Tuesday, 11 August 2020 10:18

Sophos expert lists signs that could indicate a ransomware attack is on the way

By Sam Varghese

Ransomware attacks are generally assumed to hit like a thief at night, often occurring on the weekends when security staff are thinking of anything but work.

But Sophos incident response team leader Peter Mackenzie says there are behavioural anomalies present in telemetry records before an attack that, while not malicious on their own, could be early indicators of an attacker sizing up the company for a ransomware attack.

This discussion, titled Five signs you're about to be attacked, was the third in a series of five articles about ransomware issued by Sophos; iTWire covered the first article last week and the second on Monday.

Mackenzie cited the following five indicators that he said warranted a second look:

  • A network scanner, especially on a server;
  • Tools for disabling anti-virus software;
  • The presence of Mimikatz, an open-source application that allows users to view and save authentication credentials like Kerberos tickets;
  • Patterns of suspicious behaviour; and
  • Test attacks.

"If we see any of these five indicators, in particular, we jump on them straight away," he said. "Any of these found during an investigation is almost certainly an indication that attackers have poked around to get an idea of what the network looks like, and to learn how they can get the accounts and access they need to launch a ransomware attack.

"Attackers use legitimate admin tools to set the stage for ransomware attacks. Without knowing what tools administrators normally use on their machines, one could easily overlook this data. In hindsight, these five indicators represent investigative red flags."

He said anyone who was looking at a prospective target usually began by gaining access to one machine on the company's network where they searched for information. "[What they look for is information like] is this a Mac or Windows system, what’s the domain and company name, what kind of admin rights does the computer have, and more," Mackenzie said.

"Next, attackers will want to know what else is on the network and what can they access. The easiest way to determine this is to scan the network. If a network scanner, such as AngryIP or Advanced Port Scanner, is detected, question admin staff. If no one admits using the scanner, then it is time to investigate."

He said any indication that software used to disable anti-virus software was present on a system should be viewed with suspicion.

"Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter," Mackenzie said.

"These types of commercial tools are legitimate, but in the wrong hands, security teams and admins need to question why they have suddenly appeared."

The presence of Mimikatz was a red flag that had to be investigated, if nobody in an admin team was using it. "Any detection of Mimikatz anywhere should be investigated. If no one on an admin team can vouch for using Mimikatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft," he explained.

"Attackers also use Microsoft Process Explorer, included in Windows Sysinternals, a legitimate tool that can dump LSASS.exe from memory, creating a .dmp file. They can then take this to their own environment and use Mimikatz to safely extract user names and passwords on their own test machine."

Mackenzie said another indicator of a possible future attack was a detection that recurred at the same time every day, even when the malicious files involved were detected and removed each time.

He said such a recurrence was usually a sign that an underlying problem had not yet been found. "Security teams should ask 'why is it coming back?' Incident responders know it normally means that something else malicious has been occurring that hasn't (as of yet) been identified."

And, finally, he said attackers occasionally carried out small test attacks on a few machines to see if their deployment methods were working as expected and whether ransomware executed successfully or was stopped by security software on the target machines.

"If the security tools stop the attack, they [attackers] change their tactics and try again. This will show their hand, and attackers will know their time is now limited. It is often a matter of hours before a much larger attack is launched," Mackenzie said.
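As an added example of how these signs could be checked in telemetry (this is not Sophos code and was not part of the original article), the Python below runs simple triage rules over constructed process-creation events and anti-virus detection records. It covers the network scanner, anti-virus removal tool, Mimikatz and Process Explorer LSASS-dump indicators described above, skips tools that an administrator has vouched for, and separately flags detections that keep recurring at the same hour on several days. The event fields, binary names, host names and signature names are assumptions chosen for illustration.

```python
"""Triage of process-creation events and AV detections for the five ransomware
pre-attack signs. Example code written for this article; not Sophos tooling.
Event layout, binary names and detection names below are assumptions."""
from collections import defaultdict
from datetime import datetime

# Assumed on-disk names of the tools named in the article.
SCANNERS = {"ipscan.exe", "advanced_port_scanner.exe"}              # AngryIP, Advanced Port Scanner
AV_REMOVAL = {"processhacker.exe", "iobituninstaller.exe",
              "gmer.exe", "pchunter64.exe", "pchunter32.exe"}        # Process Hacker, IOBit, GMER, PC Hunter
CRED_THEFT = {"mimikatz.exe"}
PROCEXP = {"procexp.exe", "procexp64.exe"}                           # Sysinternals Process Explorer

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2020-08-03T02:14:00", "host": "DC01", "role": "server", "user": "CORP\\svc-backup",
     "image": "C:\\Users\\Public\\Advanced_Port_Scanner.exe", "target": ""},
    {"ts": "2020-08-03T02:20:00", "host": "DC01", "role": "server", "user": "CORP\\svc-backup",
     "image": "C:\\Users\\Public\\procexp64.exe", "target": "C:\\Windows\\Temp\\lsass.dmp"},
    {"ts": "2020-08-03T02:31:00", "host": "FS02", "role": "server", "user": "CORP\\svc-backup",
     "image": "C:\\Users\\Public\\PCHunter64.exe", "target": ""},
    {"ts": "2020-08-04T09:05:00", "host": "WS-ADMIN7", "role": "workstation", "user": "CORP\\jdoe-admin",
     "image": "C:\\Tools\\ipscan.exe", "target": ""},
]

# Constructed (user, binary) pairs that admin staff have vouched for when asked.
VOUCHED = {("CORP\\jdoe-admin", "ipscan.exe")}

# Constructed AV detection records: (timestamp, host, detection name).
SAMPLE_DETECTIONS = [
    ("2020-08-03T03:02:11", "WS-FIN12", "Mal/Generic-S"),
    ("2020-08-04T03:01:58", "WS-FIN12", "Mal/Generic-S"),
    ("2020-08-05T03:03:05", "WS-FIN12", "Mal/Generic-S"),
    ("2020-08-04T14:20:00", "WS-HR03", "Troj/Agent-B"),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events, vouched):
    """Return (indicator, host, user, binary) for events matching the tool-based signs.
    An event is skipped when the user has vouched for that binary, mirroring the
    article's advice to question admin staff before opening an investigation."""
    findings = []
    for e in events:
        exe = basename(e["image"])
        if (e["user"], exe) in vouched:
            continue
        if exe in SCANNERS:
            findings.append((f"network scanner on {e['role']}", e["host"], e["user"], exe))
        elif exe in AV_REMOVAL:
            findings.append(("AV removal tool", e["host"], e["user"], exe))
        elif exe in CRED_THEFT:
            findings.append(("credential theft tool", e["host"], e["user"], exe))
        elif exe in PROCEXP and basename(e["target"]).endswith(".dmp"):
            findings.append(("LSASS memory dump via Process Explorer", e["host"], e["user"], exe))
    return findings


def recurring_detections(detections, min_days=3):
    """Group detections by (host, name, hour of day) and return the groups seen on at
    least min_days distinct days: the 'same time every day' pattern from the article."""
    seen = defaultdict(set)
    for ts, host, name in detections:
        t = datetime.fromisoformat(ts)
        seen[(host, name, t.hour)].add(t.date())
    return {key: sorted(d.isoformat() for d in days)
            for key, days in seen.items() if len(days) >= min_days}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, VOUCHED):
        print("INVESTIGATE:", *f)
    for (host, name, hour), days in recurring_detections(SAMPLE_DETECTIONS).items():
        print(f"RECURRING: {name} on {host} at {hour:02d}:00 on {', '.join(days)}")
```

Run against the constructed data, the triage flags the scanner, the LSASS dump and the PC Hunter launch on the two servers but not the vouched AngryIP run on the admin workstation, and the recurrence check reports the detection that keeps coming back at 03:00 on three consecutive days. In a real deployment the event list would come from Sysmon or EDR process-creation telemetry and the vouched set from a ticketed change record rather than a hard-coded set.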


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
