How to Detect Ransomware: Understanding Signs of Infection

With ransomware getting more sophisticated, organizations are under constant threat of data loss and breaches. According to Statista, the share of organizations reporting a ransomware attack has grown every year since 2018, peaking in 2021 at 68.5% of businesses. Additionally, the number of ransomware families detected in 2020 (127) was 34% larger than the number detected in 2019.

In this blog post, we define ransomware and shed light on the main infection channels and ransomware detection techniques. Also, we go over the solutions to identify ransomware, prevent further infection and increase the resilience of your data against ransomware.

Before we start
NAKIVO Backup & Replication delivers ransomware protection for backup data. To learn more about improving your infrastructure cyber resilience, download the white paper on the best practices for ransomware protection. 

What Is Ransomware?

Ransomware is malicious software that breaks into personal or corporate IT environments and encrypts data or locks users out of it. The goal of a ransomware attack is to extort a ransom from the victim in exchange for restoring access to the encrypted or locked data.

How Systems Get Infected with Ransomware: 5 Infection Vectors

To prevent your organization's IT systems from being infected by ransomware, you should know the most common ways malware spreads. This way, you learn which system components are most exposed to ransomware attacks and how to promptly detect ransomware activity in your infrastructure.

The ways your organization can become a victim of ransomware are countless. However, these are the most prevalent infection vectors:

  • Suspicious email messages prompting the recipient to click a link or open an attachment that contains malware.
  • Malicious websites built to trick people into browsing their pages and eventually becoming infected with ransomware by clicking malicious hyperlinks.
  • Social media platforms are often seen as trustworthy and legitimate, so users tend to trust content posted there. Malware spreads through malicious applications, advertisements, plug-ins and links on these platforms, which lure users into downloading malicious payloads such as ransomware or cryptomining agents.
  • Malvertising is online advertising that carries malicious code. Clicking an ad on a seemingly legitimate website can infect your computer with malware, sometimes with no further action on your part.
  • Mobile ransomware delivered through mobile apps injected with malicious code. Installing such an app can infect your phone within seconds, and the infection can spread to your computer the next time the two devices are connected.

Ransomware Detection Techniques

To detect ransomware that is attempting to intrude into, or is already disrupting, your IT environment, you can use a set of tools and techniques that reveal malicious files and suspicious activity. Security specialists distinguish three types of detection techniques:

  • Signature-based
  • Behavior-based
  • Deception

Below we review each ransomware detection technique in detail.

Signature-based detection

Signature-based methods compare the hash of a suspect file, or a characteristic byte sequence inside it, against a database of signatures extracted from previously analyzed malware. This is the common first-step technique in antivirus solutions and security platforms: the scanner inspects the contents of an executable before it is allowed to launch, so that known ransomware code is recognized early and blocked before it runs.

This method forms the basic layer of an organization's defense. However, although signature-based methods detect known ransomware strains effectively, they can fail against new malware and against new variants of known families. Attackers also invest considerable effort in updating their malware and in evading or disabling security tools, for example by repacking and obfuscating their binaries, which makes signature matching more challenging.
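To make the difference between a hash signature and a content signature concrete, here is an added example (our illustration, not NAKIVO's or any vendor's detection code). The sample bytes, the signature names and the toy XOR packer are constructed for the demonstration; real signatures come from a threat-intelligence feed. The script shows that flipping one byte defeats the hash match while the byte-pattern still fires, and that packing the file defeats both static checks:

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a ransomware executable: a PE-like header followed
# by the kind of ransom text a real sample embeds. Hypothetical, not a real strain.
KNOWN_SAMPLE: bytes = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"All your files have been encrypted! Send 0.5 BTC to recover them."
)

# Exact-match signature: one hash per known file. Fragile by design.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Hypothetical.Ransom.A",
}

# Content signature (YARA-style): a byte regex that tolerates small edits
# elsewhere in the file. Signature name is hypothetical.
PATTERN_SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(rb"files have been encrypted.{0,40}BTC", re.IGNORECASE | re.DOTALL),
     "Hypothetical.Ransom.A.gen"),
]


def scan(data: bytes) -> List[str]:
    """Return the list of signature hits for a file's bytes (empty list = clean)."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append("hash:" + HASH_SIGNATURES[digest])
    for regex, name in PATTERN_SIGNATURES:
        if regex.search(data):
            hits.append("pattern:" + name)
    return hits


def xor_pack(data: bytes, key: int) -> bytes:
    """Toy packer: XOR every byte with a key. Real packers compress or encrypt
    the body and prepend a stub that unpacks it at run time; the effect on a
    static scanner is the same: neither the hash nor the plaintext strings survive."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    variant = KNOWN_SAMPLE[:-1] + b"!"      # attacker flips one byte: hash changes
    packed = xor_pack(KNOWN_SAMPLE, 0x5A)   # attacker packs the file: nothing static matches
    for label, blob in [("original", KNOWN_SAMPLE), ("one-byte variant", variant),
                        ("xor-packed", packed), ("benign", b"hello world")]:
        print(f"{label:17} -> {scan(blob) or 'clean'}")
```

The packed case is why signature scanners also unpack or emulate samples before matching, and why the behavior-based methods in the next section are needed alongside them.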

Multiple malware detection vendors compete in the market, each offering a set of ransomware detection features that is effective up to a point. However, according to a Sophos report, over 50% of ransomware attacks in 2021 were successful, which shows that no detection system catches ransomware with a 100% guarantee.

Behavior-based detection

Behavior-based ransomware detection methods compare observed activity against a baseline of known normal (and known malicious) behavior. Specialists and automated tools monitor the activities of users and applications inside the environment to catch unusual changes in file systems (for example, many files rewritten and renamed in a short time), unusual traffic, unknown processes and API calls, among other signs.
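As an added example (not NAKIVO's code), the following script applies the behavioral idea to a constructed stream of file-system events: it scores each process on high-entropy writes, on renames that change the file extension, and on a ransom note dropped into a user folder. The thresholds, process names and paths are assumptions for the demo, and the events are built in memory rather than read from real telemetry:

```python
import math
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Thresholds are illustrative assumptions; tune them against your own baseline.
HIGH_ENTROPY_BITS = 7.0        # bits per byte; encrypted or compressed data sits near 8.0
MIN_HIGH_ENTROPY_WRITES = 5
MIN_EXTENSION_CHANGES = 5
NOTE_MARKERS = (b"your files", b"decrypt", b"bitcoin")

# (pid, process, op, path, payload): payload is the file content for WRITE
# and the new path for RENAME.
Event = Tuple[int, str, str, str, object]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def analyze(events: Iterable[Event]) -> List[Tuple[int, str, List[str]]]:
    """Aggregate per-process indicators and return (pid, process, reasons) alerts."""
    stats: Dict[int, dict] = defaultdict(
        lambda: {"process": "", "hi_entropy_writes": 0, "ext_changes": 0, "ransom_note": False})
    for pid, proc, op, path, payload in events:
        s = stats[pid]
        s["process"] = proc
        if op == "WRITE":
            if shannon_entropy(payload) >= HIGH_ENTROPY_BITS:
                s["hi_entropy_writes"] += 1
            head = payload[:512].lower()
            if file_ext(path) in (".txt", ".html", ".hta") and any(m in head for m in NOTE_MARKERS):
                s["ransom_note"] = True
        elif op == "RENAME" and file_ext(path) != file_ext(payload):
            s["ext_changes"] += 1

    alerts = []
    for pid, s in stats.items():
        reasons = []
        # Entropy alone is noisy (archivers look the same); require the rename burst too.
        if (s["hi_entropy_writes"] >= MIN_HIGH_ENTROPY_WRITES
                and s["ext_changes"] >= MIN_EXTENSION_CHANGES):
            reasons.append(f"{s['hi_entropy_writes']} high-entropy writes and "
                           f"{s['ext_changes']} extension changes")
        if s["ransom_note"]:
            reasons.append("ransom note written")
        if reasons:
            alerts.append((pid, s["process"], reasons))
    return sorted(alerts)


# Constructed sample activity (not real telemetry). Process names are hypothetical.
CIPHERTEXT_LIKE = bytes(range(256)) * 16      # uniform bytes: entropy exactly 8.0
PLAINTEXT_LIKE = b"Quarterly report: revenue up 4%, costs flat. " * 50
SAMPLE_EVENTS: List[Event] = []
for i in range(8):                            # "updater.exe": rewrite each doc, then rename to .locked
    doc = f"C:/Users/ann/Documents/report{i}.docx"
    SAMPLE_EVENTS.append((4242, "updater.exe", "WRITE", doc, CIPHERTEXT_LIKE))
    SAMPLE_EVENTS.append((4242, "updater.exe", "RENAME", doc, doc + ".locked"))
SAMPLE_EVENTS.append((4242, "updater.exe", "WRITE", "C:/Users/ann/Documents/HOW_TO_DECRYPT.txt",
                      b"Your files are encrypted. Pay 0.5 bitcoin to decrypt them."))
for i in range(3):                            # "archiver.exe": high entropy, but no renames
    SAMPLE_EVENTS.append((1001, "archiver.exe", "WRITE", f"D:/Backups/set{i}.7z", CIPHERTEXT_LIKE))
SAMPLE_EVENTS.append((2002, "editor.exe", "WRITE", "C:/Users/ann/Documents/notes.docx", PLAINTEXT_LIKE))

if __name__ == "__main__":
    for pid, proc, reasons in analyze(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {proc}: " + "; ".join(reasons))
```

A compression tool also writes high-entropy data, which is why the archiver process above is not flagged: the rename burst is what makes the combination specific. In production the events would come from an EDR agent, Sysmon file events or a file-server audit log rather than an in-memory list, and the per-process counters would be kept over a sliding time window.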

The following behavioral signs point to an attempted or successful ransomware infection:

  • Spam and phishing emails: Phishing is the most common approach that attackers use to deliver ransomware.
  • Performance degradation: If infrastructure nodes run slower than expected, investigate a potential ransomware intrusion; bulk encryption is CPU- and disk-intensive.
  • Continuous suspicious login activity: When failed login attempts recur across various accounts from unusual locations and devices, it is very likely that someone is trying to gain unauthorized access to your organization's IT systems.
  • Unauthorized network scanners detected: If you don't know who initiated a network scan or why, look into it, as it could be malicious reconnaissance.
  • Potential test attacks: Attackers may launch a few light attacks on some nodes to check the resilience and reaction time of your defenses before a full-scale attack.
  • Security software disabled or removed: No disruption of the protection system should be ignored; even a short-term outage is an open door for a ransomware infection.
  • Data encryption on some nodes: Successful encryption of data on any node indicates a gap in your protection that attackers can exploit in a more serious attack.
  • Known hacking tools detected: If you notice tools such as Microsoft Process Explorer, Mimikatz, IOBit Uninstaller and PC Hunter in your environment, run a full security review of every node. Some of these are legitimate administration utilities, so the signal is their appearance on machines where no administrator installed them.
  • Unusual activity around Active Directory: In a known case, attackers used the Remote Desktop Protocol (RDP) to reach the protected AD servers of oil and gas facilities and placed Ryuk ransomware directly in the AD logon script, so that it ran on machines as users logged on.
  • Backup corruption attempts: Backup storage platforms are priority targets for attackers. Any suspicious activity around backup storage, whether on physical disks or in the cloud, may be a sign of a potential or ongoing ransomware attack.

Deception-based detection

Just as attackers regularly try to deceive an organization's threat detection systems, security specialists have come up with ways to bait bad actors. One of the most common baits is the honeypot: a server or area in the IT environment containing data that appears valuable to an attacker. This environment is isolated from production systems, so any interaction with it is suspicious by definition, and it can be used to monitor and analyze attack tactics.

Evolving threats push companies to use every available security option to prevent breaches and data loss, so combining ransomware detection methods is common practice. Moreover, understanding attackers' tactics and preventing infiltration in the first place is a good strategy for detecting and proactively fighting ransomware. Below are some recommendations for identifying and preventing attacks.

How to Identify and Prevent an Attack

We recommend adopting the following practices to prevent ransomware attacks. We also include tips on reducing data loss in case ransomware does infiltrate the organization's environment.

  • Encourage employees to:
    • Learn the most common signs of ransomware and other malware
    • Use strong passwords and update them regularly
    • Examine the links and file attachments before clicking them
    • Understand how phishing works and check email addresses of incoming messages
  • Regularly update your system

Keep your operating system and critical applications patched and up to date, and install updates as soon as they are released. System updates and security patches fix issues in previous releases and close known vulnerabilities that attackers actively scan for.

  • Verify third-party software

Before installing third-party software, verify that the software vendor is authentic and trustworthy. Application whitelisting (allowlisting) software (for example, Bit9, Velox, McAfee, Lumension) helps here: it permits only approved applications to be installed and run in your environment, so an unknown executable is blocked by default rather than trusted by default.

  • Regularly scan your infrastructure

Install and use anti-malware software that notifies you of possible threats, identifies potential vulnerabilities and detects ransomware activity in your infrastructure. Modern anti-ransomware tools can scan your entire system for existing viruses and active malware, either on demand or on a schedule you set, minimizing the management effort required on your part.

  • Create honeypots

A honeypot is one of the most effective measures for confusing cybercriminals and drawing their attention away from critical files. By setting up a honeypot, you create a fake file repository or server that looks like a legitimate target to an outsider and appears especially enticing to ransomware operators. Because no legitimate user or process should ever touch it, any access is a high-fidelity signal: you can rapidly detect a ransomware attack and learn how the criminals operate, then use that data and experience to improve the protection of your systems against future attacks.
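The deception-based detection section above and this honeypot recommendation describe the same mechanism at file level: decoy (canary) files that nothing legitimate should touch. The following added example (our illustration, not NAKIVO's code) deploys decoys into a directory, records a baseline, and reports any deletion, modification or unexpected new file. The decoy names, the filler content and the simulated attacker are constructed for the demo; a real deployment would place the decoys on file shares and check them from a monitoring host:

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Decoy names chosen to sort first and last in a directory listing, because
# ransomware typically enumerates a folder in order and so hits them early.
# Names and content are constructed for this demo.
CANARY_NAMES = ["0000_passwords.xlsx", "AAA_financials_2023.docx", "zzz_backup_keys.txt"]


def fingerprint(path: str) -> Dict[str, object]:
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": os.path.getsize(path)}


def deploy_canaries(directory: str, names=CANARY_NAMES) -> Dict[str, Dict[str, object]]:
    """Write decoy files and record their baseline fingerprints."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(b"CONFIDENTIAL - decoy content, do not use\n" + name.encode() * 64)
        baseline[path] = fingerprint(path)
    return baseline


def check_canaries(baseline: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Compare the current state of each decoy (and its folder) against the baseline."""
    alerts: List[Tuple[str, str]] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "canary missing (deleted or renamed)"))
        elif fingerprint(path)["sha256"] != expected["sha256"]:
            alerts.append((path, "canary content modified (possible in-place encryption)"))
    # Anything new in a canary folder is suspicious too: a renamed canary
    # (.locked, .crypt, ...) or a dropped ransom note.
    for folder in {os.path.dirname(p) for p in baseline}:
        for name in os.listdir(folder):
            full = os.path.join(folder, name)
            if full not in baseline:
                alerts.append((full, "unexpected new file (renamed canary or ransom note)"))
    return sorted(alerts)


def simulate_ransomware(directory: str) -> None:
    """Constructed attacker behaviour for the demo: XOR each file, write it back
    under a .locked name and delete the original. Not real malware."""
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        with open(path, "rb") as f:
            data = f.read()
        with open(path + ".locked", "wb") as f:
            f.write(bytes(b ^ 0x5A for b in data))
        os.remove(path)


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Deploy canaries in a temp dir, check them (clean), 'encrypt' the dir, check again."""
    with tempfile.TemporaryDirectory() as d:
        baseline = deploy_canaries(d)
        before = check_canaries(baseline)
        simulate_ransomware(d)
        after = check_canaries(baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before or "no alerts")
    for path, reason in after:
        print("ALERT", reason, "->", os.path.basename(path))
```

Polling with a hash comparison is enough to show the idea; in production you would subscribe to file-change notifications (inotify, ReadDirectoryChangesW or the file server's audit log) so the alert fires within seconds of the first decoy being touched, early enough to isolate the host before the rest of the share is encrypted.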

  • Restrict access to critical systems and applications

Apply the principle of least privilege when granting employees permissions to systems: give each employee access only to the files and system resources required to do their work. Any action or access that is not necessary for an employee's duties should be withheld by the administrator, which limits what a compromised account, and any ransomware running under it, can reach and encrypt.

  • Data protection and testing backups

Create and regularly update data backups. Follow the 3-2-1 rule to strengthen protection and ensure that encrypted data can be recovered: keep 3 copies of your data, store them on 2 different media, and keep 1 copy offsite. After the data is backed up, run test restores to verify that the backups are functional and recoverable, so that you do not discover failures for the first time during an actual recovery.

How NAKIVO Can Help Protect Your Data against Ransomware

Today, a ransomware attack that renders an organization’s data unavailable is not just another probability but a matter of time. And the most efficient way to prevent data loss incidents and avoid production downtimes after disruptions caused by successful ransomware attacks is to have valid backups ready for recovery.

Some 93% of companies not implementing backups and disaster recovery plans go out of business within a year after a global data loss disaster. On the other hand, 96% of companies that have a reliable backup and recovery strategy were able to successfully recover from ransomware attacks.

NAKIVO Backup & Replication is a data protection solution that you can use to implement a reliable ransomware protection strategy and increase the organization’s resilience to attacks:

  1. Create reliable and application-consistent backups of your data.
  2. Store backups onsite and send copies offsite or to the cloud to follow the 3-2-1 rule and avoid a single point of failure.
  3. Enable immutability for backups stored in local Linux-based repositories and/or in the cloud to ensure that your backup data remains unchanged and available even if ransomware hits the backup infrastructure.
  4. Enable encryption of your backup data in flight and at rest. The solution uses the AES-256 encryption standard to prevent third-party access to your backup data.
  5. Use role-based access control (RBAC) to set access rights for employees and improve the safety of backups.
  6. When a ransomware attack strikes and encrypts the original data, use backups for recovery. You can recover full VMs and physical machines as VMs immediately. Use Instant Granular Recovery to restore individual files and application objects to original or custom locations for even shorter downtime.
  7. Use replication, automated failover and disaster recovery orchestration for swift availability of systems and apps.

The NAKIVO solution enables you to control and automate backup and recovery processes from a single pane of glass. Run backups as often as every minute to minimize data loss. With relevant immutable backups at your disposal, you can avoid paying ransom to hackers even after ransomware bypasses your security systems and successfully encrypts the original data. Download the NAKIVO solution Free Edition and start protecting your data and machines today.