Windows servers and clients are by far the No. 1 operating systems targeted by ransomware, and the attacks are only growing in sophistication, often attacking servers via Remote Desktop Protocol and Active Directory services. This guide will teach you the signs to watch for in order to possibly catch a ransomware attack before it happens.
1. Stopped or Disabled Services
Keep an eye on your background services. If you notice a service that is supposed to always run has suddenly stopped—or worse yet, been disabled—it could mean that ransomware is attempting to free up files usually locked by those services so that it can write to and thus encrypt them. According to Microsoft, the taskkill.exe and net stop tools are often leveraged by ransomware to kill such services. It may even use sc.exe to disable a service through the registry.
Be especially wary if any stopped services belong to your security software. Many ransomware variants will try to kill your security software before it has a chance to detect and intercept the attack. If it successfully brings your security down, it’s open season on your data.
2. Sabotaged Backup and Recovery
Some ransomware will go after your disaster recovery mechanisms before fully launching an attack. Backups are the last line of defense against ransomed data, and attackers know it.
Not only may an attack try to kill your backup and recovery software’s running services (including Windows’ own System Restore service), but it may also terminate scheduled backups, search for and destroy existing backups, and even delete shadow copies, ensuring you have no means of recovery to fall back on once the attacker encrypts your data.
3. High CPU or Disk Usage
Always be on the lookout for mysterious spikes in CPU or disk usage. There are many benign reasons your resource consumption may spike, but if the reason isn’t apparent or is seemingly undetectable, be alert. Ransomware processes often need to run in the background and may require a significant portion of resources, be it CPU for execution or disk resources as it writes over and encrypts multiple files.
Though in some cases it may be possible spot a resource-hungry attack in Task Manager, some variants will be clever enough that their processes will be almost impossible to identify in a list of running processes.
4. Garbled Text or Unauthorized Modification
If you ever open a text file and find the contents illegible, be alert—that garbled text may be the beginning of an attack, and what appears to you to be nonsense characters may be the result of an attempt to encrypt your data or an anti-forensics method for covering up its tracks.
Also, always be on the lookout for any signs of unauthorized attempts to modify files on your system. This may not be so obvious, but for example, if you see prompts to authorize access seemingly out of the blue or see unaccounted-for attempts recorded in logs, it could mean ransomware is trying to gain a foothold.
5. Missing Log Files
Speaking of log files, be especially wary if any logs suddenly vanish. Some types of ransomware will use tools such as cipher.exe, wevtutil, and fsutil.exe to destroy logs and thus remove any evidence of foul play.
Lockbit 2.0 serves as a recent example, which both deletes log files and shadow copies residing on disks.
Modified Boot Settings
If something weird seems afoot when you first boot up, such as any services failing to start, check for signs of modified boot settings. Some ransomware will try to disable warning messages and prevent automated repair processes by modifying Windows boot settings, where it can ensure that not only are the services stopped, but they’ll never even have the chance to start.
For example, consider Redboot, which appeared in 2017 and not only attacked the Master Boot Record, but also the partition table.
6. How to Protect Yourself
None of these symptoms prove the certainty of an attack; in fact, they may often be caused by other, far less threatening issues. But any time one or more of these symptoms are observed, exercise caution. There are some tools and strategies that can help.
First, Microsoft provides some advanced hunting features in its Microsoft 365 Defender suite. To fully utilize it, you’ll need to learn some of its query language, which you can then use to execute various simple scripts to check for attempts to kill servicers, delete data, kill backups, and more. Next, check out our guide on Threat Hunting and How to Prevent Ransomware, then learn about how to build a well defended Ransomware Backup Strategy, including the “3-2-1 Rule,” which will help guard against attempts to sabotage your backups.