4 Tips on How to Detect Ransomware

Are you wondering how to detect ransomware within your IT environment? Knowing how to recognize ransomware early is crucial for limiting the damage an attack can do.

Ransomware is so effective and devastating because it encrypts files and sensitive data on company desktops, laptops, servers, and mobile devices, bringing business operations to a halt. Faced with a ransom demand, no organization wants to make the impossible choice of whether to pay. By understanding how to detect ransomware on a network, you can catch an intrusion in its early stages, before encryption spreads across the environment, and avoid much of the financial and reputational damage.

Early detection is crucial when dealing with a ransomware-infected device on your network. Fortunately, there are several suspicious activities that you can look for when detecting ransomware on a network. In this article, we’ll discuss four ransomware detection techniques to strengthen your organization’s network security.

1. Understand how ransomware spreads

Ransomware can’t magically appear on your network; it has to get in through a weakness in your IT environment, whether technical or human. Knowing how ransomware spreads is critical to knowing where to look for a ransomware attack. Below are the most common attack vectors for ransomware:

  • Remote Desktop Protocol (RDP): Microsoft’s Remote Desktop Protocol lets users access and control another computer remotely. If an RDP service is exposed to the internet, attackers can brute-force the login or reuse stolen credentials, install ransomware on the device, and use the session to move further into the network.
  • Phishing emails: Many ransomware attackers use phishing emails and other social engineering techniques to trick users into opening malicious attachments or links. These emails work by imitating a trusted third party, such as a vendor, a colleague, or a government entity.
  • Exploit kits: An exploit kit is code hosted on a compromised or malicious website that probes a visitor’s browser and plugins for known vulnerabilities and uses them to install ransomware and other malware. Browser plugins such as Flash, Java, and Silverlight were historically common targets; keeping browsers patched and removing unneeded plugins shrinks this attack surface.

2. Look for common ransomware signatures

Once ransomware is inside your IT environment, several methods exist to identify its presence. Signature-based detection is one of the most common ways to detect ransomware on a computer.

Signature-based detection compares files on a computer against a database of known-malicious indicators. The simplest signature is a cryptographic hash: a function such as SHA-256 reads the bytes of a file and produces a fixed-length string that is, for practical purposes, unique to that exact content. If two files have the same hash, they are byte-for-byte identical, even if they are named differently. Richer signatures match distinctive byte sequences or strings inside a file rather than hashing the whole file.

This has obvious benefits for the question of how to detect ransomware on a PC. If a file’s hash matches a known ransomware sample, it should be quarantined immediately for further analysis. The approach has a hard limitation, however: changing a single byte of the file, whether by recompiling, repacking, or simply appending junk, produces a completely different hash, so a trivially modified variant of known ransomware slips past a hash-only check. Signature matching therefore catches known, unmodified samples and needs to be paired with the behavioral methods below.
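To make that limitation concrete, here is an added Python example (not code from the original article or from UncommonX). It scans a constructed byte string against a tiny hypothetical signature database in two ways: by SHA-256 hash of the whole file, and by a distinctive byte pattern inside the file, the latter going slightly beyond the text to show the usual answer to the hash problem. The sample bytes, the pattern, and the signature names are all made up for the illustration.

```python
import hashlib
import re

# Constructed sample standing in for a ransomware binary that is already in
# a signature database. This is NOT a real malware file; the bytes are made up.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"encrypt_all_drives;drop_ransom_note;.WNCRY"
)

# Hash-based signature: the SHA-256 of the exact known file (hypothetical database).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Ransom.A"}

# Pattern-based signature: a byte sequence that appears in the sample and keeps
# matching when unrelated bytes elsewhere in the file change (in the spirit of
# a YARA string rule). Pattern and name are hypothetical.
PATTERN_SIGNATURES = {
    re.compile(rb"drop_ransom_note;\.WNCRY"): "Demo.Ransom.A (pattern)",
}


def sha256_hex(data: bytes) -> str:
    """Hash of the file's bytes, not of any 'source code'."""
    return hashlib.sha256(data).hexdigest()


def match_by_hash(data: bytes):
    """Exact-file match: only a byte-for-byte identical file is detected."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def match_by_pattern(data: bytes):
    """Content match: any file containing the pattern is detected."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both signature types and report what each one found (None = miss)."""
    return {"hash": match_by_hash(data), "pattern": match_by_pattern(data)}


def flip_one_byte(data: bytes, offset: int = 10) -> bytes:
    """Simulate a trivially repacked variant: one byte of padding is changed."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


if __name__ == "__main__":
    variant = flip_one_byte(KNOWN_SAMPLE)
    print("original:", scan(KNOWN_SAMPLE))  # both signatures hit
    print("variant: ", scan(variant))       # hash misses, pattern still hits
```

Run it and the original sample is caught by both checks, while the one-byte variant has a different SHA-256 and is caught only by the pattern. Real engines layer many such patterns, and attackers in turn obfuscate the strings, which is why the behavioral methods below are still needed.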

3. Monitor for strange behavior

After signature-based detection, the next line of defense against a ransomware attack or data breach is behavior-based detection. Rather than asking what a file is, these methods watch what processes and hosts do, comparing current activity against a baseline of normal historical behavior to identify suspicious occurrences.

The list of actions to potentially look for includes:

  • File renames: As it encrypts data, ransomware typically writes the encrypted content and renames the file, often by appending a new extension. WannaCry, for example, appended .WNCRY to encrypted files. A large number of renames to a single unusual extension in a short period, especially from a process that does not normally touch user documents, is a strong indication that ransomware is at work, and the ransom note usually follows shortly after.
  • Traffic analysis: Ransomware sometimes needs to “phone home,” contacting an attacker-controlled server to receive instructions or report a new victim. Examining your organization’s network and DNS logs can identify suspicious activity, such as a workstation connecting to unknown servers or known-malicious destinations.
  • API analysis: You can often identify ransomware, Trojans, and other malware by the operating-system API calls they make. For example, the GetWindowDC call in the Windows API is sometimes used by malicious software to capture the contents of a window and steal information, and ransomware commonly calls the Windows cryptography APIs in bulk and deletes Volume Shadow Copies (for instance via vssadmin) so that encrypted files cannot be restored.
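The file-rename indicator can be turned into a detection rule. The Python below is an added example, not code from the original article or from any UncommonX product. It parses constructed rename events (timestamp, process, old path, new path; the process names, paths and the .WNCRY extension on the sample lines are made up for the illustration) and raises an alert when one process renames many files to a newly appended extension inside a short window. The window and threshold values are assumptions that you would tune against your own baseline.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import json
import ntpath

# Constructed file-rename events for this example (not real telemetry).
# One event per line: ISO-8601 timestamp | process image | old path | new path
SAMPLE_EVENTS = """\
2024-03-01T09:00:01|winword.exe|C:\\Users\\ana\\Documents\\q1.docx|C:\\Users\\ana\\Documents\\q1_final.docx
2024-03-01T09:00:05|explorer.exe|C:\\Users\\ana\\Pictures\\img1.jpg|C:\\Users\\ana\\Pictures\\holiday.jpg
2024-03-01T09:15:00|updater.exe|C:\\Users\\ana\\Documents\\report.docx|C:\\Users\\ana\\Documents\\report.docx.WNCRY
2024-03-01T09:15:01|updater.exe|C:\\Users\\ana\\Documents\\budget.xlsx|C:\\Users\\ana\\Documents\\budget.xlsx.WNCRY
2024-03-01T09:15:01|updater.exe|C:\\Users\\ana\\Pictures\\img2.jpg|C:\\Users\\ana\\Pictures\\img2.jpg.WNCRY
2024-03-01T09:15:02|updater.exe|C:\\Users\\ana\\Desktop\\notes.txt|C:\\Users\\ana\\Desktop\\notes.txt.WNCRY
2024-03-01T09:15:03|updater.exe|C:\\Users\\ana\\Desktop\\todo.txt|C:\\Users\\ana\\Desktop\\todo.txt.WNCRY
2024-03-01T09:30:00|explorer.exe|C:\\Users\\ana\\Desktop\\a.txt|C:\\Users\\ana\\Desktop\\b.txt
"""

WINDOW = timedelta(seconds=60)  # assumed burst window
THRESHOLD = 5                   # assumed suspicious renames per process per window


def parse_events(text):
    """Turn the pipe-separated lines into (timestamp, process, old, new) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, old, new = line.split("|")
        events.append((datetime.fromisoformat(ts), proc, old, new))
    return events


def ext(path):
    # ntpath handles Windows separators regardless of the host running the script.
    return ntpath.splitext(path)[1].lower()


def is_suspicious_rename(old, new):
    """An extension tacked onto the complete old name ("report.docx" ->
    "report.docx.WNCRY") is the shape many encryptors leave behind; an ordinary
    user rename keeps the extension or changes it to another known one."""
    return new.lower().startswith(old.lower()) and ext(new) != ext(old)


def detect_rename_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per process; returns at most one alert per process."""
    recent = defaultdict(deque)  # process -> deque of (timestamp, new extension)
    alerts, alerted = [], set()
    for ts, proc, old, new in sorted(events):
        if not is_suspicious_rename(old, new):
            continue
        q = recent[proc]
        q.append((ts, ext(new)))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)
            top_ext, _ = Counter(e for _, e in q).most_common(1)[0]
            alerts.append({
                "process": proc,
                "first_seen": q[0][0].isoformat(),
                "count": len(q),
                "extension": top_ext,
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_rename_bursts(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the sample data the ordinary renames by winword.exe and explorer.exe are ignored, and a single alert is raised for updater.exe after its fifth rename to .WNCRY within a few seconds. In production the events would come from Sysmon, EDR file telemetry, or file-server audit logs, and the threshold would be set from the observed per-process rename rate rather than a fixed number.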

4. Deploy strategic honeypots in the network

Last but not least, one effective tactic for detecting ransomware is creating a decoy or “honeypot” for the attackers. This consists of a server, file share, or set of decoy files that your organization’s users have no legitimate reason to access and that should therefore see almost no activity.

When ransomware lands on a device, it typically enumerates local drives and every reachable network share looking for data to encrypt, and it cannot tell a decoy share from a real one. If you receive a notification that a file on the honeypot has been modified, renamed, or deleted, there’s a good chance that malicious software is at work within your environment, and with file auditing enabled the alert tells you which host and account touched it.
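As an added example (not code from the original article or from UncommonX), the Python below plants a few decoy files in a directory, records a baseline of their hashes, and reports any file that was modified, removed, or added, which is exactly what an encryptor does to bait files when it rewrites them and drops a ransom note. The decoy names and contents, and the simulated attacker actions in the demo, are made up. A hash baseline detects changes, not reads; to alert on a file merely being opened you need the operating system’s file auditing (a SACL on a Windows share, auditd or inotify on Linux).

```python
import hashlib
import os
import tempfile

# Bait files: plausible-looking names, harmless contents. Constructed for this example.
CANARY_FILES = {
    "Payroll_2024_FINAL.xlsx": b"decoy spreadsheet " * 64,
    "passwords_backup.txt": b"decoy text " * 32,
    "board_minutes.docx": b"decoy document " * 48,
}


def plant_canaries(directory):
    """Create the decoy files in a directory no legitimate user should touch."""
    os.makedirs(directory, exist_ok=True)
    for name, data in CANARY_FILES.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """name -> sha256 for every regular file in the decoy directory."""
    return {
        name: sha256_file(os.path.join(directory, name))
        for name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, name))
    }


def diff_snapshots(before, after):
    """Classify what changed between two snapshots of the decoy directory."""
    return {
        "modified": sorted(n for n in before if n in after and before[n] != after[n]),
        "removed": sorted(n for n in before if n not in after),
        "added": sorted(n for n in after if n not in before),
    }


def is_alert(changes):
    """Any change at all on a decoy share is worth an alert; nobody should be there."""
    return any(changes.values())


def demo():
    """Plant decoys, take a baseline, simulate an encryptor, and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        plant_canaries(d)
        baseline = snapshot(d)

        # Simulated encryptor behaviour (made up for the example): read a bait
        # file, write a scrambled copy under a new extension, delete the
        # original, and drop a ransom note.
        src = os.path.join(d, "Payroll_2024_FINAL.xlsx")
        with open(src, "rb") as f:
            data = f.read()
        with open(src + ".locked", "wb") as f:
            f.write(bytes(b ^ 0x5A for b in data))
        os.remove(src)
        with open(os.path.join(d, "README_DECRYPT.txt"), "w") as f:
            f.write("decoy ransom note for the example\n")

        return diff_snapshots(baseline, snapshot(d))


if __name__ == "__main__":
    changes = demo()
    print("ALERT" if is_alert(changes) else "quiet", changes)
```

In a real deployment the snapshot would run on a schedule (or be replaced by an inotify/audit-log subscriber) against the decoy share, and the alert would carry the host and account from the file-server audit event so responders can isolate the source immediately.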

How to get started detecting ransomware

In this article, we’ve given four answers to the question, “How is ransomware detected?” Of course, this is only part of the puzzle; the next step is to choose the right anti-ransomware and antivirus tooling to defend against a ransomware attack and to put the detections above into practice.

That’s exactly why UncommonX has created the BOSS XDR (extended detection and response) platform. The BOSS XDR platform helps our clients with everything from protecting against cyber threats—including ransomware—to reacting and recovering after an IT security incident.

Want to see how BOSS XDR can help defend against ransomware and other cyberattacks? Get in touch with our team of IT security experts today to discuss your business goals and requirements and to see a demo of the BOSS XDR solution.

About the Author

At the center of our U.S.-based Security Operations Center (SOC) is a distinctly skilled team of security architects, engineers, analysts, and data scientists. Each is an expert in their respective field and dedicated to protecting our customers 24/7.