How to detect ransomware activity

Ransomware is an ever-growing and major threat to the cyber environment.  It is a type of software designed to block a computer system until a sum of money is paid.  Individuals and companies alike have fallen victim in the last few years.  New variants of the software make it hard for current security tools such as antivirus products to keep up.  The encryption schemes, and what happens to your data once it is encrypted, are constantly changing.

Here are a few tips that may help to detect ransomware.

  1. Be wary of recognized ransomware file extensions

It is true that the list of known ransomware file extensions increases every day.  However, it is handy to have detection methods in place that flag suspicious file extensions.  It is best practice to install a file action monitoring system that keeps both a historical record and a real-time record of all file and folder activity.

  2. Rapid growth in file renames could be a red flag

Renames are not an everyday occurrence on networks.  You may see a few file renames over the course of a day.  A huge number of file renames in a day should raise a red flag; this is what happens as the data undergoes encryption.

It is best practice to set an alert on anything that renames files at a rate of 4 times per second.  That way, when the threshold is hit, you know to look out for potential ransomware.
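The two checks above (known ransomware extensions, and a rename-rate threshold of 4 per second) are easy to run over the output of a file action monitoring system. The following is an added example, not code from the article or from any monitoring product; the log format, the UNC paths, the user names and the extension list are all constructed for illustration, and the rule fires when one account exceeds 4 renames inside a one-second sliding window.

```python
"""Spot ransomware-style file activity in a file-monitoring log.

Added example; the log format, paths and extension list below are constructed
for illustration and do not come from any particular monitoring product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative extensions used by known ransomware families. Real lists grow daily,
# so this set would normally be fed from a threat-intelligence source.
SUSPICIOUS_EXTENSIONS = {".locky", ".zepto", ".cerber", ".crypt", ".encrypted"}

# The article's rule of thumb: alert when one account renames more than
# RENAME_THRESHOLD files inside a one-second window.
RENAME_THRESHOLD = 4
WINDOW = timedelta(seconds=1)

# Constructed sample log: "<ISO timestamp> <user> <action> <path>[ -> <new path>]".
# Paths contain no spaces in this format.
SAMPLE_LOG = r"""
2024-03-01T09:00:00.000 alice OPEN \\fs01\finance\budget.xlsx
2024-03-01T09:00:01.200 alice WRITE \\fs01\finance\budget.xlsx
2024-03-01T09:00:02.500 bob RENAME \\fs01\hr\policy.docx -> \\fs01\hr\policy.docx.locky
2024-03-01T09:00:02.600 bob RENAME \\fs01\hr\handbook.pdf -> \\fs01\hr\handbook.pdf.locky
2024-03-01T09:00:02.700 bob RENAME \\fs01\hr\payroll.xlsx -> \\fs01\hr\payroll.xlsx.locky
2024-03-01T09:00:02.750 bob RENAME \\fs01\hr\org.pptx -> \\fs01\hr\org.pptx.locky
2024-03-01T09:00:02.800 bob RENAME \\fs01\hr\notes.txt -> \\fs01\hr\notes.txt.locky
2024-03-01T09:00:02.900 bob RENAME \\fs01\hr\readme.md -> \\fs01\hr\readme.md.locky
2024-03-01T09:01:00.000 carol RENAME \\fs01\eng\draft_v1.docx -> \\fs01\eng\draft_final.docx
2024-03-01T09:01:30.000 carol WRITE \\fs01\eng\draft_final.docx
"""


def extension(path):
    """Return the lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_log(text):
    """Parse log lines into event dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, rest = line.split(maxsplit=3)
        if action == "RENAME":
            src, dst = rest.split(" -> ", 1)
        else:
            src, dst = rest, None
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "src": src, "dst": dst})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_extensions(events):
    """Tip 1: flag any event whose resulting path carries a known ransomware extension."""
    hits = []
    for e in events:
        path = e["dst"] or e["src"]
        if extension(path) in SUSPICIOUS_EXTENSIONS:
            hits.append((e["ts"], e["user"], path))
    return hits


def rename_bursts(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Tip 2: one alert per user each time their rename rate first exceeds threshold/window."""
    recent = defaultdict(deque)   # user -> timestamps of renames still inside the window
    in_burst = set()
    alerts = []
    for e in events:
        if e["action"] != "RENAME":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] >= window:   # drop renames that fell out of the window
            q.popleft()
        if len(q) > threshold:
            if e["user"] not in in_burst:  # report once per burst, not on every rename
                in_burst.add(e["user"])
                alerts.append((e["user"], e["ts"], len(q)))
        else:
            in_burst.discard(e["user"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, user, path in find_suspicious_extensions(evs):
        print(f"[EXT]  {ts} {user} produced {path}")
    for user, ts, n in rename_bursts(evs):
        print(f"[RATE] {ts} {user} renamed {n} files within {WINDOW.total_seconds():.0f}s")
```

On the constructed log, the extension check flags all six of bob's renames, and the rate check raises a single alert for bob at the fifth rename (five renames in 0.3 s), while carol's one ordinary rename passes. Either signal alone is noisy in practice; both firing for the same account within seconds is the pattern worth paging on.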


  3. Create a ghost network share

Ransomware will first appear as local files and then move to network shares.  A ghost or sacrificial network share can be used both to detect ransomware and to interrupt it before it gains access to the actual network share.  You can accomplish this by setting up a series of small random files on outdated disks.
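A ghost share is only useful if something watches it. The following is an added example, not code from the article: it seeds a directory with small random-content decoy files, records a SHA-256 baseline, and reports any file that is later modified, removed or added. It assumes the directory is exported as a network share that no legitimate user or process writes to, so any change at all is a signal; the file names and the tampering performed in `run_demo` are constructed for illustration.

```python
"""Seed and monitor a ghost (canary) network share.

Added example, not from the article. Assumes the canary directory is exported as a
share that nothing legitimate writes to, so every change is suspect.
"""
import hashlib
import os
import secrets
import tempfile

CANARY_COUNT = 8
CANARY_SIZE = 4096   # bytes; small files keep the share cheap to host and quick to hash


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_canaries(directory, count=CANARY_COUNT, size=CANARY_SIZE):
    """Create `count` random-content decoy files and return a baseline {name: sha256}."""
    os.makedirs(directory, exist_ok=True)
    baseline = {}
    for i in range(count):
        # Ordinary-looking names so the decoys are enumerated like any other document.
        name = f"report_{i:02d}.docx"
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(size))
        baseline[name] = sha256_of(path)
    return baseline


def snapshot(directory):
    """Hash every regular file currently in the canary directory."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def check_canaries(directory, baseline):
    """Compare the directory against the baseline and return (kind, name) findings.

    kinds: 'modified' (content changed, e.g. encrypted in place), 'missing'
    (deleted or renamed away), 'unexpected' (a new file such as a ransom note or a
    renamed copy). An empty list means the share is untouched.
    """
    current = snapshot(directory)
    findings = []
    for name, digest in baseline.items():
        if name not in current:
            findings.append(("missing", name))
        elif current[name] != digest:
            findings.append(("modified", name))
    for name in current:
        if name not in baseline:
            findings.append(("unexpected", name))
    return findings


def run_demo():
    """Seed a temporary canary share, tamper with it, and return (clean, tampered) findings."""
    with tempfile.TemporaryDirectory() as share:
        base = seed_canaries(share)
        clean = check_canaries(share, base)
        # Constructed tampering that mirrors what the article describes happening to a
        # share: one file overwritten in place, one renamed to a ransomware-style
        # extension, and a note-like file dropped alongside.
        with open(os.path.join(share, "report_00.docx"), "wb") as f:
            f.write(b"\x00" * 16)
        os.rename(os.path.join(share, "report_01.docx"),
                  os.path.join(share, "report_01.docx.locky"))
        with open(os.path.join(share, "README_DECRYPT.txt"), "w") as f:
            f.write("decoy note (constructed)")
        tampered = check_canaries(share, base)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean share:", clean)
    print("after tampering:", tampered)
```

In deployment, `seed_canaries` runs once, the baseline is stored somewhere the share cannot reach, and `check_canaries` runs on a short timer (or is triggered by the file monitor from the previous tip); the first non-empty result is the cue to isolate the writing host before it reaches the real shares.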

  4. Update your exploit kit detection

Many security systems and firewalls have features such as exploit kit detection.  Exploit kits are used to get ransomware onto a client via compromised websites.  The most popular kits are Neutrino EK and Angler EK.  Your network monitoring system may need an update before it is able to detect exploit kits.

  5. Client-based anti-ransomware may be key

Companies have been releasing anti-ransomware applications for a few years.  The applications run continuously on the client and are designed to block attempts at encryption.  The software also monitors for text strings known to belong to ransomware.  The only downside to anti-ransomware applications is that you will need to connect them across the entire network, to each network device.

Having applications and systems in place to detect ransomware is vital to ensuring business continuity.  The consequences of not having any detection software in place could have long-term financial implications.  The cost of investing in detection software is a small price compared to the cost of repairing reputational damage or paying the ransom.
