
Asking around: the easiest ransomware attack signals to miss

We ask security pros to consider common entry points.


Ransomware victims may feel like they missed the early warning signs: a malware download here, a social-engineering call there.

But if you never saw a red flag while looking over the network, you’re not alone: almost 7,500 organizations around the world were hit by ransomware last year, and there are lots of ways into even the most hardened systems.

During a recent IT Brew event, an attendee asked: “What do early signs of intrusion actually look like in practice? What are the signals that teams most commonly miss before it escalates?”

We posed the question to security pros, who shared the entry points you might be missing.

The responses below were from separate interviews and have been edited for length and clarity.

Malware

Nick Biasini, head of outreach at threat-intel research org Cisco Talos: The hardest thing with ransomware is you don’t know when the infection is going to start, so you can’t do things like discount an infostealer infection or a remote access Trojan infection…what starts as a bad guy sending out some random commodity malware can very quickly turn into a ransomware incident.

Data

Leeann Nicolo, director of Coalition Incident Response for cyber insurance provider Coalition: Often in ransomware, before the encryption or the data exfiltration, we are seeing data access. On the firewall, we are seeing indicators of data going up: data being taken from a network or [accessed] on the network. We’re seeing mass file-access by a user account, oftentimes in the middle of the night or at weird hours.
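As an added illustration (not part of the original article and not code from Coalition or any of the interviewees), here is a Python sketch of the “mass file access at weird hours” check Nicolo describes. It runs over constructed file-audit lines of the form `timestamp,user,action,path`; the business-hours range and both thresholds are assumptions that you would tune to the environment’s own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Assumed tuning values: adjust to the environment's baseline.
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time
MASS_ACCESS_THRESHOLD = 50         # distinct files per account per hour, any time
OFF_HOURS_THRESHOLD = 20           # lower bar when the hour is outside business hours


def build_constructed_lines():
    """Constructed file-audit lines 'timestamp,user,action,path'.
    Made up for this example; not real telemetry."""
    lines = [f"2024-03-11T09:{m:02d}:00,alice,read,//fs01/finance/report{m}.xlsx"
             for m in range(6)]                       # a normal morning
    lines += [f"2024-03-11T02:{m:02d}:30,jdoe,read,//fs01/hr/personnel{m}.docx"
              for m in range(60)]                     # 60 files at 2 a.m.
    return lines


def parse_line(line):
    ts, user, action, path = line.strip().split(",", 3)
    return datetime.fromisoformat(ts), user, action, path


def files_per_account_hour(lines):
    """Group the distinct paths each account touched into one-hour buckets."""
    buckets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, user, _action, path = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(user, hour)].add(path)
    return buckets


def find_mass_access(lines, threshold=MASS_ACCESS_THRESHOLD,
                     off_hours_threshold=OFF_HOURS_THRESHOLD,
                     business_hours=BUSINESS_HOURS):
    """Flag (account, hour) pairs whose distinct-file count is unusual.
    The bar is lower outside business hours, which is where the
    pre-exfiltration staging described above tends to show up."""
    findings = []
    for (user, hour), paths in files_per_account_hour(lines).items():
        off_hours = hour.hour not in business_hours
        bar = off_hours_threshold if off_hours else threshold
        if len(paths) >= bar:
            findings.append({"user": user, "hour": hour.isoformat(),
                             "distinct_files": len(paths), "off_hours": off_hours})
    return sorted(findings, key=lambda f: (-f["distinct_files"], f["user"]))


if __name__ == "__main__":
    for finding in find_mass_access(build_constructed_lines()):
        print(finding)
```

Counting distinct paths rather than raw events keeps a user who re-saves one spreadsheet fifty times from tripping the rule, while an account walking an entire HR share at 2 a.m. still does.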

Legitimate IT tools

Nick Hyatt, principal threat intelligence analyst at cybersecurity consultancy GuidePoint Security: A lot of ransomware groups will use PowerShell and especially encoded PowerShell commands, especially during that initial access phase, and then implant tools…So, if you have a user account that’s been compromised, and that account has credentials for the domain or administrative credentials, and maybe it’s an IT person, and they’re running an encoded PowerShell command, then that just blends in with the traffic. And so that’s what a lot of these ransomware groups try to do: They blend in beneath the surface and “live off the land” until they can detonate this ransomware…We’ve also seen them use legitimate tools, especially remote management tools.

Access

Nicolo: There has to be access; there has to be a login to something, and that is often missed. So, logging into the network, via a VPN, or logging into the cloud; that could be on Microsoft 365—that’s usually the first kind of indicator…Identity anomalies [often include] multi-factor authentication enrollment. So, on Microsoft 365 we’ll see a device enrollment or a mailbox rule set up. Those are kind of laying the groundwork for what is to come.

Perimeter devices

Hyatt: After that initial access, you’re probably going to see things like increased scanning against perimeter devices, especially if there are certain firewalls or certain tools that are vulnerable to attacks. There are certain groups that really love to attack certain technologies. You’ll see increased scanning around there. You’ll see increased activity, maybe brute force account attacks—people trying passwords against multiple accounts trying to get in.
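Nicolo’s identity groundwork (a login, then an MFA enrollment and a mailbox rule) and Hyatt’s brute-force activity against many accounts are the kind of small anomalies that only become a story once they are joined up. The following is an added example (not part of the original article and not Coalition’s or GuidePoint’s tooling) that does that joining in Python over constructed, simplified audit records: it first flags a source IP whose failed logins spread across many distinct accounts in a short window (a password spray, which per-account lockout counters miss), then looks for a later successful login from that IP followed by an MFA-method registration and an inbox rule with a forwarding, delete or move parameter. The operation names only loosely follow the Microsoft 365 unified audit log, and the thresholds, windows, account names and 198.51.100.7 / 203.0.113.20 addresses are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; set from your own sign-in baseline.
SPRAY_MIN_ACCOUNTS = 8                    # distinct accounts failed from one source
SPRAY_WINDOW = timedelta(minutes=30)
FOLLOWUP_WINDOW = timedelta(hours=24)     # how long after the login we look for groundwork
RULE_PARAMS_OF_CONCERN = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                          "DeleteMessage", "MoveToFolder")


def build_constructed_events():
    """Constructed, simplified audit records (not real M365 data)."""
    ev = []
    victims = ["amy", "ben", "cara", "dan", "eve", "fay", "gus", "hal", "ivy", "jon"]
    for i, u in enumerate(victims):          # one password tried against every account
        ev.append({"ts": f"2024-03-10T23:{i:02d}:00", "op": "UserLoginFailed",
                   "user": u, "ip": "198.51.100.7"})
    ev += [
        {"ts": "2024-03-10T23:12:00", "op": "UserLoggedIn", "user": "hal", "ip": "198.51.100.7"},
        {"ts": "2024-03-10T23:20:00", "op": "UserRegisteredSecurityInfo", "user": "hal",
         "ip": "198.51.100.7"},                                  # new MFA method
        {"ts": "2024-03-11T03:05:00", "op": "New-InboxRule", "user": "hal", "ip": "198.51.100.7",
         "params": {"SubjectContainsWords": "invoice;password;mfa",
                    "MoveToFolder": "RSS Subscriptions"}},      # hides security mail
        {"ts": "2024-03-11T08:30:00", "op": "UserLoggedIn", "user": "amy", "ip": "203.0.113.20"},
    ]
    return ev


def _t(s):
    return datetime.fromisoformat(s)


def detect_sprays(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Source IPs whose failures touch many distinct accounts inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoginFailed":
            fails[e["ip"]].append((_t(e["ts"]), e["user"]))
    sprays = {}
    for ip, items in fails.items():
        items.sort()
        for t0, _ in items:                    # slide the window over each start time
            users = {u for t, u in items if t0 <= t <= t0 + window}
            if len(users) >= min_accounts:
                sprays[ip] = {"ip": ip, "first_seen": t0.isoformat(), "accounts": sorted(users)}
                break
    return sprays


def correlate(events):
    """Chain per user: login from a spraying IP -> MFA registration -> inbox rule."""
    sprays = detect_sprays(events)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    chains = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])        # ISO timestamps sort as strings
        for e in evs:
            if e["op"] != "UserLoggedIn" or e["ip"] not in sprays:
                continue
            t_login = _t(e["ts"])
            stages = ["login_after_spray"]
            for f in evs:
                if not (t_login <= _t(f["ts"]) <= t_login + FOLLOWUP_WINDOW):
                    continue
                if f["op"] == "UserRegisteredSecurityInfo":
                    stages.append("mfa_registration")
                elif f["op"] == "New-InboxRule" and any(
                        k in RULE_PARAMS_OF_CONCERN for k in f.get("params", {})):
                    stages.append("inbox_rule")
            chains.append({"user": user, "ip": e["ip"], "login": e["ts"], "stages": stages})
    return chains


if __name__ == "__main__":
    for chain in correlate(build_constructed_events()):
        print(chain)
```

Each stage on its own is something a help desk sees daily; a single successful login, one MFA enrollment, one new rule. The chain is what turns them into an incident, which is why the spray source is kept as the join key rather than alerting on the failures alone.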

Anything odd

Nicolo: Basically if there’s anything that you are doing in your day-to-day that causes you to pause or take a second to think…Don’t proceed with business as usual. Because likely, when we unravel this in forensics, there usually is somebody along the chain that says, “Oh, I do remember that weird email, or I did see that IP, or I did get that phone call.”


“I think the early signs are rarely a smoking gun…They’re usually the small correlated anomalies in identity, perimeter, payments. And it’s the job for modern-day defenders to connect those dots.”

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
