Detecting Ransomware

The way by which an organization first detects ransomware infection can vary according to the situation, but in most cases, an employee will find it impossible to access files, receive a ransom note, or notice that a certain service is no longer accessible. The most time-sensitive issue at the onset of the attack is to identify any and all infected systems and those in imminent danger of becoming infected. The first goal is to contain the spread of the infection as soon as possible and help minimize the risk to the organization by isolating the infected systems. This also helps stop any ongoing encryption processes that may still be underway, thus reducing the damage to the organization and the effort that will be necessary to restore access to data, systems, and business operations. We have uncovered common discovery scenarios through our response engagements while helping IBM Security customers deal with ransomware attacks. Those top scenarios are listed in the following sections.

Keep in mind as you read the scenarios below that just because an organization identifies one infected host encrypting files, it does not mean others have not been affected. If a single host within an organization is found to be infected, there is a high likelihood that additional hosts are also infected because the same vulnerability may exist through hosts across the entire enterprise. If you identify an infected host that is responsible for encrypting files, especially on a network share, monitor the shares very closely after you take the infected host offline in case there are other infected hosts that continue the encryption process.

This first example is a case where users may attempt to access a shared folder and find encrypted files in that location. It presents the most potential risk to the organization. In this case, there is an infected computer somewhere on the network and the infected user is utilizing it to access network shares. The ransomware, operating with the user’s permission level at this point, goes through the network share and all the files to which the user has access, encrypting them as it runs through the folder. In a larger organization, the number of files the user can access can be extensive, exposing several hundred thousand of files to encryption, theft, or both. A large network share could take days for the ransomware to encrypt but the process can nonetheless begin and run for some time before it is identified. This phase can be detrimental and harder to detect, especially since the victim computer doesn’t yet display a ransom message. To contain initial infection, it is extremely important and time sensitive to find the infected computer(s) through which the ransomware encryption activity is taking place. Narrowing down the infected user(s) is most commonly achieved by looking at file ownership permissions on the files that have been encrypted. It’s also possible to examine the ownership permissions of new files that were created in each folder notifying users that the files have been encrypted. The new files will commonly inherit the user’s permissions that the ransomware was executing under, showing the file owner’s name as the user account that initially became infected with the ransomware.

Once users are identified, their devices and access should be disabled to halt the encryption process in the shared location.

The second possible scenario is a computer becomes infected and a user finds files on the local system that are encrypted and inaccessible, but the user has not yet received an- on-screen ransom message. Most ransomware variants leave a text file or HTML file in each folder they encrypt that informs the user the files have been encrypted and are being held ransom, but in this scenario, it is likely that the encryption process is in progress, the user just happened to try and access a file that has been encrypted, and the ransomware hasn’t yet completed its malicious activity. In this case, the victim computer should be shut down immediately due to the likelihood that the malicious process is active and still going through the various folders on the local and possibly network drives, rendering them inaccessible.

In this scenario, employee device(s) within the organization will silently become infected and begin encrypting all the user’s local files as well as all the files the user may have access to on network shares. Once the encryption process is complete, a message will display on the infected computer’s screen notifying the user their files have been encrypted and providing a method to pay the ransom. The text of a message displayed to the user varies for each ransomware family. Beyond notifying the user that he/she is infected and helping security teams realize an incident is taking place, the message displayed on the infected computer can help determine which ransomware variant has been used to attack the organization. Any displayed messages should be captured by taking a screenshot or photo with a mobile device and kept as part of the forensic information collected about the incident.

Another way for security teams to become aware of an ongoing ransomware situation is seeing file manipulation thresholds cross significantly beyond their normal daily records. An alert of this sort would typically come from a SIEM solution where corresponding rules have been set. The next step is the analysis phase.