Chris Swagler | April 21st, 2022

Ransomware is one of the most devastating threats for businesses of all sizes within every industry. For many organizations, especially small and midsize businesses (SMBs), experiencing a ransomware attack is the difference between thriving and going under. Organizations that partner with a cybersecurity company like SpearTip, which offers a 24/7 Security Operations Center staffed with engineers continuously detecting and remotely responding to suspicious activity, are at considerably lower risk of suffering an attack. The reality for organizations that do not employ such a robust defense, it’s a matter of when not if a ransomware attack will occur.

The hinge difference between these organizations—or the engineers who monitor them—is the ability to identify and neutralize malware in its initial stages. Detecting early signs of ransomware attacks can depend on whether the attacks are automated or human-operated. Even though people view ransomware attacks as something that “just happens,” there are warning signs when ransomware attacks are in progress.

Automated Ransomware Vs. Human-Operated Ransomware

Automated ransomware infections are often opportunistic attacks that follow a pattern and can cause severe problems. Users download ransomware by clicking on links and attachments, typically within malicious emails, then the ransomware encrypts data, runs its program, and displays a ransom message to users.

Human-operated ransomware is more sophisticated. Ransomware groups will find a way to infiltrate corporate networks and, once inside, spend an enormous amount of time researching companies’ systems and planning their attacks. The groups will have gained deep knowledge about the companies’ inner workings by the time they issue their ransom demands. There have been cases of human-operated ransomware in which operators knew details of the victims’ data insurance policy and months may pass between the initial breach and the ransom demands being issued.


Warning Signs of Automated Ransomware

With automated ransomware, there’s the misperception that users click on links and are infected instantly. Every ransomware variant is different; however, victims don’t receive a ransom demand right away because the operators want to first cause maximum damage. If threat operators display the ransom demand when starting the attacks, victims can pull the plug on their computers with minimal damage. Even though every ransomware variant is different, users can detect signs of ransomware attacks in progress by spotting certain irregularities. An abnormal spike in disk activity is the largest sign of any automated ransomware attack. Ransomware will examine every folder for data to encrypt and, depending on the attacks, victims and other people on the networks will notice the systems are less responsive.

Even though at one-time ransomware attacks focused on victims’ hard disks, modern ransomware variants attempt to encrypt the data on network shares. If companies use continuous data protection (CDP) backup technology, the backup server will detect a sharp spike in activity. When the storage blocks that comprise files are modified, CDP products are designed to back up files. Because the malicious encryption process modifies storage blocks, the CDP backup systems must work overtime to keep up with the changes.

Warning Signs of Human-Operated Ransomware

 Human-operated ransomware tends to be more difficult to detect than automated because the attacks occur over a period of weeks or months as threat operators deliberately move slowly to avoid detection. However, there are still signs of ransomware activities users should look for.

When threat operators breach networks, they create a backdoor allowing them into the network whenever they need. Users need to lockout for new accounts being created especially privileged accounts and unauthorized software installations. Spotting MimiKatz, Process Explorer, PC Hunter, or other similar tools are indications that users are under attack. Systems that behave properly suddenly seem glitchy is another sign. Threat operators will attempt to shut down security-related services or tamper with the backups. If users notice that their security-related services are constantly shutting down for no reason, they need to contact their security team immediately.

If users’ backup application that has always been reliable suddenly begins producing numerous errors, they shouldn’t assume it’s a malfunction. To force companies to pay the ransom, threat operators will attempt to disable or destroy their backups and critical security systems. Any breaching-related activities can indicate that a ransomware attack is underway. Internal network port scans and failed attempts to access network shares or infrastructure appliances can also indicate an impending attack.

Defending Against Ransomware

All these reasons indicate why it’s important for companies to remain vigilant on the latest threat landscape and look for early warning signs of ransomware attacks whether automated or human-operated. At SpearTip, our advisory services help companies have a better understanding of how to protect themselves and defend against even the most sophisticated ransomware attacks. Our certified engineers perform security risk assessments to quickly identify real and imminent threats as well as the gaps likely to be exploited in real-world attacks.  During our cybersecurity risk assessment process, our engineers examine companies’ entire security posture and put their policies, procedures, systems, networks, defenses, and staff to the test to locate all vulnerabilities. We also assess the gap between companies’ current cyber state and where it should be by utilizing a cyber maturity-based approach. Engaging in risk assessments and having total endpoint visibility are the surest ways to protect against ransomware.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.