This page is fully or partially automatically translated.

Threat Hunting & Response

Is a ransomware attack imminent? With these five signs you have to be careful!

A ransomware attack usually seems to come out of nowhere. The experts on Sophos' Managed Threat Response (MTR) team have a different experience: they have analyzed numerous ransomware attacks and identify five tangible signs of a potentially imminent attack. When working with ransomware victims, the MTR team examines the last week or two before the attack was discovered. If one of the five indicators turns up, it is investigated more closely. Each of them is almost certainly a sign that attackers have been snooping around to find out what the network looks like and how they can gain access to accounts in order to launch the ransomware. Attackers often use legitimate administrative tools to lay the groundwork for an attack, so the following five tools and behaviors easily blend into day-to-day operations and are overlooked. For the detection of an impending ransomware attack, however, they are clear warning signals that should be examined closely.

Network scanner (especially on the server).

The extortionists usually start by gaining access to a single computer, where they look for information: is it Mac or Windows, what is the domain or company name, what admin rights does the machine have, and so on. In the second step, they investigate which other users are active on the network and what access they have. The easiest way to find out is a network scan. If a scanner such as AngryIP or Advanced Port Scanner is detected, the administrators should be asked about it. If none of them officially uses such a scanner, a closer examination is mandatory.

Tools for disabling antivirus software.

Once attackers have admin rights, they will often try to disable the installed security software. They are helped by applications that force the removal of such software, such as Process Hacker, IOBit Uninstaller, GMER or PC Hunter. These commercial tools are legitimate, but in the wrong hands they are dangerous. Security teams and administrators should be alert if these programs suddenly appear on their systems.

The presence of MimiKatz.

Any indication that the MimiKatz tool has appeared should be investigated. If none of the administrators can vouch for its use, this is a deep red warning flag: MimiKatz is one of the most popular hacking tools for credential theft. Attackers also rely on Microsoft Process Explorer (included in Windows Sysinternals), a legitimate tool that can dump the memory of the Local Security Authority Subsystem Service (LSASS.exe) to a .dmp file. Once that file is exported to their own system, attackers can use MimiKatz to extract user names and passwords from it.

Patterns of unusual behavior.

Any detection that recurs at the same time of day or in a repeating pattern is an indicator that something unwanted is still happening somewhere, even if the malicious files have been detected and removed. Security teams should therefore ask themselves why the situation keeps coming back. It is often a sign that a malicious process is still running that has not yet been identified.

Test attacks.

Occasionally, attackers carry out test attacks on a few computers to check whether their attack method works or whether the security software stops them. If the attack is stopped, the attackers change their tactics and try again. However, they then know that their time is limited and that they could soon be exposed. After unsuccessful test attacks, it is therefore often only a matter of hours before a much larger attack occurs.
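The five signs above translate directly into a triage pass over process-creation logs. The following script is an added example, not Sophos' code: it flags the tools named in the article, drops hits that an administrator has vouched for (indicator three's "if no administrator can vouch for it"), and reports a host on which the same sign recurs as a repeating pattern (indicator four). The log format, host names, user names, paths and the `dumper.exe` line are constructed for the example.

```python
import re
from collections import Counter

# Tool names from the article, grouped by the warning sign they belong to (lower-case substring match).
WATCHLIST = {
    "network_scanner": ("angryip", "angry ip", "advanced port scanner", "advanced_port_scanner"),
    "av_disabling_tool": ("process hacker", "processhacker", "iobit uninstaller", "gmer", "pc hunter", "pchunter"),
    "credential_theft": ("mimikatz",),
}
# An LSASS memory image written to a .dmp file: the precursor to offline MimiKatz use.
LSASS_DUMP = re.compile(r"lsass.*\.dmp|\.dmp.*lsass", re.IGNORECASE)

def classify(image, cmdline):
    """Map one process start to a warning sign, or None if it matches nothing."""
    text = f"{image} {cmdline}".lower()
    for sign, names in WATCHLIST.items():
        if any(name in text for name in names):
            return sign
    return "credential_theft" if LSASS_DUMP.search(text) else None

def triage(log_lines, approved, repeat_threshold=3):
    """Return findings (time, host, user, sign) from 'time|host|user|image|cmdline' lines.
    approved: set of (user, sign) pairs an administrator has vouched for.
    A (host, sign) pair seen repeat_threshold times is reported once more as 'repeating_pattern'."""
    findings, seen = [], Counter()
    for line in log_lines:
        time, host, user, image, cmdline = line.split("|", 4)
        sign = classify(image, cmdline)
        if sign is None or (user, sign) in approved:
            continue  # nothing suspicious, or a known admin use of the tool
        findings.append((time, host, user, sign))
        seen[(host, sign)] += 1
        if seen[(host, sign)] == repeat_threshold:
            findings.append((time, host, user, "repeating_pattern"))
    return findings

# Constructed sample log (assumed format); every value here is invented for the example.
SAMPLE_LOG = [
    "2024-05-01T09:02|FS01|svc_backup|C:\\Tools\\Advanced_Port_Scanner.exe|Advanced_Port_Scanner.exe",
    "2024-05-01T09:10|WS05|adm_jane|C:\\Tools\\Advanced_Port_Scanner.exe|Advanced_Port_Scanner.exe",
    "2024-05-01T11:20|FS01|svc_backup|C:\\Users\\Public\\ProcessHacker.exe|ProcessHacker.exe",
    "2024-05-01T11:45|DC01|svc_backup|C:\\Temp\\dumper.exe|dumper.exe lsass.exe C:\\Temp\\lsass.dmp",
    "2024-05-01T12:05|FS01|svc_backup|C:\\Users\\Public\\mimikatz.exe|mimikatz.exe",
    "2024-05-02T08:00|WS12|bob|C:\\Temp\\gmer.exe|gmer.exe",
    "2024-05-03T08:00|WS12|bob|C:\\Temp\\gmer.exe|gmer.exe",
    "2024-05-04T08:00|WS12|bob|C:\\Temp\\gmer.exe|gmer.exe",
    "2024-05-04T08:30|WS12|bob|C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE|OUTLOOK.EXE",
]
APPROVED = {("adm_jane", "network_scanner")}  # jane is allowed to run the port scanner

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, APPROVED):
        print(*finding)
```

Substring matching is deliberately coarse; every hit still goes to the administrators for confirmation, exactly as the article recommends.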

Sophos Managed Threat Response.

Threat hunting and response is becoming an increasingly important element of an effective IT security strategy, and while the underlying technology, Managed Detection & Response (MDR), has often been the preserve of large corporations, Sophos is now bringing this capability to smaller businesses. The resellable service provides organizations with a 24/7 security team to neutralize even the most sophisticated threats. Building on Intercept X Advanced with Endpoint Detection and Response (EDR), Sophos MTR fuses machine learning with expert analysis to improve threat detection, investigate alerts more thoroughly and take more targeted action to eliminate threats. The MTR service can be customized with different service levels and response modes to meet the specific needs of each organization. Unlike many MDR services that focus on monitoring and alerts, the new MTR focuses on rapid escalation and threat response based on the organization's preferences.