1. Suspicious emails

Like most cyberattacks, a ransomware attack usually starts with a social engineering scam. A phishing email containing a malicious attachment or a link to a malicious website is the most likely culprit. More sophisticated phishing attempts are often quite convincing and may appear to come from a legitimate company, making any attached file look safe to download. While your spam filters and antivirus scanners should block most of these attempts, you can't take them for granted. Never download an attachment you weren't expecting, especially if the file is an executable program.

2. Disabled antivirus software

Most ransomware is easily detected by a reputable and up-to-date anti-malware scanner. To work around this, attackers may first attempt to gain elevated access to your systems so they can disable your security software. Again, they will likely use a social engineering scam to dupe an unsuspecting employee into granting them access rights. If your antivirus software has been mysteriously deactivated, chances are an attack is imminent.

3. Network scanners

More sophisticated cybercriminals may first try to gain access to a poorly protected endpoint to search for information that can assist them in their next steps. This may expose things like which admin rights are in place on which systems. To find vulnerabilities, attackers may use network scanning software like Advanced Port Scanner or AngryIP. Administrators should constantly be on the lookout for network scanners, particularly on servers, and find out whether or not they're being used legitimately.

4. Simulated attacks

Another common tactic hackers use is running small-scale attacks or simulations to seek out larger vulnerabilities in your network and endpoints. With ransomware, the usual goal is to find out which deployment methods are most likely to work and infect as many connected systems as possible. That's why you should always look out for seemingly minor and inconsequential attacks. Catching them early can buy your security team valuable hours to prevent something far worse from happening.

5. Unfamiliar login attempts

While most attackers rely on social engineering to spread ransomware, others take a sneakier approach by trying to log in to your systems directly. This may involve logging in to in-house servers and workstations or to remote assets like online storage accounts. You should always look out for failed login attempts, particularly on Remote Desktop Protocol (RDP) servers. You can view these login attempts in Active Directory.
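As an added example (not from the original post), the following PowerShell script summarises failed RDP logon attempts from the Windows Security event log (event ID 4625) on the host that accepts the connections, grouping them by source address and account so that repeated failures stand out. The 24-hour window and the threshold of 10 failures are assumed values; adjust them to your environment.

```powershell
# Added example: summarise failed RDP logons (Security event 4625) on the
# local host, grouped by source address and target account.
# Assumes it runs elevated on the RDP host (or on a collector that receives
# its forwarded Security log). Window and threshold are illustrative.
param(
    [int]$Hours = 24,
    [int]$Threshold = 10   # failures per source/account that warrant a look
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$failed = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Logon type 10 is RemoteInteractive (RDP). With Network Level
    # Authentication enabled, rejected credentials are commonly recorded
    # as logon type 3 (Network) before any session is created.
    if ($d.LogonType -in '10', '3') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = $d.IpAddress
            Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Type    = $d.LogonType
            Status  = $d.SubStatus   # e.g. bad password vs. unknown user
        }
    }
}

$failed | Group-Object Source, Account |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Source   = $ordered[0].Source
            Account  = $ordered[0].Account
            Failures = $_.Count
            First    = $ordered[0].Time
            Last     = $ordered[-1].Time
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A single source cycling through many accounts, or one account failing from many sources, is the pattern worth investigating; the domain controllers hold the corresponding authentication events for domain accounts.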
What are the next steps?

If you detect a potential ransomware threat or any other kind of attack, you should immediately disconnect the affected devices from your network. This will stop the attack from getting worse by spreading to shared network resources like storage area networks. Also disconnect any external devices that might be compromised, and quarantine them until the security team has had time to conduct a thorough investigation. Online Computers provides managed security services that keep you safe from ransomware and other threats. Contact us today to schedule a consultation.