There’s a common misperception that ransomware attacks happen overnight. That is, once an organization’s network is infected, their data is immediately locked up and held for ransom by cybercriminals.
This is not the case, because hackers first have to obtain the following information:
- Where their malware landed
- How the network is set up
- Where data is stored
- How valuable the data is
- What backup and cybersecurity systems their target has
- What admin rights their target has, and which ones are unsecured and can be exploited
To use the parlance of crooks, the hackers have to “case the joint” before carrying out their heist. Their preparations can take a few weeks or entire months — that is more than enough time for the target to wise up and detect the signs of the ransomware attack, which include the following:
Markers of phishing emails
Ransomware infections often begin with people clicking on malicious links in their emails or downloading malware-laced attachments. These emails appear to come from colleagues, superiors, banks, and government agencies — people and organizations they’re familiar with. However, recipients must be wary of the following:
- Links with domains that aren’t spelled right
Sometimes, you can spot misspellings easily. But there are instances when doing so may be difficult because some letters look the same in certain fonts, like the capital letter “I” and the lowercase “l”. This allows hackers to imitate links for sites that have either of the letters in their domain name, like PayPal.com.
As a general rule, do not click on any link provided in an email. Type the URL directly into the web browser as you remember it, or just search for the sender’s website online and navigate it from there.
- Unexpected attachments
There are instances when harmless-looking emails from one of your contacts come with files that you didn’t ask for or are out of the ordinary. These files may be carrying ransomware, so you’ll want to verify with the sender first if they indeed meant to give you the attachment. Remember to call or use another medium to reach them, such as a verified phone help line, because the email account may already be in the hands of the hacker.
Myth: Once an organization’s network is infected with ransomware, their data is immediately locked up by cybercriminals.
Suspicious files and malware keep coming back
Files that reappear despite multiple deletions and reboots is a sign that a hacker intends to keep their foothold in your network. And when you try to add to your antivirus arsenal by downloading web-based cybersecurity apps, somehow you are prevented from doing so. This is a clear sign that you need to seek the help of an IT specialist to remove the malware for you.
Network scanning tools
To scope out your network, hackers will use tools such as Advanced Port Scanner and AngryIP. These tools are legitimate, but be on the lookout for scans that are unscheduled or are done by admins who aren’t in charge of network scanning.
New admin accounts and fishy apps
Administrator accounts are created outside of your ticketing or account management system. Holders of these accounts then proceed to install credential-stealing apps like MimiKatz and legitimate program removal apps like PC Hunter. The stolen credentials are used to log in to more machines and spread the ransomware infection. Software removal apps, on the other hand, are used to remove anti-malware software — yet another red flag for your IT team.
Precursors to the ransomware campaign’s endgame
To help ensure a successful campaign, cybercriminals will often show their hand by:
- Attempting to disable system controls such as those for deploying software updates and security patches
- Deleting every backup they chance upon
- Testing your defenses with a small attack
If you fail to catch any of these ransomware warning signs, then company data may end up being locked away. If that happens, your organization will suffer downtime, a tarnished reputation, lost customers, and penalties from regulatory bodies.
Thankfully, your organization doesn’t have to be alone in guarding against ransomware. Drop us a line today to learn how our cybersecurity specialists at Umbrella can help.