1. Network Scanner: Cybercriminals often start a ransomware attack by accessing one machine where they learn about an organization’s network and the information they can access, Sophos indicated. Thus, they may use a network scanner like AngryIP or Advanced Port Scanner to quickly scan a network.
2. Tools Used to Disable Antivirus Software: Hackers typically disable security software after they obtain administrative rights to an organization’s networks and systems, Sophos indicated. They may use Process Hacker, IOBit Uninstaller and similar tools to disable antivirus software and other security software.
3. MimiKatz: MimiKatz is an open-source application that cybercriminals may use to view and save authentication credentials. As such, MimiKatz is commonly used for credential theft.
4. Patterns of Suspicious Behavior: Patterns of suspicious behavior may occur around the same time each day and indicate that networks or systems are not operating normally, Sophos pointed out. If such patterns are detected, they may also indicate that malicious activity is occurring that has yet to be identified.
5. Simulated Attacks: Cybercriminals may initiate test attacks to see if they can successfully execute ransomware attacks, Sophos stated. Once test attacks are completed, cybercriminals can determine if an organization’s security tools will stop these attacks and plan accordingly.
In the event that an organization identifies any of the aforementioned indicators of a ransomware attack, it should investigate the issue immediately. That way, an organization may be able to stop a ransomware attack before it leads to revenue loss, brand reputation damage and compliance penalties.
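As an added illustration (not from Sophos or the original article), the sketch below checks process-creation events for the tool families in indicators 1 to 3 and flags the "same time each day" recurrence from indicator 4. The event format, the executable-name substrings and the sample events are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Tool families from the list above. The executable-name substrings are
# assumptions for illustration; a renamed binary will not match them.
WATCHLIST = {
    "network_scanner": ("ipscan", "advanced_port_scanner"),
    "security_tool_tampering": ("processhacker", "iobit"),
    "credential_theft": ("mimikatz",),
}

# Constructed sample process-creation events: (timestamp, host, image path).
SAMPLE_EVENTS = [
    ("2024-03-04T02:14:00", "FS01", r"C:\Users\Public\ipscan.exe"),
    ("2024-03-05T02:09:00", "FS01", r"C:\Users\Public\ipscan.exe"),
    ("2024-03-06T02:21:00", "FS01", r"C:\Users\Public\ipscan.exe"),
    ("2024-03-06T02:40:00", "FS01", r"C:\Temp\ProcessHacker.exe"),
    ("2024-03-06T03:02:00", "DC01", r"C:\Temp\mimikatz.exe"),
    ("2024-03-06T09:15:00", "WS17", r"C:\Windows\System32\notepad.exe"),
]

def classify(image):
    """Return the watchlist category for an image path, or None."""
    name = image.lower()
    for category, needles in WATCHLIST.items():
        if any(needle in name for needle in needles):
            return category
    return None

def find_indicators(events, min_days=3):
    """Return (hits, recurring): every watchlist match, plus the
    (host, category, hour) keys seen on at least min_days distinct days."""
    hits = []
    days_seen = defaultdict(set)
    for ts, host, image in events:
        category = classify(image)
        if category is None:
            continue
        when = datetime.fromisoformat(ts)
        hits.append((ts, host, category))
        days_seen[(host, category, when.hour)].add(when.date())
    recurring = sorted(k for k, days in days_seen.items() if len(days) >= min_days)
    return hits, recurring

if __name__ == "__main__":
    hits, recurring = find_indicators(SAMPLE_EVENTS)
    for hit in hits:
        print("match:", hit)
    for host, category, hour in recurring:
        print(f"recurring: {category} on {host} around {hour:02d}:00")
```

Several of these tools also have legitimate administrative uses, so a match is a prompt to investigate who ran it and why rather than proof of compromise.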
How MSPs Can Mitigate Ransomware Attack Risks: To safeguard your MSP business and clientele from ransomware attacks, follow this tip sheet.