How to Detect Ransomware: 12 Monitoring & Alerting Opportunities to Automate

Here are a dozen ways IT teams of any size can set up automated alerts to detect ransomware attacks before it’s too late.  

It’s crazy to think that this May marked five years since the WannaCry outbreak helped make ransomware a household name. In some ways, it feels like a lifetime ago (or longer). Ex: Compared to the jaw-dropping figures cited in today’s reports, some of the ransomware-related stats from 2017 come off as quaint.

• In Q2 2017, the average estimated ransom demand was between $501 – $2,000. According to Coveware, fast-forward to Q1 2022 and the average ransom payment was $211,529.
• In 2017, Cybersecurity Ventures estimated the total cost of damages caused by ransomware would hit $5B for the year. Their latest report estimates total costs in 2021 hit $20B.

Much has obviously changed, and with billions of dollars in play, saying that today’s ransomware operations have matured and evolved is a massive understatement.

As security researcher Kevin Beaumont puts it in a blog post everyone should read:

 

“One ransomware group receiving a $40m payment for attacking a cybersecurity insurance company gives the attackers more budget to launch cyberattack than most medium to large organizations have to defend against attacks in total. And that’s just one attack, from one group, that barely made the news radar of most people.”

— Kevin Beaumont, “The Hard Truth about Ransomware”

 

It’s a sobering assessment, but before we go longing for the “simpler” days of 2017, it’s also worth considering that, for as much as we’ve seen things change these past five years, there’s also quite a lot that hasn’t.

Yes, the cybercrime ecosystem has exploded around ransomware, and ok sure, attack groups have amassed huge war chests for buying zero-days and launching bug bounty programs. But the truth is, despite all this, the majority are still operating in low-hanging fruit mode. Why get all sophisticated and fancy when you can still catch a lot of folks sleeping with the basics?

• Colonial Pipeline? Hacked via an inactive account without MFA.   
• Irish Health Services? Malicious Excel doc. 
• The LockBit ransomware gang’s 5-month access to a U.S. government agency? Exposed RDP.
• The $50M ransomware attack on PC-giant Acer? Unpatched Microsoft Exchange vulnerability.

Yes, prevention is hard for today’s organizations, but then again it’s always been, and I’m not entirely convinced it’s exponentially harder today than it was five years ago. The truth is, strong fundamentals and basic endpoint hardening can take SMBs a long way.

But this post is about detection, right? Well, the same point applies. Most orgs are still going to need dedicated resources (in-house or outsourced) to deploy and actively monitor the detection opportunities we’re going to cover here, but that the barrier to entry isn’t necessarily as high as some security vendors may have you to believe.

Case in point: The following are 12 good, basic detection ideas that can get you results without costing a fortune.

Let’s get into them.

How to detect ransomware (or better yet, when)

For starters, let’s agree that running around trying to detect ransomware activity post-execution (ransomware executables actively running and encrypting data) is a losing race. Some of the most prolific ransomware variants can encrypt 100,000 files in less than five minutes.

Attempts to spot and react to sudden mass changes in file names, etc. will often be too little, too late.

AV / EDR is obviously designed to block ransomware executables, but detection/block rates aren’t perfect, and even if they do manage to block an executable it doesn’t address the issue that attackers have gained access. If they fail once, they’ll try again.

It’s also routine for attackers to leverage tools and playbooks designed for gaining elevated privileges so they can disable security tools (and backups).

For that reason, the best time to detect and disrupt attacks is early on, ideally when you’re dealing with often automated attempts to land and establish beach heads on your systems. Nipping attacks in the bud is far easier than grappling with the next stage, when you’re dealing with an actual human hacker who is operating with a tried and true playbook and numerous tools designed to help them quickly map your network and own it completely.

 

So when we talk about detecting ransomware, the better question might be, “How do we detect the early warning signs of a compromise that could quickly lead to ransomware?”

 

And the emphasis is very much on “quickly.” Reports show that, from initial access, ransomware can be deployed anywhere from days to even just hours later. See The DFIR Report’s breakdowns of “IcedID to XingLocker ransomware in 24 hours” and “Netwalker Ransomware in 1 Hour.”

With so little time to identify the threat and react, it’s critical to have tools and experienced professionals actively monitoring systems and ready to respond (ideally leveraging automation).

Ok, smart guy, so what are early warning signs of ransomware and good detection opportunities?

The good news is that even though there are a ton of attack groups and variants out there, the majority still rely on common playbooks and tools. Thanks to the work of researchers like the ones at The DFIR Report and elsewhere, defenders can learn the most common TTPs and build detection mechanisms accordingly.

The following is a list of detection opportunities mapped to common ransomware attack patterns (huge tip of the hat to The DFIR Report’s 2021 Year in Review). It’s by no means a comprehensive list, but it should provide you with some great direction for getting started.

If you’re using an endpoint management solution or RMM like NinjaOne then you can create monitoring and alerting conditions for many of these detections that you can then easily roll out to endpoints, saving you and your team manual work. You can also build out automated actions that you want alerts to trigger, such as automatically reinstalling/restarting AV/EDR processes if they’re identified as missing/disabled.

If you want to take all this a step further, the folks at The DFIR Report have also shared a boatload of extremely useful Sigma rules that you can utilize with Chainsaw, a free open-source tool from F-Secure Labs that offers a fast way of combing through event logs and detecting suspicious signs of an attack.

Types of ransomware tactics and how to detect them — detection opportunities by attack stage

Initial access

Reports of suspicious emails from end users: They don’t get the headlines that zero-day vulnerabilities do, but run-of-the-mill malicious emails designed to trick users into downloading and executing malware continue to be one of the most common initial attack vectors. Why? Because they still work.

• How to detect suspicious emails: It’s important for organizations to provide employees with security awareness training, but also create a culture where they’re actively encouraged and rewarded for reporting suspicious emails AND potential mistakes without fear of being punished.

Suspicious RDP connections: Exposed RDP is another attack vector that some IT and security folks may roll their eyes at, but continues to be one of the leading points of initial compromise for ransomware incidents.

• How to detect suspicious RDP connections: This post from NCCGroup walks through how to capture low-noise log events related to attempted and successful RDP sessions. In addition, this script from PowerShell expert Kelvin Tegelaar takes things further by documenting whether a variety of remote access tools are installed (Remote Desktop, Teamviewer, Connectwise ScreenConnect, and others) and logging when there’s been a successful connection.

 

Persistence

Suspicious scheduled task creation: One of the most common ways attackers gain persistence on a system.

• How to detect suspicious scheduled task creation: Monitor and alert for this by tracking Windows Event IDs 4698 and 4700 or by leveraging Kelvin Tegelaar’s PowerShell script here.

Unexpected remote access software: Another tactic gaining traction has been for attackers to install third-party software such as AnyDesk (the most popular by far), Atera, TeamViewer, and Splashtop.

• How to detect unexpected remote access software: These are popular tools among MSPs, but if you’re NOT leveraging some or any of these, it’s a good idea to regularly monitor for and flag on their presence. Again, Kelvin’s script can be used for this (see the comment from Luke Whitlock for a modification that monitors for AnyDesk).

In addition, you can also monitor Windows Event ID 7045. 

 

Privilege escalation / credential access

Extracting credentials from the Windows local security authority subsystem (LSASS): While there are other ways for attackers to scrape credentials, this is by far one of the most common.

• How to detect LSASS abuse: One good way to monitor or block attempts to steal credentials from LSASS is to leverage Microsoft’s Attack Surface Reduction (ASR) rules (Windows 10 build 1709 / Windows Server build 1809 or higher required).Side note: Other ASR rules are also great for blocking a variety of common attempts to execute malicious code and gain initial access (ex: blocking Office programs from creating child processes, blocking JavaScript or VBScript from launching downloaded executable content, etc.). See this post from Palantir’s security team sharing their assessment of ASR rule impact and recommended settings.Many EDR tools also provide similar blocking and detection capabilities to protect LSASS.

 

Defense evasion

Disabling / uninstalling antivirus and other security tools: Why bother tip-toeing past security tools when you can simply turn them off?

• How to detect antivirus tampering: Check out this script from Kelvin Tegelaar, or, if you have one, take advantage of your RMM to regularly alert on whether security tools are installed and/or running.

 

Discovery

Unexpected use of port scan and network discovery tools: Once a beachhead has been established, attackers need to look around to see where they’ve landed and identify the best opportunities for lateral movement. Many will leverage built-in Windows utilities like nltest.exe, ipconfig, whoami, etc. as well as ADFind. Others will use port-scanning tools like Advanced IP Scanner.

• How to detect suspicious port scanners and reconnaissance tools: As with remote access tools, if you’re not regularly using these tools then you can test monitoring for them and creating alerts as well as automation rules to proactively block them.

 

Lateral movement

Suspected Cobalt Strike usage: Cobalt Strike is “adversary simulation software” that’s unfortunately become as popular with attackers as it was for its intended audience of penetration testers. It makes a wide range of post-exploit tactics incredibly easy to execute, and routinely shows up as an abused tool in ransomware incidents.

• How to detect Cobalt Strike: Many EDR tools and security researchers have their sites on detecting Cobalt Strike usage. See a great collection of resources to help you do the same here.

Unexpected remote access software: See the remote access section under “Persistence” above.

Suspicious remote access connections: Could include use of RDP, SMB, VNC, and more.

• How to detect suspicious remote access connections: See this list of monitoring ideas from MITRE (ex: network connection creation, network share access, etc.) and drill down into the subtechniques for specifics around the abuse of RDP, SMB, VNC, SSH, etc.

Suspicious use of PsExec: PsExec is another built-in Microsoft tool that attackers have taken to abusing. It allows you to remotely execute commands or scripts as SYSTEM.

• How to detect PsExec abuse: Our man Kelvin has a script for this, as well (because of course he does). You can also find additional Windows Event IDs and registry changes to monitor for here.

 

Data exfiltration

Suspicious outbound connections and spikes in traffic: In order to gain more leverage over victims, it’s becoming increasingly common for attackers to not only encrypt data, but exfiltrate it first. That gives them the additional threat of selling the data or posting it live.

• How to detect data exfiltration: Indicators of potential data exfiltration can include major spikes in outbound traffic, unexpected connections to public IP addresses, uncommonly used ports, high volumes of DNS queries, suspicious source file extensions (.rar, .7z, .zip, etc.), and more. Network monitoring and firewall rules can provide heavy lifting here. For more ideas, see the “Exfiltration” section from MITRE ATT&CK.

Abuse of built-in and open source file-transfer tools: Attackers love using otherwise legitimate tools that can help them blend in. For data exfiltration, that includes Microsoft BITS, curl.exe, Rclone, Mega (MegaSync and MegaCmd), and more.

• How to detect suspicious file-transfer use: While attackers can go to the trouble of renaming these programs, some simply don’t, so blocking and/or monitoring for and alerting on their use is a good starting point. For more advanced/granular detection ideas, see the following: detecting Rclone, detecting Mega and Rclone, and MITRE ATT&CK ID T1197.

 

Add a layer of ransomware detection that’s manageable and scalable

Actively monitoring and alerting on these kinds of activities can be a challenge for organizations without a skilled and trained dedicated resource. In many cases, partnering with the right outsourced experts can be the way to go.

For more examples of automations IT teams can leverage with Ninja, see “What Should You Be Monitoring with Your RMM? 28 Recommendations.”

NinjaOne also partners with Bitdefender to provide an integrated anti-ransomware solution as part of its Unified IT Management (UITO) platform. By including Ninja + Bitdefender GravityZone + Ninja Data Protection the NinjaOne Protect package helps prevent, detect, and respond to ransomware attacks, potentially mitigating the impact of ransomware on your business.

Sign up for a free trial of NinjaOne Protect today.