How to Detect Ransomware: 12 Monitoring & Alerting Opportunities to Automate

How to Detect Ransomware Blog Banner

It’s crazy to think that this May marked five years since the WannaCry outbreak helped make ransomware a household name. In some ways, it feels like a lifetime ago (or longer). Ex: Compared to the jaw-dropping figures cited in today’s reports, some of the ransomware-related stats from 2017 come off as quaint.

Much has obviously changed, and with billions of dollars in play, saying that today’s ransomware operations have matured and evolved is a massive understatement.

As security researcher Kevin Beaumont puts it in a blog post everyone should read:

 

“One ransomware group receiving a $40m payment for attacking a cybersecurity insurance company gives the attackers more budget to launch cyberattack than most medium to large organizations have to defend against attacks in total. And that’s just one attack, from one group, that barely made the news radar of most people.”

— Kevin Beaumont, “The Hard Truth about Ransomware”

 

It’s a sobering assessment, but before we go longing for the “simpler” days of 2017, it’s also worth considering that, for as much as we’ve seen things change these past five years, there’s also quite a lot that hasn’t.

Yes, the cybercrime ecosystem has exploded around ransomware, and ok sure, attack groups have amassed huge war chests for buying zero-days and launching bug bounty programs. But the truth is, despite all this, the majority are still operating in low-hanging fruit mode. Why get all sophisticated and fancy when you can still catch a lot of folks sleeping with the basics?

Yes, prevention is hard for today’s organizations, but then again it’s always been, and I’m not entirely convinced it’s exponentially harder today than it was five years ago. The truth is, strong fundamentals and basic endpoint hardening can take SMBs a long way.

But this post is about detection, right? Well, the same point applies. Most orgs are still going to need dedicated resources (in-house or outsourced) to deploy and actively monitor the detection opportunities we’re going to cover here, but that the barrier to entry isn’t necessarily as high as some security vendors may have you to believe.

Case in point: The following are 12 good, basic ransomware detection ideas that can get you results without costing a fortune.

Let’s get into them.

How to detect ransomware

For starters, let’s agree that running around trying to detect ransomware activity post-execution (ransomware executables actively running and encrypting data) is a losing race. Some of the most prolific ransomware variants can encrypt 100,000 files in less than five minutes.

Attempts to spot and react to sudden mass changes in file names, etc. will often be too little, too late.

AV / EDR is obviously designed to block ransomware executables, but detection/block rates aren’t perfect, and even if they do manage to block an executable it doesn’t address the issue that attackers have gained access. If they fail once, they’ll try again.

It’s also routine for attackers to leverage tools and playbooks designed for gaining elevated privileges so they can disable security tools (and backups).

For that reason, the best time to detect and disrupt attacks is early on, ideally when you’re dealing with often automated attempts to land and establish beach heads on your systems. Nipping attacks in the bud is far easier than grappling with the next stage, when you’re dealing with an actual human hacker who is operating with a tried and true playbook and numerous tools designed to help them quickly map your network and own it completely.

 

So when we talk about detecting ransomware, the better question might be, “How do we detect the early warning signs of a compromise that could quickly lead to ransomware?”

 

And the emphasis is very much on “quickly.” Reports show that, from initial access, ransomware can be deployed anywhere from days to even just hours later. See The DFIR Report’s breakdowns of “IcedID to XingLocker ransomware in 24 hours” and “Netwalker Ransomware in 1 Hour.”

With so little time to identify the threat and react, it’s critical to have tools and experienced professionals actively monitoring systems and ready to respond (ideally leveraging automation).

What are the signs of ransomware and good detection opportunities?

The good news is that even though there are a ton of attack groups and variants out there, the majority still rely on common playbooks and tools. Thanks to the work of researchers like the ones at The DFIR Report and elsewhere, defenders can learn the most common TTPs and build detection mechanisms accordingly.

The following is a list of detection opportunities mapped to common ransomware attack patterns (huge tip of the hat to The DFIR Report’s 2021 Year in Review). It’s by no means a comprehensive list, but it should provide you with some great direction for getting started.

If you’re using an endpoint management solution or RMM like NinjaOne then you can create monitoring and alerting conditions for many of these detections that you can then easily roll out to endpoints, saving you and your team manual work. You can also build out automated actions that you want alerts to trigger, such as automatically reinstalling/restarting AV/EDR processes if they’re identified as missing/disabled.

If you want to take all this a step further, the folks at The DFIR Report have also shared a boatload of extremely useful Sigma rules that you can utilize with Chainsaw, a free open-source tool from F-Secure Labs that offers a fast way of combing through event logs and detecting suspicious signs of an attack.

Types of ransomware tactics and how to detect them — detection opportunities by attack stage

Initial access

1) Reports of suspicious emails from end users: They don’t get the headlines that zero-day vulnerabilities do, but run-of-the-mill malicious emails designed to trick users into downloading and executing malware continue to be one of the most common initial attack vectors. Why? Because they still work.

  • How to detect suspicious emails: It’s important for organizations to provide employees with security awareness training, but also create a culture where they’re actively encouraged and rewarded for reporting suspicious emails AND potential mistakes without fear of being punished.

2) Suspicious RDP connections: Exposed RDP is another attack vector that some IT and security folks may roll their eyes at, but continues to be one of the leading points of initial compromise for ransomware incidents.

  • How to detect suspicious RDP connections: This post from NCCGroup walks through how to capture low-noise log events related to attempted and successful RDP sessions. In addition, this script from PowerShell expert Kelvin Tegelaar takes things further by documenting whether a variety of remote access tools are installed (Remote Desktop, Teamviewer, Connectwise ScreenConnect, and others) and logging when there’s been a successful connection.

 

Persistence

1) Suspicious scheduled task creation: One of the most common ways attackers gain persistence on a system.

2) Unexpected remote access software: Another tactic gaining traction has been for attackers to install third-party software such as AnyDesk (the most popular by far), Atera, TeamViewer, and Splashtop.

  • How to detect unexpected remote access software: These are popular tools among MSPs, but if you’re NOT leveraging some or any of these, it’s a good idea to regularly monitor for and flag on their presence. Again, Kelvin’s script can be used for this (see the comment from Luke Whitlock for a modification that monitors for AnyDesk).

In addition, you can also monitor Windows Event ID 7045. 

 

Privilege escalation / credential access

1) Extracting credentials from the Windows local security authority subsystem (LSASS): While there are other ways for attackers to scrape credentials, this is by far one of the most common.

  • How to detect LSASS abuse: One good way to monitor or block attempts to steal credentials from LSASS is to leverage Microsoft’s Attack Surface Reduction (ASR) rules (Windows 10 build 1709 / Windows Server build 1809 or higher required).Side note: Other ASR rules are also great for blocking a variety of common attempts to execute malicious code and gain initial access (ex: blocking Office programs from creating child processes, blocking JavaScript or VBScript from launching downloaded executable content, etc.). See this post from Palantir’s security team sharing their assessment of ASR rule impact and recommended settings.Many EDR tools also provide similar blocking and detection capabilities to protect LSASS.

 

Defense evasion

1) Disabling / uninstalling antivirus and other security tools: Why bother tip-toeing past security tools when you can simply turn them off?

 

Discovery

1) Unexpected use of port scan and network discovery tools: Once a beachhead has been established, attackers need to look around to see where they’ve landed and identify the best opportunities for lateral movement. Many will leverage built-in Windows utilities like nltest.exe, ipconfig, whoami, etc. as well as ADFind. Others will use port-scanning tools like Advanced IP Scanner.

  • How to detect suspicious port scanners and reconnaissance tools: As with remote access tools, if you’re not regularly using these tools then you can test monitoring for them and creating alerts as well as automation rules to proactively block them.

 

Lateral movement

1) Suspected Cobalt Strike usage: Cobalt Strike is “adversary simulation software” that’s unfortunately become as popular with attackers as it was for its intended audience of penetration testers. It makes a wide range of post-exploit tactics incredibly easy to execute, and routinely shows up as an abused tool in ransomware incidents.

2) Unexpected remote access software: See the remote access section under “Persistence” above.

3) Suspicious remote access connections: Could include use of RDP, SMB, VNC, and more.

  • How to detect suspicious remote access connections: See this list of monitoring ideas from MITRE (ex: network connection creation, network share access, etc.) and drill down into the subtechniques for specifics around the abuse of RDP, SMB, VNC, SSH, etc.

4) Suspicious use of PsExec: PsExec is another built-in Microsoft tool that attackers have taken to abusing. It allows you to remotely execute commands or scripts as SYSTEM.

 

Data exfiltration

1) Suspicious outbound connections and spikes in traffic: In order to gain more leverage over victims, it’s becoming increasingly common for attackers to not only encrypt data, but exfiltrate it first. That gives them the additional threat of selling the data or posting it live.

  • How to detect data exfiltration: Indicators of potential data exfiltration can include major spikes in outbound traffic, unexpected connections to public IP addresses, uncommonly used ports, high volumes of DNS queries, suspicious source file extensions (.rar, .7z, .zip, etc.), and more. Network monitoring and firewall rules can provide heavy lifting here. For more ideas, see the “Exfiltration” section from MITRE ATT&CK.

2) Abuse of built-in and open source file-transfer tools: Attackers love using otherwise legitimate tools that can help them blend in. For data exfiltration, that includes Microsoft BITS, curl.exe, Rclone, Mega (MegaSync and MegaCmd), and more.

  • How to detect suspicious file-transfer use: While attackers can go to the trouble of renaming these programs, some simply don’t, so blocking and/or monitoring for and alerting on their use is a good starting point. For more advanced/granular detection ideas, see the following: detecting Rclone, detecting Mega and Rclone, and MITRE ATT&CK ID T1197.

 

Add a layer of ransomware detection that’s manageable and scalable

Actively monitoring and alerting on these kinds of activities can be a challenge for organizations without a skilled and trained dedicated resource. In many cases, partnering with the right outsourced experts can be the way to go.

For more examples of automations IT teams can leverage with Ninja, see “What Should You Be Monitoring with Your RMM? 28 Recommendations.”

NinjaOne also partners with Bitdefender to provide an integrated anti-ransomware solution as part of its Unified IT Management (UITO) platform. By including Ninja + Bitdefender GravityZone + Ninja Data Protection the NinjaOne Protect package helps prevent, detect, and respond to ransomware attacks, potentially mitigating the impact of ransomware on your business.

Sign up for a free trial of NinjaOne Protect today.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.

You might also like

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).