. They do this by running a small attack on one or two computers in the network as a way of confirming their assessment of the vulnerabilities in your network's endpoints.
Your users should know that ransomware attackers go big with their attacks. So if one computer starts acting strangely or one folder becomes encrypted with seemingly little harm done, your staff should never assume that that was the worst of the attack. It could simply be a dry run of a bigger attack to come, and you should put your IT team or provider on full alert.
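A folder that "becomes encrypted" has a measurable signature: its files turn into near-random bytes. As an added example (not code from the original post or from OutsourceIT), the script below estimates the Shannon entropy of each file in a folder and raises an alert when a large share of the folder has become high-entropy blobs whose extensions do not explain it. The sample data is constructed in memory; the entropy threshold, the allowlist of legitimately compressed file types and the ".locked" rename are assumptions:

```python
import math
import os
import random
from collections import Counter

# File types that are legitimately high-entropy (compressed or already encrypted).
# This allowlist is an assumption and should be tuned to the folder being watched.
HIGH_ENTROPY_OK = {".zip", ".7z", ".gz", ".png", ".jpg", ".jpeg", ".mp4", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspect(name, data, threshold=7.5, min_size=256):
    """A file is suspect when it looks like incompressible noise and its
    extension does not account for that."""
    ext = os.path.splitext(name)[1].lower()
    if ext in HIGH_ENTROPY_OK or len(data) < min_size:
        return False
    return shannon_entropy(data) >= threshold


def assess_folder(files, min_suspects=3, min_ratio=0.5):
    """files: mapping of file name -> bytes. 'alert' is True when at least
    `min_suspects` files and `min_ratio` of the folder are suspect."""
    suspects = sorted(name for name, data in files.items() if is_suspect(name, data))
    ratio = len(suspects) / len(files) if files else 0.0
    return {
        "files": len(files),
        "suspects": suspects,
        "ratio": round(ratio, 2),
        "alert": len(suspects) >= min_suspects and ratio >= min_ratio,
    }


def read_folder(root):
    """Load a real directory (non-recursive) into the mapping assess_folder expects."""
    out = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = fh.read()
    return out


def build_sample_folders():
    """Constructed sample data (not real files): a 'finance' share where six of
    eight documents were encrypted and renamed, and an untouched 'marketing' share."""
    rng = random.Random(7)
    noise = lambda: bytes(rng.randrange(256) for _ in range(4096))
    plain = b"Quarterly revenue summary. Figures attached for review.\n" * 40
    finance = {f"report_{i}.xlsx.locked": noise() for i in range(6)}
    finance["readme.txt"] = plain
    finance["notes.txt"] = plain
    marketing = {f"draft_{i}.txt": plain for i in range(5)}
    marketing["assets.zip"] = noise()  # compressed archive: high entropy, but expected
    return {"finance": finance, "marketing": marketing}


if __name__ == "__main__":
    for share, files in build_sample_folders().items():
        print(share, assess_folder(files))
```

To run it against a real share, call `assess_folder(read_folder("/path/to/share"))` on a schedule and forward the result to your SIEM. The extension allowlist is the weak spot: a dry run that encrypts files in place without renaming them would keep a ".xlsx" extension and be skipped, so in practice this check is paired with file-rename monitoring or canary files rather than used alone.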
5. Sudden uninstallation of security programs
Once a ransomware operator gains administrator privileges on a computer, they will typically disable security software and other system protections you may have. Users may suddenly receive a prompt in the system tray of their taskbar that Windows Defender was disabled and their antivirus software was shut off. If this occurs, your employees should know to quickly alert your IT team or provider so that experts can take steps to prevent encryption. Reporting time is crucial, as cybercriminals can encrypt your data as soon as they are done disabling and uninstalling your security tools.
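Because the window between "defenses off" and "files encrypted" is short, the same events the user sees in the tray should also page the SOC. As an added example (not code from the original post or from OutsourceIT), the script below classifies Windows event records and correlates them per host. The Defender operational log IDs 5001/5010/5012, the Security log's 1102 (audit log cleared) and Service Control Manager 7040 (service start type changed) are documented Windows event IDs; the provider strings, the list of protected service names and the sample records are assumptions and should be checked against your own endpoints:

```python
import re
from collections import defaultdict

# (provider, event id) pairs that indicate a protection was switched off.
# Provider strings are written as they appear in Event Viewer; verify them on your build.
DISABLE_SIGNALS = {
    ("Microsoft-Windows-Windows Defender", 5001): "Defender real-time protection disabled",
    ("Microsoft-Windows-Windows Defender", 5010): "Defender malware scanning disabled",
    ("Microsoft-Windows-Windows Defender", 5012): "Defender virus scanning disabled",
    ("Microsoft-Windows-Eventlog", 1102): "Security audit log cleared",
}
# Service Control Manager 7040: "The start type of the X service was changed from ... to disabled."
SCM_DISABLED_RE = re.compile(r"start type of the (.+?) service was changed from .+ to disabled", re.I)
# Services users should never be disabling (assumed list; add your AV/EDR vendor's service names).
PROTECTED_SERVICES = ("Windows Defender", "Microsoft Defender", "Sysmon", "Security Center")


def classify(event):
    """Return a short reason if the event is a protection-disabling signal, else None."""
    key = (event["provider"], event["event_id"])
    if key in DISABLE_SIGNALS:
        return DISABLE_SIGNALS[key]
    if event["provider"] == "Service Control Manager" and event["event_id"] == 7040:
        m = SCM_DISABLED_RE.search(event["message"])
        if m and any(p.lower() in m.group(1).lower() for p in PROTECTED_SERVICES):
            return f"service '{m.group(1)}' set to disabled"
    return None


def correlate(events, window=600):
    """Group signals per host. Two or more distinct signals within `window`
    seconds on one host are escalated to critical, since encryption can follow
    immediately once defenses are off."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        reason = classify(ev)
        if reason:
            per_host[ev["host"]].append((ev["time"], reason))
    alerts = []
    for host, sigs in per_host.items():
        first = sigs[0][0]
        burst = [r for t, r in sigs if t - first <= window]
        alerts.append({
            "host": host,
            "signals": burst,
            "severity": "critical" if len(set(burst)) >= 2 else "high",
        })
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real log exports
    {"time": 1000, "host": "WS-07", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001,
     "message": "Microsoft Defender Antivirus Real-time Protection is disabled."},
    {"time": 1030, "host": "WS-07", "provider": "Service Control Manager", "event_id": 7040,
     "message": "The start type of the Microsoft Defender Antivirus Service service was changed "
                "from auto start to disabled."},
    {"time": 1090, "host": "WS-07", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"time": 1100, "host": "WS-12", "provider": "Service Control Manager", "event_id": 7040,
     "message": "The start type of the Print Spooler service was changed from auto start to disabled."},
    {"time": 1200, "host": "WS-12", "provider": "Service Control Manager", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the records come from your log forwarder rather than a list literal, and the 7040 rule deserves an allowlist of your own change windows, since IT staff legitimately change service start types during maintenance; a user's report of the tray notification and this alert arriving together is exactly the "full alert" moment the section describes.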
Ransomware can seem like a daunting threat, but it can be kept at bay with proper tools and thorough training. This is why Washington DC and Charlotte businesses go with OutsourceIT's managed intrusion detection and 24/7 security operations center services. We'll make sure your network is fully armored up, inside and out. Contact us today to learn more.