After analysing dozens of ransomware incidents over the last 4 years, researchers have identified their defining common characteristics – which can help security managers design targeted defences.
Mandiant Intelligence have published a report that reveals the common attributes of ransomware incidents from around the world and across the industrial spectrum.
The key findings are:
Initial attack vectors
RDP is one of the most frequent initial infection vectors. Default or weak credentials, or credentials stolen in another attack, are used to access Remote Desktop Protocol servers exposed to the Internet, which are then used as a beachhead from which the attackers launch their ransomware.
Phishing emails containing malware attachments also featured heavily, along with drive-by downloads from compromised websites.
3-day window of opportunity
75% of ransomware attacks were initiated at least 3 days after the initial infection or system compromise. This means there is a window of opportunity for security operations teams to identify the initial compromise and contain the attack. SIEM systems can be configured to look for indicators of compromise during the short window after the initial breach while the attackers are still in the network reconnaissance and delivery phases of their operation.
Most ransomware is triggered outside of office hours (half at the weekend and a quarter overnight), because the processor load of encrypting the filesystem results in noticeably slower system responses, which could be spotted by users and support teams. Attackers have even created Active Directory Group Policies that trigger the malware only after a user logs off their system. Automated monitoring of CPU and disk activity for unexpectedly high workloads outside of office hours could raise an alert that an attack is underway.
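One way to implement the out-of-hours workload check described above, as an added example that is not taken from the Mandiant report. The office-hours window, the thresholds, the CSV sample format and the host names are assumptions, and the metric lines are constructed.

```python
from datetime import datetime

# Assumed policy values (not from the report); tune per environment.
OFFICE_DAYS = range(0, 5)          # Monday..Friday
OFFICE_START, OFFICE_END = 8, 18   # 08:00 to 17:59 local time
CPU_PCT, DISK_MBPS = 85.0, 150.0   # a sample is "hot" only if both are met
SUSTAINED = 3                      # consecutive hot samples before alerting

# Constructed samples: ISO timestamp, host, CPU %, disk write MB/s.
SAMPLE = """\
2024-03-02T02:00:00,fs01,96.0,310.0
2024-03-02T02:05:00,fs01,97.5,325.0
2024-03-02T02:10:00,fs01,98.0,330.0
2024-03-02T02:15:00,fs01,98.0,328.0
2024-03-03T03:00:00,db02,91.0,180.0
2024-03-03T03:05:00,db02,22.0,12.0
2024-03-05T11:00:00,ws07,95.0,200.0
2024-03-05T11:05:00,ws07,96.0,210.0
2024-03-05T11:10:00,ws07,94.0,205.0
2024-03-07T01:00:00,app03,90.0,160.0
2024-03-07T01:05:00,app03,92.0,170.0
2024-03-07T01:10:00,app03,93.0,175.0
""".splitlines()

def out_of_hours(ts):
    """True at weekends and outside the office-hours window on weekdays."""
    in_office = ts.weekday() in OFFICE_DAYS and OFFICE_START <= ts.hour < OFFICE_END
    return not in_office

def detect(lines):
    """Return (host, burst_start, alerted_at) per sustained out-of-hours burst.

    Assumes each host's samples arrive in time order.
    """
    streak, alerts = {}, []
    for line in lines:
        stamp, host, cpu, disk = line.strip().split(",")
        ts = datetime.fromisoformat(stamp)
        hot = float(cpu) >= CPU_PCT and float(disk) >= DISK_MBPS
        if hot and out_of_hours(ts):
            run = streak.setdefault(host, [])
            run.append(ts)
            if len(run) == SUSTAINED:   # alert once per burst
                alerts.append((host, run[0], ts))
        else:
            streak.pop(host, None)      # burst ended, or normal working hours
    return alerts

if __name__ == "__main__":
    for host, start, alerted in detect(SAMPLE):
        print(f"ALERT {host}: sustained load since {start}, raised {alerted}")
```

Requiring several consecutive hot samples keeps a single out-of-hours spike (db02) or a busy weekday workstation (ws07) from raising an alert, while the weekend and overnight bursts (fs01, app03) do.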