According to researchers, insurers receive over 100 claims every day over cyber-attacks, particularly ransomware. The average ransomware attack can take anywhere from 60 to 120 days to move from the initial attack to delivery of the actual ransomware, which means that thousands of organizations potentially have attackers currently hiding ransomware in their networks, preparing to set off their attack.
So, the question remains, what are the early signs for companies that are looking out for ransomware attacks before they cause the real damage? And what should they do if they come across an attack in progress?
Look out for Open RDP
File encryption is the last step of a ransomware attack. Before that, the hackers will spend plenty of time, weeks or longer, studying the network to determine where its vulnerabilities and weaknesses lie, if any. One of the most common routes hackers use to work their way into organizations' networks is RDP (Remote Desktop Protocol) links left open to the internet.
Security experts recommend looking carefully at your environment to thoroughly comprehend what your RDP exposure is, and to ensure that you have 2FA on those links or keep them behind a secure VPN. With the Covid-19 pandemic, more employees are working remotely, hence more companies have opened their RDP links to help smooth out work-from-home access. Unfortunately, this is also giving hackers the opportunity to access networks. Therefore, experts advise scanning of internet-facing systems for any open RDP ports on a regular basis as part of a comprehensive cyber security program.
Unexpected Software Tools
Another warning sign could be unforeseen software tools on your network. Ransomware attackers may begin with control of one PC on a network, possibly via a phishing email. A series of phishing emails could be the early sign of an attack, and if your employees are trained to identify them, that could offer early detection.
With this tiny foothold in the network, hackers begin exploring from the initial breach to check what else and where else they can attack your network.
This calls for using network scanners. If any vulnerabilities are discovered on the network, it’s time to investigate with your IT security team.
Check for these tools in your network
Another warning is any sign of tools like Microsoft Process Explorer, known for use in attempts to steal login credentials and passwords, and Mimikatz, a tool used by ransomware hackers. Once these tools gain access to your network, the hackers will frequently try to extend their reach by creating admin accounts for themselves, and use that reach to disable any security software using applications developed to aid with the forced removal of software.
In addition, there are also some hints that a ransomware attack is getting close to completion. The attackers will strive to disable domain controllers and Active Directory and to corrupt any backups they discover. They will also go to the extent of disabling any software development systems that are generally used to push updates or patches. When all this is done, they will hit you with the ransomware attack.
How to make your organization less attractive for attackers?
So how do we stop the hackers once they enter the network? Experts suggest the most important task is to get hold of the RDP sessions, as that is the way to stop attackers coming in and to disable their command and control access. You could also force a password change across core systems. It is crucial to look out for any suspicious or new admin account appearing in your network.
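One way to watch for the new admin accounts mentioned above, as an added example that is not part of the original article: it correlates Windows Security event 4720 (account created) with events 4728/4732/4756 (member added to a security group) by SID. The flattened JSON export format, the list of admin group names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720                    # "A user account was created"
GROUP_MEMBER_ADDED = {4728, 4732, 4756}   # member added to global/local/universal security group
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}  # assumed watch list
WINDOW = timedelta(hours=24)              # assumed correlation window

# Constructed sample events (flattened JSON, one per line); not real log data.
SAMPLE_LOG = """\
{"EventID": 4720, "TimeCreated": "2024-01-10T02:14:05", "SubjectUserName": "jsmith", "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-1-2-3-1601"}
{"EventID": 4732, "TimeCreated": "2024-01-10T02:15:40", "SubjectUserName": "jsmith", "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1601"}
{"EventID": 4720, "TimeCreated": "2024-01-10T09:00:00", "SubjectUserName": "helpdesk", "TargetUserName": "newhire", "TargetSid": "S-1-5-21-1-2-3-1602"}
{"EventID": 4732, "TimeCreated": "2024-01-10T09:01:00", "SubjectUserName": "helpdesk", "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1-2-3-1602"}
{"EventID": 4728, "TimeCreated": "2024-01-12T03:00:00", "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins", "MemberSid": "S-1-5-21-1-2-3-1150"}
"""

def find_new_admin_accounts(log_text, window=WINDOW):
    """Alert on every admin-group addition; 'high' if the account was created within `window`."""
    created = {}   # account SID -> (creation time, account name)
    alerts = []
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["TimeCreated"])   # ISO timestamps sort chronologically
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = (when, ev["TargetUserName"])
        elif ev["EventID"] in GROUP_MEMBER_ADDED and ev["TargetUserName"].lower() in ADMIN_GROUPS:
            # In group-change events TargetUserName is the group; MemberSid is the account added.
            born = created.get(ev["MemberSid"])
            fresh = born is not None and when - born[0] <= window
            alerts.append({
                "sid": ev["MemberSid"],
                "account": born[1] if born else None,   # name known only if creation was logged
                "group": ev["TargetUserName"],
                "added_by": ev["SubjectUserName"],
                "severity": "high" if fresh else "review",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_new_admin_accounts(SAMPLE_LOG):
        print(alert)
```

An existing account added to an admin group is still reported, at "review" severity, since an attacker may promote a compromised account instead of creating a new one.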
Experts also suggest keeping your software updated and patched; ransomware attacks are highly dependent on software vulnerabilities to get started. Training your employees to avoid clicking on any random, fishy emails, while adding strong passwords with 2FA across every system, will help deter attackers.