Sometimes, almost everything goes wrong. An organization doesn’t detect the initial access vector, the Security Operations Center (SOC) doesn’t see the ransomware actor conducting reconnaissance on the network or doesn’t notice files being exfiltrated, and the threat hunting missions fall short. With an estimated 65,000 manual ransomware attacks in 2020, this scenario unfortunately happens often. Some ransomware actors are skilled at moving through the network undetected, while understaffed, overworked security teams can’t keep up with alerts, patching schedules, and security hardening, as well as staying on top of the new issues that are constantly arising.
In American football, when a quarterback, almost always in desperation mode with very little time left to play, throws a long pass to a receiver who is generally surrounded by defenders, it’s called a “Hail Mary” pass. That’s what this page is about: a last chance to stop a ransomware attack before files are encrypted.
Please note that even if the detections outlined on this page work, and the ransomware attack is stopped before files are encrypted, there’s still a lot of work to do. The ransomware actor has been in the network for a while, so a lot of incident response (IR) work needs to be completed quickly to fully remove the attacker, or they’ll continue trying to wreck your environment.
In addition, it’s likely that even though the ransomware attack was stopped, sensitive files were removed from the network. This means the organization might have to deal with extortion demands and the threat of stolen files being released publicly. Interestingly, it’s probably more difficult to deal with ransomware groups after a botched ransomware attack, because they weren’t able to leave a link to their chat server or email addresses to contact them. That’s not to say that it’s better to let the ransomware attack continue, just that it may take more work if an organization needs to understand what was stolen (assuming the information can’t be determined through log analysis).
It’s the ransomware resource you can’t afford to be without. 437 pages of ransomware know-how. Stay ahead of the cybercriminals: get your copy now!