You might have heard a lot about ransomware recently…
Ransomware is an attack in which a criminal locks you out of your systems and data and demands a fee, typically in Bitcoin, to let you back in. It’s not a new offence, but it’s one of the fastest growing online crimes, because it’s so lucrative for the perpetrators. And thanks to Covid and working from home, more and more companies are unwittingly exposing themselves to the danger.
In fact, it is reported that insurers receive more than a hundred calls per day relating to ransomware.
So, unless you take the appropriate steps, your company will become a victim at some point.
But how do you know that you’re not under attack already?
There’s something most people don’t know about ransomware.
If a hacker has access to your systems now, they’re not going to launch the attack right away. It typically takes between 60 and 100 days, if not longer, from the moment you have been breached to the delivery of the ransomware. So, you might already have unwelcome guests hidden in your network. Now that’s a scary idea.
You may be curious why these cyber criminals take such a long time to launch their attacks. They spend weeks or more just skulking around, investigating the network for vulnerabilities, and waiting for just the right moment to maximise their profits. Not just that, but bizarrely, the longer they take, the harder it is for you to find them.
And how do you know if you are under attack? And if you are, what do you do?
Here are 4 of the best ways for you (or preferably your IT service partner) to check that your network is safe and secure.
That means mentioning some specific technical details and software that can be signs of an impending attack.
1. Check for open RDP links
What is an RDP link and how do you open or close it?
We don’t want to get too technical here, so to put it simply, RDP (Remote Desktop Protocol) is a Microsoft technology that allows a local computer to connect to and control a remote PC over a network or the Internet. You’re probably using this kind of thing if you’ve had any of your people working from home this year, because it makes remote access a lot easier.
But RDP links left open to the Internet are a very common way for cyber criminals to enter your network. Scan for open RDP ports on a regular basis and use multi-factor authentication for your links (multi-factor authentication is where you generate a code on a separate device to prove that it’s you).
Or put them behind a VPN (Virtual Private Network), which gives you a private network over a public Internet connection. This is a routine technical job; your IT service company should be able to do it for you.
2. Look for unexpected software
Ransomware gangs use certain software tools to gain control of your devices. It’s critical that you use a network scanner to verify exactly what’s running and who’s running it.
Many cyber criminals will compromise just one PC first, perhaps using a phishing email to trick someone into clicking on the wrong link without realising it.
Once they have control of one PC, they will go after the whole network. Tools like AngryIP or Advanced Port Scanner are often used to do this. Check the network for tools like these. If they’re present and your IT people haven’t installed them, you might have a problem. Criminals also use software such as Mimikatz and Microsoft Process Explorer to steal your passwords and login credentials.
If you discover something unfamiliar somewhere in your system, get in touch immediately with your IT support partner who will investigate further.
3. Monitor your administrators
Your network administrators typically have the authority to install software on the network. So, what’s the safest way for hackers to install the software they need? They create a new administrator account for themselves. Then they can install any tools they need to attack the network.
You need to be aware of programs such as Process Hacker, IOBit Uninstaller, GMER and PCHunter. These are all legitimate tools that could be used by any IT specialist. Yet they can be dangerous in the wrong hands, and hackers may use them to disable your security software.
4. Check for disabled tools and software
Once cyber criminals have administrator privileges, they will find and deactivate your security tools. You can tell that the attack is close to launching when something called Active Directory and your domain controllers are disabled.
Next, any backups the offenders discover will be compromised. And any systems that automatically deploy software will also be disabled, to prevent the computers from being updated after an attack. Then something called PowerShell will be used to spread everything across your network.
It’s worth remembering that all of this is done slowly. Your hackers take their time, because that makes them much harder to detect. Many security tools only keep logs for a set period of time and are then reset, so no record of the original entry survives. That disguises the attack until it’s ready to start.
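The four checks above, as an added example that is not part of the original post: a read-only PowerShell triage script that runs them on a single Windows host. It assumes Windows 10 / Server 2016 or later with the Defender module, an elevated prompt, and a tool-name list and 30-day look-back that are starting points you should adjust.

```powershell
# Added example, not from the original post. Read-only triage for one Windows host.
# Assumptions: elevated PowerShell, Windows 10/Server 2016+, Defender module present.
$findings = @()

# 1. RDP: is it enabled on this host, and is anything listening on 3389?
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) { $findings += 'RDP is enabled on this host' }
$listen = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
if ($listen) { $findings += 'Port 3389 is listening; confirm it is not reachable from the Internet' }

# 2. Unexpected software: running processes and installed programs matching the tools named above.
#    The name pattern is an assumption; extend it with whatever your IT team has not approved.
$suspectProc = 'mimikatz|procexp|ProcessHacker|gmer|PCHunter|ipscan|Advanced_Port_Scanner|IObit'
Get-Process | Where-Object { $_.ProcessName -match $suspectProc } |
    ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id))" }
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Process Hacker|IObit|Angry IP|Advanced Port Scanner|PCHunter' } |
    ForEach-Object { $findings += "Installed program: $($_.DisplayName)" }

# 3. Administrators: who is in the local Administrators group, and which accounts were
#    created (Security event 4720) or added to a local group (4732) in the last 30 days.
$admins = (Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name) -join ', '
$findings += "Local Administrators group: $admins"
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Account event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])" }

# 4. Disabled protections: Defender real-time protection, plus the services behind
#    Defender itself, Volume Shadow Copy (local backups) and Windows Update.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is OFF' }
foreach ($svc in 'WinDefend', 'VSS', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Disabled') { $findings += "Service $svc is disabled" }
}

# Print everything worth a second look; an empty list is not proof of a clean host.
$findings | ForEach-Object { Write-Output $_ }
```

Run it on each server and on a sample of workstations and hand anything unexpected to your IT support partner to investigate before changing anything.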
Once an attack has been launched and your data is held to ransom, most of the time there’s little you can do other than try to restore backups, or pay the ransom. Hackers have usually been so thorough in their preparation that even the best IT security specialists have few options open to them.
So, once you've found that something might be wrong, what can you do to stop the attack from starting?
The most important step is to regain control of your RDP sessions – remember, the remote access we mentioned earlier. This stops the attackers coming in again, and it also cuts off the control they already have.
You can force a password change across your core systems, which will also throw out your attackers. It is worth noting, however, that this is useless if your RDP access is not cut off and controlled, as the attackers will simply re-enter.
Monitor the administrator accounts. This might sound like a simple step, but you’d be surprised how often it’s neglected. You should also monitor and limit who can use PowerShell within your organisation. Without getting into the details of what PowerShell is, just know it’s a powerful tool that you don’t want the wrong people to play with.
Keep all your software and security tools patched and updated. It’s very tempting to put updates off until later. But saving a little time now is not worth the massive amount of time and money you’ll lose if you become the victim of a ransomware attack. Implement multi-factor authentication across all of your applications, if you haven’t already done so. This adds another layer of security to your network and helps prevent unauthorised access.
Finally, set up your protection from the ground up to ensure that any member of staff in the whole company – from the CEO to the entry level worker – has frequent security training. If everybody is aware of the threats and how to prevent them, they could stop a possible attack in their tracks. Because this is such a highly technical subject, it’s not something that you or your team should tackle on their own. You need IT security specialists to take preventive action and monitor your systems regularly for early signs of problems.