What Is Your Last Chance To Stop A Ransomware Attack?

James Green
November 2, 2021

We recently asked renowned ransomware expert Allan Liska: "What should you be on the lookout for to stop an attack in progress and avoid the worst of it?" See his response in the video, or, in case you missed it, read the transcript below:


James Green:

Ransomware attackers follow a pretty consistent playbook most of the time. And so, if you know what to watch for, you may be able to stop an attack in progress and avoid the worst of it. Can you quickly just talk us through some of the first things that happen and what folks can be watching for?

Allan Liska:

Ransomware actors, when they land in the network, they have to learn more about what it is. And so, they run generally a standard set of native Windows commands. But they're unusual in that most administrators wouldn't run them, like whoami, netall, things like that. Then, they often will run a bunch of PowerShell scripts or other types of scripts, one right after the other. Those are really unusual events to occur so quickly together.

James Green:

Most ransomware attackers follow a pretty consistent playbook. Once they've got inside the network, they start to try and learn about the network and then start to take some actions leading up to the point at which they'll actually deploy the ransomware. Can you talk folks through what they should be watching for that might allow you to catch an attack in progress and stop it before it really happens?

Allan Liska:

This is part of the alerting process, the threat hunting process, that we talk about in the book: the first thing that the ransomware actor has to do is learn where they are. They have to do some reconnaissance work, and that is, they use Windows native commands, like whoami and netshow and other types of commands in rapid succession to get a lay of the land, if you will. After that, they generally run some PowerShell scripts. They start pushing things out into memory. But they're doing all of this, again, very closely together. If you're looking for this kind of activity, that can alert you that a ransomware actor has entered your network.

James Green:

And there is a certain point where they do a last couple of activities and then decide, okay, we're in a good position, let's actually engage the ransomware. What is that jumping off point where if we can catch it before this last piece or couple of pieces, we may still stop this thing?

Allan Liska:

The last thing that they really want to do is delete the volume shadow copies. That is, every Windows machine has essentially a hidden backup of recent files and documents that have been used in the network. Ransomware actors have to remove those because otherwise you could just restore the machine from those shadow copies. There are three or four different ways that they do that, but ultimately, they all have to remove it. What's interesting is that ransomware is the only software that actively removes all of the shadow copies.

James Green:

Why else would you do that?

Allan Liska:

Right. Sometimes administrators will do it manually because they need to make room on a system or they're troubleshooting a problem. Some backup software will occasionally do it, but you can create an allow list. So if your backup software does occasionally do it, you can make an allow list that says, oh yeah, this process is okay if it does it. Anything else that's doing it is probably ransomware.

James Green:

Got it. If we can detect that, we may yet stop this attack. How can folks monitor for that, and what should be the next step if they detect that mass deletion of shadow copies is happening?

Allan Liska:

You can monitor it in your Windows event logs, and if you're using a SIEM, you can monitor for it there. The challenge is that often it takes minutes, if not hours, from when the event happens to when an alert is seen by a SOC analyst. The logs have to be batched. They have to be sent to the log controller, which then sends them over to the SIEM. The SIEM then processes all the logs that are coming in, identifies this as a high priority event, then presents it as an event. The SOC analysts, they may be dealing with other events and they don't get around to it. You may have minutes to hours from when this happens to when it's seen by a SOC analyst. But you only have seconds to minutes from when this happens to when the ransomware starts, to when the encryption process starts. So, that is one of the disconnects in our normal detection processes versus how fast the ransomware actor can move.

James Green:

And so really, in an ideal scenario, some sort of automation needs to take place the minute it detects that something like that is happening, we shut it all down, pull the cords in a virtual sense.

Allan Liska:

Right, exactly. That is where, if you have an EDR in place or you have a SOAR in place, when that event hits, automatically isolate the machine that the event happened on and then kill that process so that it can stop. Even if encryption started, it can stop it and limit the damage to that machine or those couple of machines that the ransomware has been pushed out to. Of course, that's the ideal situation. Not everybody has access to those same tools though.

James Green:

If they don't, is there something that's the next best thing?

Allan Liska:

There is a free tool available that was developed by Florian Roth, who is a well known security analyst. It's a tool called Raccine, ransomware vaccine. What it does is it only serves one purpose. It looks for any process that deletes shadow copies and kills that process. That's all it does. It's nice in that it's single purpose. It's continuously updated as ransomware actors change tactics for how they delete shadow copies. But it's a file that only does that one thing and it's freely available to any organization that wants it. You have to install it on every machine, but it's also, interestingly, not something that ransomware actors look for in their general day-to-day operations. It often flies under the weather, or under the radar.

James Green:

Very cool. Thanks, Allan.

Allan Liska:

No problem. Thank you.
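The two detection points Liska describes, a burst of native discovery commands on one host and a shadow-copy deletion launched by a process that is not on the allow list, as an added Python example. This is not code from the interview, the book or Raccine. The log format, host names, the backup agent path on the allow list and the thresholds are all constructed for the demonstration; the command patterns are the well-known ones that public detection rules match on, and the alert is what a SIEM or SOAR would hand to an isolate-and-kill action.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    parent: str   # image path of the parent process
    command: str  # full command line of the new process


# Constructed sample telemetry (not real incident data), in a simplified
# "timestamp|host|parent_image|command_line" shape such as a SIEM might
# export from Windows 4688 / Sysmon process-creation records.
SAMPLE_LOG = """\
2021-11-02T09:00:01|WS-17|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe /c dir
2021-11-02T09:30:00|WS-17|C:\\Windows\\System32\\cmd.exe|whoami
2021-11-02T09:30:02|WS-17|C:\\Windows\\System32\\cmd.exe|net user
2021-11-02T09:30:05|WS-17|C:\\Windows\\System32\\cmd.exe|ipconfig /all
2021-11-02T09:30:07|WS-17|C:\\Windows\\System32\\cmd.exe|systeminfo
2021-11-02T09:45:10|WS-17|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2021-11-02T09:45:11|WS-17|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2021-11-02T10:00:00|SRV-BKP|C:\\Program Files\\ExampleBackup\\agent.exe|vssadmin.exe delete shadows /for=D: /oldest
2021-11-02T10:05:00|WS-03|C:\\Windows\\explorer.exe|whoami
"""

# Hypothetical allow list: parent images that legitimately prune shadow
# copies (a backup agent, as Liska describes). The path is a placeholder.
ALLOWED_PARENTS = {r"C:\Program Files\ExampleBackup\agent.exe".lower()}

# Well-known shadow-copy deletion command shapes used by public detection rules.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]

# Native discovery commands: harmless alone, suspicious in rapid succession.
RECON_COMMANDS = {"whoami", "net", "ipconfig", "systeminfo", "nltest", "hostname"}


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the pipe-separated sample format into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, command = line.split("|", 3)
        events.append(ProcessEvent(datetime.fromisoformat(ts), host, parent, command))
    return events


def is_shadow_copy_deletion(command: str) -> bool:
    """True if the command line matches any known shadow-copy deletion shape."""
    return any(p.search(command) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_copy_deletions(events: List[ProcessEvent],
                               allowed_parents=ALLOWED_PARENTS) -> List[ProcessEvent]:
    """Deletion events whose parent process is NOT on the allow list: these are
    the ones that should trigger automatic host isolation and process kill."""
    return [e for e in events
            if is_shadow_copy_deletion(e.command)
            and e.parent.lower() not in allowed_parents]


def _executable_name(command: str) -> str:
    """Bare program name of a command line: 'C:\\x\\cmd.exe /c dir' -> 'cmd'."""
    parts = command.split()
    if not parts:
        return ""
    exe = parts[0].lower().rsplit("\\", 1)[-1]
    return exe[:-4] if exe.endswith(".exe") else exe


def find_recon_bursts(events: List[ProcessEvent], window_seconds: int = 60,
                      threshold: int = 3) -> List[Tuple[str, int]]:
    """Per host, the largest number of discovery commands seen inside any
    sliding window of window_seconds; hosts at or above threshold are returned."""
    by_host: Dict[str, List[datetime]] = {}
    for e in events:
        if _executable_name(e.command) in RECON_COMMANDS:
            by_host.setdefault(e.host, []).append(e.ts)
    bursts = []
    for host, times in by_host.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((host, best))
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, n in find_recon_bursts(evs):
        print(f"[recon burst] {host}: {n} discovery commands inside 60s")
    for e in find_shadow_copy_deletions(evs):
        print(f"[shadow-copy deletion] {e.ts} {e.host} parent={e.parent!r} "
              f"cmd={e.command!r} -> isolate host, kill process")
```

Run against the constructed log, the backup server's pruning on SRV-BKP is suppressed by the allow list, the two deletions on WS-17 are reported, and WS-17 is also flagged for four discovery commands inside one minute, which is the earlier signal Liska says to hunt for. The recon window and threshold are the knobs to tune against your own baseline of administrator activity.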
