What to do if ransomware attacks me
How to know whether ransomware has infected me
Studies of ransomware victims show that several of the same signals recur in the telemetry from the weeks before the attack.
Close analysis of system behavior in the days before an attack reveals anomalies that are harmless in isolation but malicious in the wrong context: legitimate network and system administration tools that cybercriminals use to set the stage for the attack.
The good news is that these small anomalies can be detected and treated as an important early indicator that the future victim's security is under threat.
Without further ado, here are 5 signs that indicate a possible ransomware attack:
A network scanner, especially on a server
Attackers usually start by gaining access to a single machine, often a server, and look for basic information about it: whether it runs Windows or macOS, the domain and company name, and what administrative rights the compromised account has.
They then broaden the search to map what data and resources are reachable on the network and which of them they can access. An unexpected run of a network scanner such as AngryIP or Advanced Port Scanner, particularly on a server, is a signal to get help and start investigating immediately.
Tools that disable antivirus software
Once attackers obtain network administration rights, the most common next step is to disable the protection offered by security software, using applications built for that purpose such as Process Hacker, IOBit Uninstaller, GMER and PC Hunter.
These are entirely legitimate tools, but in the hands of unauthorized personnel they are a serious threat to a company's IT security. When one of them appears unexpectedly, the recommended response is a thorough investigation as quickly as possible.
Presence of MimiKatz
Any detection of MimiKatz should be investigated. Someone on the IT team should be able to vouch for its use; if nobody can, treat it as an immediate red flag. MimiKatz extracts credentials from memory, which is why it is so widely used in intrusions.
Attackers also sometimes use Microsoft Process Explorer, a legitimate tool that can dump the memory of LSASS.exe to a .dmp file. This makes the attack even more effective: the attacker copies the dump to their own environment and runs MimiKatz against it on a test machine rather than on the victim's network, extracting usernames and passwords offline.
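The three signals above (network scanners on a server, tools that disable security software, and MimiKatz or an LSASS dump) all boil down to the same hunt: run process-creation and file-creation telemetry through a watchlist and escalate a host that shows more than one category in a short span. The following is an added example of that hunt, not code from the original article; the event layout, the image names in the watchlist, the Mimikatz command-line markers and the sample events are assumptions made for illustration and should be mapped to your own EDR or Sysmon fields and to the binaries you actually see.

```python
"""Hunt for ransomware precursor tools in process- and file-creation telemetry.

Added example (not from the original article). Event shape, watchlist names and
the sample events are assumptions; adjust them to your own telemetry.
"""
from collections import defaultdict
import ntpath

# Assumed watchlist of lower-case image names, keyed by the signal they indicate.
WATCHLIST = {
    "network_scanner": {"ipscan.exe", "advanced_port_scanner.exe"},
    "security_tampering": {"processhacker.exe", "iobituninstaler.exe",
                           "gmer.exe", "pchunter32.exe", "pchunter64.exe"},
    "credential_theft": {"mimikatz.exe"},
    "memory_dumper": {"procexp.exe", "procexp64.exe"},
}

# Mimikatz is frequently renamed, but its module syntax still shows on the command line.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")


def classify(event):
    """Return the precursor category an event indicates, or None if it looks benign."""
    if event["type"] == "process_create":
        image = ntpath.basename(event.get("image", "")).lower()
        for category, names in WATCHLIST.items():
            if image in names:
                return category
        cmdline = event.get("cmdline", "").lower()
        if any(marker in cmdline for marker in MIMIKATZ_MARKERS):
            return "credential_theft"
    elif event["type"] == "file_create":
        target = ntpath.basename(event.get("target", "")).lower()
        # A dump of lsass.exe written to disk is the artifact Process Explorer leaves behind.
        if "lsass" in target and target.endswith(".dmp"):
            return "lsass_dump"
    return None


def hunt(events, escalate_at=2):
    """Classify every event and escalate hosts showing at least `escalate_at` distinct signals.

    Returns (findings, escalated): findings is a list of (timestamp, host, category, detail),
    escalated maps host -> sorted list of categories seen on that host.
    """
    findings = []
    per_host = defaultdict(set)
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        detail = ev.get("cmdline") or ev.get("target") or ev.get("image")
        findings.append((ev["ts"], ev["host"], category, detail))
        per_host[ev["host"]].add(category)
    escalated = {h: sorted(c) for h, c in per_host.items() if len(c) >= escalate_at}
    return findings, escalated


# Constructed sample telemetry (not real logs): one server that shows the full chain,
# one workstation with a single uninstaller run that should not be escalated on its own.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T02:11:09", "host": "srv-dc01", "type": "process_create",
     "image": r"C:\Users\jsmith\Downloads\Advanced_Port_Scanner.exe",
     "cmdline": "Advanced_Port_Scanner.exe"},
    {"ts": "2024-03-04T02:12:00", "host": "srv-dc01", "type": "process_create",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2024-03-04T02:40:31", "host": "srv-dc01", "type": "process_create",
     "image": r"C:\Temp\ProcessHacker.exe", "cmdline": "ProcessHacker.exe"},
    {"ts": "2024-03-04T03:02:47", "host": "srv-dc01", "type": "process_create",
     "image": r"C:\Temp\procexp64.exe", "cmdline": "procexp64.exe"},
    {"ts": "2024-03-04T03:03:10", "host": "srv-dc01", "type": "file_create",
     "image": r"C:\Temp\procexp64.exe", "target": r"C:\Temp\lsass.DMP"},
    {"ts": "2024-03-04T03:15:00", "host": "srv-dc01", "type": "process_create",
     "image": r"C:\Temp\update.exe",
     "cmdline": 'update.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2024-03-04T09:00:00", "host": "ws-fin07", "type": "process_create",
     "image": r"C:\Program Files\IObit\IObit Uninstaller\IObitUninstaler.exe",
     "cmdline": "IObitUninstaler.exe"},
]

if __name__ == "__main__":
    findings, escalated = hunt(SAMPLE_EVENTS)
    for finding in findings:
        print(*finding)
    print("escalate:", escalated)
```

The correlation step is the point: a single hit for an uninstaller on a workstation (ws-fin07) is noise, but a server that shows a scanner, a process-killer, an LSASS dump and a Mimikatz command line within an hour is the pre-ransomware staging the article describes, whether or not any one of those tools is blocked by antivirus.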
Suspicious behavior patterns
A detection that recurs every day at the same time, or that follows any other regular pattern, is usually a sign that something is going on, even when the malicious files are detected and removed each time. An attack that keeps coming back generally means there is another, more dangerous one behind it that has not yet been detected.
Small-scale test attacks
Sometimes the attacker uses one computer to run a test that measures how well their deployment method works and whether the ransomware executes correctly. When the security software detects and blocks the attempt, the test is usually repeated with a different technique. This often happens only hours before the real attack, so a fast reaction to this kind of event is essential.
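Both of the patterns above can be pulled out of an antivirus or EDR alert history with two simple checks: a detection that recurs at nearly the same time of day on several days, and a host that accumulates several different detections within a few hours (the attacker retrying with another technique). The following is an added example of those two checks, not code from the original article; the `timestamp,host,threat` alert format and the sample alerts are constructed for illustration, so the parser will need adapting to your console's export.

```python
"""Two alert-history checks: daily recurrence at the same time, and a burst of
different detections on one host.

Added example (not from the original article). The alert format and the sample
alerts are constructed; adapt parse_alerts() to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "ISO-timestamp,host,threat" (not real alerts).
SAMPLE_ALERTS = """\
2024-03-01T03:00:12,srv-file02,Trojan.Generic
2024-03-02T03:00:45,srv-file02,Trojan.Generic
2024-03-03T02:59:51,srv-file02,Trojan.Generic
2024-03-04T03:01:03,srv-file02,Trojan.Generic
2024-03-02T11:15:00,ws-hr03,Adware.Toolbar
2024-03-04T22:10:00,ws-eng11,Ransom.Test.A
2024-03-04T23:40:00,ws-eng11,HackTool.Dumper
2024-03-05T01:05:00,ws-eng11,Trojan.Dropper
"""


def parse_alerts(text):
    """Parse 'timestamp,host,threat' lines into sorted (datetime, host, threat) tuples."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, threat = line.split(",", 2)
        alerts.append((datetime.fromisoformat(ts), host, threat))
    return sorted(alerts)


def _minute_gap(a, b):
    """Distance in minutes between two times of day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 1440 - d)


def periodic_hosts(alerts, min_days=3, tolerance_min=5):
    """Hosts where a detection recurs at (almost) the same time of day on >= min_days days.

    Returns {host: {"time": "HH:MM", "days": n, "threats": [...]}} using the time-of-day
    cluster that covers the most distinct days.
    """
    by_host = defaultdict(list)
    for ts, host, threat in alerts:
        by_host[host].append((ts, threat))
    result = {}
    for host, items in by_host.items():
        best = None
        for anchor_ts, _ in items:
            anchor = anchor_ts.hour * 60 + anchor_ts.minute
            near = [(ts, t) for ts, t in items
                    if _minute_gap(ts.hour * 60 + ts.minute, anchor) <= tolerance_min]
            days = {ts.date() for ts, _ in near}
            if len(days) >= min_days and (best is None or len(days) > best["days"]):
                best = {"time": anchor_ts.strftime("%H:%M"), "days": len(days),
                        "threats": sorted({t for _, t in near})}
        if best:
            result[host] = best
    return result


def burst_hosts(alerts, window_hours=6, min_distinct=3):
    """Hosts with >= min_distinct different threat names inside any window_hours span.

    Several distinct detections in quick succession on one machine is what the
    attacker's retried test deployments look like from the console.
    """
    by_host = defaultdict(list)
    for ts, host, threat in alerts:
        by_host[host].append((ts, threat))
    window = timedelta(hours=window_hours)
    result = {}
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            threats = {t for ts, t in items[i:] if ts - start <= window}
            if len(threats) >= min_distinct:
                result[host] = sorted(threats)
                break
    return result


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("recurring at the same time:", periodic_hosts(alerts))
    print("burst of distinct detections:", burst_hosts(alerts))
```

In the sample, srv-file02 is cleaned every night at about 03:00 and is flagged as recurring even though each individual detection was "handled"; ws-eng11 collects three different detections in under three hours and is flagged as a burst, the case where the article says the real attack may be only hours away. A single adware hit on ws-hr03 triggers neither check.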
If any of these 5 signals appears on your network, take the threat seriously and follow the recommendations of our expert:
“Being attacked by ransomware is one of the great challenges that sometimes we have to face; however, we can take the appropriate precautions to avoid these attacks, among which we have: make sure your firewalls are activated, avoid visiting suspicious websites and do not click on malicious links that come from email. An antivirus program can also help keep your company safe from any cyber attack,” explains José Domingo Abogabir, CEO and General Director of Measured Security.