Detecting Ransomware

This first example is a case where users may attempt to access a shared folder and find encrypted files in that location. It presents the most potential risk to the organization. In this case, there is an infected computer somewhere on the network and the infected user is utilizing it to access network shares. The ransomware, operating with the user’s permission level at this point, goes through the network share and all the files to which the user has access, encrypting them as it runs through the folder. In a larger organization, the number of files the user can access can be extensive, exposing several hundred thousand of files to encryption, theft, or both. A large network share could take days for the ransomware to encrypt but the process can nonetheless begin and run for some time before it is identified. This phase can be detrimental and harder to detect, especially since the victim computer doesn’t yet display a ransom message. To contain initial infection, it is extremely important and time sensitive to find the infected computer(s) through which the ransomware encryption activity is taking place. Narrowing down the infected user(s) is most commonly achieved by looking at file ownership permissions on the files that have been encrypted. It’s also possible to examine the ownership permissions of new files that were created in each folder notifying users that the files have been encrypted. The new files will commonly inherit the user’s permissions that the ransomware was executing under, showing the file owner’s name as the user account that initially became infected with the ransomware.
Once users are identified, their devices and access should be disabled to halt the encryption process in the shared location.

The second possible scenario is a computer becomes infected and a user finds files on the local system that are encrypted and inaccessible, but the user has not yet received an- on-screen ransom message. Most ransomware variants leave a text file or HTML file in each folder they encrypt that informs the user the files have been encrypted and are being held ransom, but in this scenario, it is likely that the encryption process is in progress, the user just happened to try and access a file that has been encrypted, and the ransomware hasn’t yet completed its malicious activity. In this case, the victim computer should be shut down immediately due to the likelihood that the malicious process is active and still going through the various folders on the local and possibly network drives, rendering them inaccessible.

In this scenario, employee device(s) within the organization will silently become infected and begin encrypting all the user’s local files as well as all the files the user may have access to on network shares. Once the encryption process is complete, a message will display on the infected computer’s screen notifying the user their files have been encrypted and providing a method to pay the ransom. The text of a message displayed to the user varies for each ransomware family. Beyond notifying the user that he/she is infected and helping security teams realize an incident is taking place, the message displayed on the infected computer can help determine which ransomware variant has been used to attack the organization. Any displayed messages should be captured by taking a screenshot or photo with a mobile device and kept as part of the forensic information collected about the incident.

Another way for security teams to become aware of an ongoing ransomware situation is seeing file manipulation thresholds cross significantly beyond their normal daily records. An alert of this sort would typically come from a SIEM solution where corresponding rules have been set. The next step is the analysis phase.