How to detect a ransomware attack

Stop a Ransomware Attack!

Welcome to the Vectra Threat Detection & Response platform. Learn how you can use Vectra to detect and respond to ransomware attacks targeting your network.

Track suspicious activities

Track suspicious activities in the Vectra Threat Detection Platform.

Vectra tracks activity over time and attributes detections to the specific accounts (or hosts) that behave suspiciously. Each account or host carries a score that is dynamic and changes based on the detections attributed to it.

A score is composed of two components, certainty and threat:

  • The certainty score is based on how far the behavior that caused the detection diverges from normal behavior.
  • The threat score of a detection expresses the potential for harm if the detection is a true positive.
  • The graph shows accounts with a combined high certainty and threat score.

Accounts are sorted in priority order, depending on the malicious activity detected.

Track suspicious accounts

Vectra detects suspicious behavior in both the cloud and the network.

Vectra's patented AI stitches the cloud account and the network account together into a single identity.

This account has 4 detections.

Account compromise

An attacker has compromised a user's credentials through spear phishing.

The attacker has uploaded a malicious DLL file to the user's OneDrive, where it is automatically synced to their host.

The DLL is synced to the compromised user's host and leads to a successful DLL hijacking. This triggers code execution on the host, which calls back to the attacker's C2 infrastructure, giving the attacker remote access and the ability to attack the network.

Lateral movement and reconnaissance phase

Vectra's AI detected the lateral movement and reconnaissance phase.

The attacker now moves from the cloud to the enterprise network.

Using *LDAP* and *RPC* calls, the attacker maps the network in search of domain admin credentials to distribute the ransomware to critical assets, in this case a domain controller.

First signs of a ransomware attack

With this knowledge, the attacker uses *RPC* to call out to 300 machines and move laterally.

The attacker's reconnaissance reveals that domain admin credentials are present on host alan-x1.corp.example.com, so the compromised credentials, which are connected to both Azure AD and the on-premises Active Directory, are used to move laterally. Once connected to alan-x1.corp.example.com, the attacker gains access to the domain admin credentials on that host.

The combination of the activities to this point would put this host and account in the critical quadrant, demanding immediate attention.

The attacker continues with their reconnaissance, scanning port 445 (SMB) to identify potential targets.
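The fan-out described in this phase (RPC calls to hundreds of machines, followed by port-445 scanning) is also visible in ordinary network connection logs. The following Python script is an added example, not Vectra's code or detection logic: it reads constructed Zeek-style conn.log lines (the tab-separated field layout, the 600-second window and the fan-out threshold are all assumptions) and flags any source host that probes, or successfully opens SMB/RPC sessions with, an unusual number of distinct destinations inside a sliding window, separating the scan (connections with no reply or rejected) from the successful lateral movement (established sessions).

```python
"""Fan-out detector for SMB/RPC scanning and lateral movement.

Added example; not Vectra code. Reads Zeek-style conn.log lines with the
(assumed) tab-separated layout: ts, id.orig_h, id.resp_h, id.resp_p, proto,
conn_state. A source host that fails to reach, or successfully opens SMB/RPC
sessions with, an unusual number of distinct destinations inside a sliding
time window is flagged as scanning or moving laterally.
"""
from collections import defaultdict

LATERAL_PORTS = {445, 135}          # SMB and the RPC endpoint mapper
FAILED_STATES = {"S0", "REJ"}       # Zeek: no reply / rejected -> a probe
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}  # session was set up
WINDOW_SECONDS = 600                # sliding window; assumption, tune per network
FANOUT_THRESHOLD = 5                # distinct destinations; low to suit the sample


def parse_conn_line(line):
    """Parse one conn.log line into a dict, or return None if it is malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, dst, port, proto, state = fields
    try:
        return {"ts": float(ts), "src": src, "dst": dst,
                "port": int(port), "proto": proto, "state": state}
    except ValueError:
        return None


def detect_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: alert} for sources whose SMB/RPC fan-out reaches threshold."""
    per_src = defaultdict(list)
    for rec in filter(None, map(parse_conn_line, lines)):
        if rec["port"] in LATERAL_PORTS:
            per_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        best_scan, best_lateral = set(), set()
        start = 0
        # two-pointer sliding window over this source's SMB/RPC connections
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = recs[start:end + 1]
            scan = {r["dst"] for r in in_window if r["state"] in FAILED_STATES}
            lateral = {r["dst"] for r in in_window if r["state"] in ESTABLISHED_STATES}
            if len(scan) > len(best_scan):
                best_scan = scan
            if len(lateral) > len(best_lateral):
                best_lateral = lateral
        verdicts = []
        if len(best_scan) >= threshold:
            verdicts.append("port_scan")
        if len(best_lateral) >= threshold:
            verdicts.append("lateral_movement")
        if verdicts:
            alerts[src] = {"verdicts": verdicts,
                           "scan_targets": best_scan,
                           "lateral_targets": best_lateral}
    return alerts


def build_sample_log():
    """Constructed sample traffic (not captured data) covering the scenario."""
    t = 1_700_000_000.0
    lines = []
    # benign: a workstation repeatedly talking to its one file server
    lines += [f"{t + i * 30}\t10.0.1.50\t10.0.0.5\t445\ttcp\tSF" for i in range(8)]
    # recon: the foothold probes port 445 across a /24 and mostly gets no answer
    lines += [f"{t + 100 + i}\t10.0.1.23\t10.0.2.{i}\t445\ttcp\t{'REJ' if i % 4 == 0 else 'S0'}"
              for i in range(1, 21)]
    # lateral movement: established SMB/RPC sessions from the foothold to many hosts
    lines += [f"{t + 300 + i * 5}\t10.0.1.23\t10.0.3.{i}\t{135 if i % 2 else 445}\ttcp\tSF"
              for i in range(1, 13)]
    # unrelated HTTPS traffic the detector must ignore
    lines += [f"{t + i * 10}\t10.0.1.{60 + i}\t203.0.113.9\t443\ttcp\tSF" for i in range(20)]
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for src, alert in detect_fanout(build_sample_log()).items():
        print(src, alert["verdicts"],
              f"scan={len(alert['scan_targets'])} lateral={len(alert['lateral_targets'])}")
```

On the constructed data only the foothold 10.0.1.23 is reported, with both verdicts; the workstation that talks to a single file server is not. In a real network the threshold must be baselined rather than guessed, and hosts that legitimately fan out over SMB and RPC (vulnerability scanners, patch and inventory servers, domain controllers) must be allowlisted or the detector will page on every scan cycle. Port 135 is only the RPC endpoint mapper; the follow-on RPC calls land on dynamic high ports, so a production rule would also correlate those.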

The ransomware has been launched

The ransomware is now executed!

We will continue as though the alerts were ignored and the attack is successful.

Reconnaissance is now complete. The attacker has a high-privilege account for propagation, file shares to encrypt, and O365 files to encrypt.

List of encrypted files

Vectra Cognito will show you which files were actually encrypted.

The Suspicious Remote Execution detection can be used to see which hosts were infected with the ransomware.

Note that while these hosts have been infected, their files have not yet been encrypted at this point.

Data exfiltration

Data Smuggler detected

As the attacker connects to hosts, they exfiltrate data.

Attack Stopped!

Stop ransomware before it starts

Understand more about the Vectra platform and its approach to threat detection and response.

Discover the Vectra Platform