20 August 2024

How to Spot a Ransomware Attack

As dependence on technology increases across every industry and more personal data is stored digitally, the number of ransomware attacks is increasing globally. This makes knowing how to spot a ransomware attack an incredibly valuable skill.

In 2023, the UK experienced a significant increase in ransomware attacks. The number of attacks during the first half of 2023 rose by 87% compared to the latter half of 2022.

New ransomware groups are constantly developing, and every sector is at risk of being attacked. However, the impact of an attack could be reduced and the chance of ransomware recovery increased if you spot it early and react quickly.

In this blog, our cyber security experts share signs to look out for on your system to allow you to spot a ransomware attack.


How Ransomware Attacks Work

While there are a large number of different ransomware groups working today, with new ones appearing regularly, they all work similarly.

The group will gain access to your system; this could be done through phishing emails, unsecured Remote Desktop Protocol (RDP) connections, or exploiting software vulnerabilities. This is likely to happen days, weeks or months before they act on that access.

However, they aren’t lying dormant on your system. They use this time to learn about your system and files. In doing this, they identify valuable data and disable antivirus software that might be running. At this point, they also start to encrypt the files, which is when you and your staff might start to notice something suspicious because files are rendered inaccessible.

When the attackers have all the files they want, they will send a ransom note with a demand, often centred on a payment, in exchange for a decryption key that restores access to the stolen files. The note also includes a threat to release the data publicly should you not meet the demands.

Organisations often find themselves in a hostage situation, as they can’t access their files, leaving them unable to operate as usual.

In this position, it can feel as though the only way out is to pay the ransom, but this rarely leads to the desired effect.

How To Spot a Ransomware Attack

Your staff should learn how to spot a ransomware attack to prevent an attack from seriously impacting your organisation. There are a number of signs of an imminent attack on your system that staff using it day-to-day should be aware of. This could be the difference between data retrieval and loss.

Increase In Phishing Attempts

An increase in phishing emails to your staff could be a sign that a ransomware group, such as LockBit or Play, is looking to gain access to your system.

This is a popular way for attackers to gain entry into systems because it only takes one person in an entire organisation to click or open a virus-laden file for the attackers to infect the whole system.

To avoid your staff accidentally giving access to the attackers, it is important that they know the signs of a phishing email. These include:

  • Unsolicited requests
  • Urgent or threatening language
  • Suspicious links
  • Poor grammar and spelling
  • Unusual sender address
  • Attachments from unknown sources
  • Generic greetings
  • Too good to be true offers
  • Mismatched visuals

A team that communicates about this increase is also critical to spotting a ransomware attack, as staff who share what they receive are more likely to notice the pattern and the increase in emails.


Alerts for an Unauthorised Access Attempt

As attackers attempt to gain access to your system, they are likely to trigger alerts to the network administrators notifying them of an unauthorised access attempt.

Staff might also receive emails that notify them of an attempt to change a password.

Both of these notifications show an effort to gain entry into your systems from an outside source that has been identified as suspicious, so they should be reported, noted and dealt with.

Virus Protection Alerts

Before being deactivated, any malware protection or anti-virus software you have installed on your system is likely to flag dubious software and send out an alert.

In this process, you may also find that the protection software blocks certain programs from running in an effort to prevent the spread of the malware.

Staff should be aware of the anti-virus software your company uses and what an alert may look like, so they can identify genuine alerts.

It is important that you have up-to-date anti-virus software too, as this can give you peace of mind that any ransomware is likely to be picked up and trigger notifications.

Unusual File Names or File Name Extensions

As the ransomware moves through your system, encrypting the files, it usually leaves behind unusual file names or an extension at the end of the file name.

With so many different variants of ransomware in action, it would be impossible to learn every file name pattern to look out for. Therefore, it is recommended that your company has a standard file naming format that everyone across the business uses. This will make it easy for staff to identify unusual names or extensions and spot potential ransomware attacks.
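The check described above can also be automated. The following is an added example, not code from Solace Cyber: it compares a file listing against a naming convention and flags both off-convention names and a run of files that have gained the same unfamiliar trailing extension. The naming pattern, the extension allow-list, the burst threshold and the sample paths are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PurePath

# Assumed house convention (hypothetical): <DEPT>_<description>_<YYYYMMDD>.<ext>
NAME_RE = re.compile(r"^[A-Z]{2,5}_[a-z0-9-]+_\d{8}$")
ALLOWED_EXT = {".docx", ".xlsx", ".pdf", ".pptx", ".csv"}  # assumed allow-list

def classify(path):
    """Return the reasons a file name breaks the convention (empty list if none)."""
    p = PurePath(path)
    suffixes = [s.lower() for s in p.suffixes]
    reasons = []
    if not suffixes or suffixes[-1] not in ALLOWED_EXT:
        reasons.append("unknown-extension")
    # A known extension with something after it, e.g. report.xlsx.k9x2
    if len(suffixes) > 1 and any(s in ALLOWED_EXT for s in suffixes[:-1]):
        reasons.append("appended-extension")
    stem = p.name[: len(p.name) - sum(map(len, p.suffixes))]
    if not NAME_RE.match(stem):
        reasons.append("off-convention-name")
    return reasons

def scan(paths, burst_threshold=3):
    """Return (flagged files, extensions appended to >= burst_threshold files)."""
    flagged, appended = {}, Counter()
    for path in paths:
        reasons = classify(path)
        if reasons:
            flagged[path] = reasons
        if "appended-extension" in reasons:
            appended[PurePath(path).suffix.lower()] += 1
    bursts = sorted(ext for ext, n in appended.items() if n >= burst_threshold)
    return flagged, bursts

# Constructed sample listing of a file share (not real data).
SAMPLE = [
    "shares/finance/FIN_q2-forecast_20240630.xlsx",
    "shares/finance/FIN_q1-actuals_20240331.xlsx.k9x2",
    "shares/hr/HR_leave-policy_20240102.pdf.k9x2",
    "shares/ops/OPS_rota_20240805.docx.k9x2",
    "shares/ops/notes final v2.docx",
    "shares/ops/OPS_suppliers_20240711.csv",
]

if __name__ == "__main__":
    flagged, bursts = scan(SAMPLE)
    for path, reasons in flagged.items():
        print(f"{path}: {', '.join(reasons)}")
    for ext in bursts:
        print(f"ALERT: extension {ext} appended to multiple files; isolate and escalate")
```

A single off-convention name is usually a user habit; the same unknown extension appended to files in several folders is the pattern that warrants immediate escalation.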

Computer Performance Issues

Ransomware can cause interference with computer operating systems, leading to problems with performance and system freezes.

If staff are reporting frequent issues with their computers, it could be a sign that malware is circulating on your system, so it should be investigated as soon as possible.


What Should You Do If You Spot Ransomware on Your Computer?

If you suspect that your system has a form of ransomware on it, you should disconnect from the system and contact Solace Cyber as soon as possible.

By disconnecting from the system and the Wi-Fi, you should prevent the malware from spreading, reducing the impact on your files and operations further down the line.

Our team of experts will be able to assess the damage done and advise on the next steps. Usually, this will include an attempt at file retrieval, but we cannot guarantee the success of this.

Early response to an attack provides the best opportunity for recovery; therefore, we work quickly and efficiently to contain the attack and remove the root cause from the system.

If you think you have spotted a ransomware attack on your system or suspect a ransomware group is trying to gain access, call our specialist team today on 01202 308818 or request a callback online.


Solace Cyber, part of Solace Global, helps companies across the UK recover from ransomware attacks and data breaches.


Solace Cyber Limited is registered in England & Wales no. 14028838

Solace Global

Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom
