Kidnappers do their homework before snatching their victims to be sure that they have enough ransom money to be worth the time and risk. Until today, I hadn’t thought about scammers doing their homework before launching a ransomware attack. An article in Sophos News by Peter Mackenzie, The Realities of Ransomware: Five Signs You’re About to be Attacked, opened my eyes that system kidnappers usually leave a trail that can be detected.
I encourage you to read Mr. Mackenzie’s article and take action to protect your systems from being held for ransom. He shares valuable tips from his own professional experience, including tools and methods. https://bit.ly/2PFuhnX
Here is a quick list of evidence of an existing or imminent ransomware attack that a cybersecurity professional could detect:
- Unusual Behavior
Periodically reviewing your network and file-access logs can reveal repeating patterns or other indicators of malicious activity on your systems. It could be nothing to worry about, but anything that looks unusual is worth checking out. Even if malware has been detected and removed, the attackers could still be operating on your network, since the malware that was found is often only one stage of the intrusion.
- Scanner Snooping
Scammers often gain access to your systems by using phishing or social engineering schemes against authorized users. They especially love to capture credentials for users with administrative rights, because those accounts give them broader access. Once in, they can install a network scanner to map your network and locate the systems that hold valuable information, such as bank accounts and tax IDs. A scanner running on a host, or the burst of connection attempts it generates, can be detected in your logs and removed if you know what to look for.
- Neutralized Security
Scammers who manage to obtain admin rights often try to disable your security software to swing open the door to your systems even wider. Several tools are available to force the removal of security software. These tools have legitimate purposes, such as cleaning up a broken or superseded agent, but criminals use them to leave your systems defenseless, so a stopped or uninstalled security service is an event worth alerting on.
- Embedded Tools
In addition to installing a scanner, scammers can plant keystroke loggers to capture logon credentials. The captured credentials give them access to additional systems, some of which could store financial and confidential identity information. Other tools can be used to extract data and dump lists of usernames and passwords for use or sale.
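As an added illustration (this is not code from the original post or from the Sophos article), the following Python script applies two of the detections described above, Scanner Snooping and Neutralized Security, to constructed log lines: it flags a source that touches many distinct destination/port pairs within a short window, and it flags stop or uninstall events against services that belong to security products. The log formats, IP addresses, host and service names, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). A firewall-style
# connection log: 10.0.0.5 is a workstation touching a server on a few ports;
# 10.0.0.9 sweeps 10.0.0.20 across thirty ports within half a minute.
CONNECTION_LOG = [
    "2023-03-01T09:00:00 10.0.0.5 10.0.0.20 445 ALLOW",
    "2023-03-01T09:00:07 10.0.0.5 10.0.0.20 443 ALLOW",
    "2023-03-01T09:00:15 10.0.0.5 10.0.0.21 53 ALLOW",
] + [
    f"2023-03-01T09:02:{i:02d} 10.0.0.9 10.0.0.20 {port} DENY"
    for i, port in enumerate(range(20, 50))
]

# Constructed endpoint event lines: an admin stops the AV agent, then an
# unrelated service. Only the first should be flagged.
EVENT_LOG = [
    "2023-03-01T09:04:30 host=WS07 user=CORP\\jdoe event=logon",
    "2023-03-01T09:05:10 host=WS07 user=CORP\\jdoe event=service_stop service=EndpointProtection",
    "2023-03-01T09:05:11 host=WS07 user=CORP\\jdoe event=service_stop service=Spooler",
]

# Assumed names of the security services we care about.
SECURITY_SERVICES = {"EndpointProtection", "EDRSensor"}


def parse_conn(line):
    """Split one connection-log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: distinct targets} for every source that reaches at least
    `min_targets` distinct (dst, port) pairs inside any `window`-long span.
    A normal workstation talks to a few ports; a scanner fans out fast."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_conn(line)
        by_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {target for _, target in events[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def parse_event(line):
    """Parse 'ts key=value key=value ...' into (timestamp, dict of fields)."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return datetime.fromisoformat(parts[0]), fields


def find_security_tampering(lines, security_services=SECURITY_SERVICES):
    """Return (timestamp, host, user, service) for each stop or uninstall of
    a service in `security_services`; other services are ignored."""
    hits = []
    for line in lines:
        ts, f = parse_event(line)
        if f.get("event") in {"service_stop", "service_uninstall"} \
                and f.get("service") in security_services:
            hits.append((ts.isoformat(), f["host"], f["user"], f["service"]))
    return hits


if __name__ == "__main__":
    for src, count in find_scanners(CONNECTION_LOG).items():
        print(f"possible scanner: {src} hit {count} distinct targets")
    for hit in find_security_tampering(EVENT_LOG):
        print("security service tampered with:", hit)
```

Both checks are deliberately simple so the thresholds are easy to tune: the scan detector counts distinct destination/port pairs inside a sliding time window, which catches a vertical sweep of one host as well as a horizontal sweep of one port, and the tampering detector keys on a short allow-list of service names rather than on any particular removal tool, so it still fires when a new tool is used.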
Turns out, ransomware attackers do their homework just like kidnappers looking for a rich victim to snatch. Peter Mackenzie’s recent article in Sophos News really opened my eyes that ransomware attacks can be detected before they hold systems hostage. Read his article and arm yourself with tools to fight off cybercrime.