Detecting and Responding to Ransomware Attacks

Behind the Scenes: What Happens in a Ransomware Attack? [Video]

This post was last updated on September 27th, 2021 at 12:31 pm

The first step to protecting yourself from a ransomware attack is understanding what it actually is. The behaviors that constitute a threat might individually seem like perfectly normal activity, even to someone who knows what they are looking for. If we put ourselves in the shoes of a cybercriminal, we could imagine why they would want to appear like a typical network user. A threat actor who is able to avoid detection is more likely to succeed in encrypting and ransoming a network.

Cybersecurity is all about being one step ahead of hackers, though, and our sophisticated behavioral monitoring techniques help detect attacks in their earliest stages. These two ransomware attacks on hospitals demonstrate how we mitigate threats.


Detecting Ransomware Attacks Early with Behavioral Monitoring

Infocyte is often paired with an antivirus platform. Antivirus acts as your defense to reduce vulnerability, but it does not completely eliminate risk. Our role is to monitor your network for any threats that succeed in getting past your defensive measures and respond quickly, before the attack escalates to encryption.

Today, a threat actor will typically stage a multi-stage attack if they are aiming for a ransom. When someone gains access to your network, their first goal is to learn what this access could be worth to them. If you have a database full of social security numbers, for example, your network could look pretty valuable at this point. Our goal in this stage is to detect sequences of behaviors that indicate that someone is in the Recon, Lateral, and/or Staging phases of a ransomware attack.

Alert: Powershell Download & Execute Command

While a powershell download and execute command isn’t always malicious, this alert should be investigated. The other behaviors surrounding the command begin to tell the story of what is happening on your network. Next, we saw an encoded command. Again, on its own this one behavior does not indicate a threat, but the combination of these two happening in succession begins to raise suspicions.

The story of this ransomware attack becomes clear when we look deeper into that powershell encoded command. Administrators won’t obfuscate their work in the way we see in these alerts. When admins are acting in good faith, they will make their work clear to the other admins on the network. In this case, this is the familiar Cobalt Strike beacon injector.

The actors tried to deploy ransomware everywhere, and they maintained persistence on three systems. Since we were able mitigate the attack, there were no impact behaviors to alert on. A hacker’s goal at this point could be encryption, so our successful mitigation saved this organization from significant pain and suffering.

Ransomware Attack via Phishing

In our next case study, the entry vector for the malware was a phishing email. The simplicity of Jupyter Infostealer allows it to slip past antivirus defenses relatively frequently. A phishing attack masqueraded as a remote work letter, which we pegged with a reputation hit. Our correlated alert feature allows us to see the full story of the attack, and in this case it enabled us to isolate the attack and prevent it from spreading throughout the network.

In both of these attacks, the target organizations were well-protected with antivirus and defensive measures. Just like a deadbolt on the front door wouldn’t deter 100% of burglars, though, defense alone is not always enough. With the rise of ransomware attacks like BlackMatter and DarkSide, the threat landscape is ever-changing. Sign up for a free trial of our platform today and find out how we can help your organization quickly respond to attacks, too.