How to Identify Ransomware on your Network
Knowing how to identify ransomware on your network and contain it is an essential element of network security. Recovering from a successful ransomware attack can be a long process and cost far more than any ransom paid to the perpetrators of the attack. Furthermore, if a network is not cleaned of an infection completely, the ransomware can strike again. Therefore, being able to identify ransomware is not only essential for detecting and containing attacks, it is essential for preventing repeat attacks.
You can identify Ransomware on a network by:
- Monitoring network traffic going to and from file servers and capturing metadata such as file renames.
- Using IDS technologies at the network edge to spot signatures of known Ransomware variants.
- Monitoring DNS traffic for queries relating to Ransomware domains.
WannaCry made Headlines, but Ransomware is Not New
The recent WannaCry Infections have focused a lot of media attention on the problem of ransomware infections on corporate networks. For many consumers, this was their first introduction to a phenomenon that corporate IT teams have been battling since 1989.
We have been working with our customers to develop and distribute accurate detection technology based on our Windows Fileshare deep dive decoders and other traffic analysis tools. Our tools to identify ransomware provide early detection of ransomware attacks, can help contain the potential damage and facilitate rapid cleanup.
Why You Need to Monitor to Identify Ransomware
Dealing with ransomware requires multiple defensive strategies, typically summarized as:
- Save it – Implement a comprehensive backup policy
- Patch it – Keep IT systems up to date with latest security patches
- Block it – Deploy firewalls, email filters and antimalware detection systems
- Detect it – Be alerted to the presence of ransomware attacks when the previous two fail
- Remove it – Disconnect and rebuild any infected machines
While all elements of the strategy are important, experience tells us that it’s getting harder to ensure ransomware doesn’t get a foothold on the network. The recent WannaCry infections didn’t use email phishing as a delivery vector; instead, the worm propagated rapidly via an SMBv1 exploit and had many built-in techniques to avoid identification by malware detection engines.
At NetFort, we focus on detection by traffic based Network Analysis and Visibility (NAV). This ensures that you are continuously monitoring internal activity so when ransomware strikes, you are immediately alerted, you can identify infected clients, and start containment and cleanup to minimize business disruption.
Why NAV Monitoring is the Best Way to Identify Ransomware
It takes a lot of effort and expense to centralize and monitor the audit logs from all servers and clients on your network. Each server requires a number of configuration changes, and logging must be enabled and configured on each endpoint to send the information to a central collector. Further, once an endpoint is infected with malware it cannot be trusted, so audit logs from potentially infected clients cannot be trusted either.
In summary, logging requires extensive changes to your configuration, doesn’t monitor unknown systems, and carries the risk of malware circumventing the logging at source.
The advantage of traffic based NAV monitoring is that information collected from the network intrinsically continuously monitors all connected devices and cannot be disabled or compromised by an infected endpoint. Any malware that propagates via the network or that causes destructive actions over the network leaves a trail. By analyzing this trail and retaining critical metadata, we have a robust ransomware detection, alerting and forensics capability.
In summary, if network traffic is used there are no configuration changes to make, as any server or device on the network immediately generates traffic which can be analyzed.
Deep Dive Decoders and Protocol Analysis
LANGuardian’s advanced protocol analysis and deep decoders monitor and record every access to network fileshares, recording share name, client IP and username. If the number of file renames or file reads appears excessive, an alert is triggered. This doesn’t require specific signatures for ransomware variants; it depends on client behavior, so it will detect any client that renames or rewrites multiple files on Windows Fileshares. Coupling this with specific fingerprints of certain ransomware variants – such as known file extensions used when files are renamed, attempted access to known website domains, or the filenames of ransom note files – leads to rapid and accurate detection.
Additionally, with the advent of WannaCry we’ve seen the propagation of ransomware by exploiting weak protocols such as SMBv1. LANGuardian includes analysis and reporting to highlight clients attempting to establish connections to servers using the SMBv1 protocol, as well as all fileshare transactions that are occurring over SMBv1. This highlights systems using the weak protocol so you can take action before infection strikes. The same protocol analysis can be used for SSL 1.0 and other weak protocol versions, and for weak SSL certificates such as those signed with SHA1.
Ransomware Detection Features in LANGuardian
LANGuardian Version 14.2.3 includes a newly designed Ransomware Detection Dashboard that brings together all the methods that LANGuardian can use to identify ransomware and other indicators of compromise (IOC), with specific reference to WannaCry. The elements include:
- Graphic showing the rate of file renames on network shares. A high number of file renames is an accurate indication of ransomware activity.
- Top clients (you can also get usernames) renaming files on your network
- Filename extensions associated with WannaCry. This list may grow in time and you can add to it.
- Any activity associated with WannaCry web domains.
- A list of Windows XP clients; as these use SMBv1, they are vulnerable.
- A list of servers running SMBv1.
- Any outbound activity on your network using TCP port 445
- Any instances of ransom note text files associated with WannaCry
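The behaviour-based rename-rate alert, the variant fingerprints (suspect extensions, ransom note names) and the SMBv1 exposure list described in the two sections above, as an added illustration that is not LANGuardian code. The fileshare metadata records, the 5-renames-in-60-seconds threshold and the indicator lists are constructed placeholders, not real indicators or product settings.

```python
"""Detection checks over per-access fileshare metadata (timestamp, client,
user, share, operation, filename, SMB dialect), as a traffic decoder would
record it. Added example, not product code; all values are constructed."""
from collections import defaultdict, deque

# Constructed placeholder indicators (not real ransomware artefacts).
SUSPECT_EXTENSIONS = {".encrypted-example"}
RANSOM_NOTE_NAMES = {"readme_decrypt_example.txt"}

# Constructed records: one client renames six files in 25 s and drops a note,
# another client behaves normally but speaks SMBv1.
RECORDS = [
    (100 + 5 * i, "10.0.0.5", "alice", "finance", "rename",
     f"q{i}.xlsx.encrypted-example", "SMB2") for i in range(6)
] + [
    (126, "10.0.0.5", "alice", "finance", "write", "README_DECRYPT_EXAMPLE.txt", "SMB2"),
    (100, "10.0.0.7", "bob", "finance", "rename", "budget_v2.xlsx", "SMB1"),
    (200, "10.0.0.7", "bob", "finance", "read", "budget_v2.xlsx", "SMB1"),
]

def rename_rate_alerts(records, window=60, threshold=5):
    """Peak renames per client within any `window` seconds; returns only the
    clients whose peak reaches `threshold` (no variant signature needed)."""
    recent = defaultdict(deque)   # client -> rename timestamps inside the window
    peak = defaultdict(int)
    for ts, client, _user, _share, op, _name, _dialect in sorted(records):
        if op != "rename":
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] > window:   # drop renames older than the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

def fingerprint_hits(records):
    """Variant-specific indicators: suspect extensions on renamed files and
    known ransom-note filenames written to a share."""
    hits = []
    for _ts, client, _user, share, op, name, _dialect in records:
        lower = name.lower()
        if op == "rename" and any(lower.endswith(e) for e in SUSPECT_EXTENSIONS):
            hits.append((client, share, "suspect-extension", name))
        if lower in RANSOM_NOTE_NAMES:
            hits.append((client, share, "ransom-note", name))
    return hits

def smbv1_clients(records):
    """Clients seen using SMBv1 at all: exposure to fix before infection."""
    return sorted({r[1] for r in records if r[6] == "SMB1"})
```

Feeding real decoder output through the same three functions gives the rename-rate graph, the fingerprint hits and the SMBv1 list that the dashboard elements above describe.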
Find Out More about How to Identify Ransomware on Your Network with LANGuardian
If you have any questions about how to identify ransomware on your network with LANGuardian, do not hesitate to contact us. Alternatively, you are invited to download a free thirty-day trial of LANGuardian now to ensure you are continuously monitoring the internal traffic on your network and can immediately detect and investigate unusual activity.
Getting your data decrypted
In 2016 the infosec industry rallied around a common goal to combat ransomware under the No More Ransom initiative. Whilst the public face of this initiative is the portal nomoreransom.org where almost 100 decryption tools are provided freely to anyone who may have the misfortune of being a victim of ransomware, the initiative is a true collective of organizations and law enforcement agencies combating ransomware and those behind such cowardly attacks.
Find out what variant of Ransomware you are dealing with by reviewing any splash screens or by checking for information within ransom note text files. You can then search for a decryption tool on the nomoreransom.org website.