How to detect a ransomware attack
Stop a Ransomware Attack!
Welcome to the Vectra Threat Detection & Response platform. Learn how you can use Vectra to detect and respond to ransomware attacks targeting your network.
Track suspicious activities
Vectra tracks activity over time and attributes detections to specific accounts (or hosts) that behave suspiciously. These scores are dynamic and change as new detections arrive.
Each score combines two components: certainty and threat.
- The certainty score is based on the degree of difference between the behavior that caused the detection and normal behavior.
- The threat score of a detection expresses the potential for harm if the security event is true.
- The graph shows accounts with a combined high certainty and threat score.
Accounts are sorted in priority order.
Track suspicious accounts
Vectra's patented AI stitches together the cloud account and network account.
This account has 4 detections
An attacker has compromised a user's credentials through spear phishing.
The attacker has uploaded a malicious DLL file to the user's OneDrive, from where it is automatically synced to their host.
The DLL is synced to the compromised user's host and leads to a successful DLL hijacking. This triggers code execution on the host, which calls back to the attacker's C2 infrastructure, giving the attacker remote access and the ability to attack the network.
Lateral movement and reconnaissance phase
The attacker now moves from the cloud to the enterprise network.
Using *LDAP* and *RPC* calls, the attacker maps the network in search of domain admin credentials to distribute the ransomware to critical assets, in this case a domain controller.
With this knowledge, the attacker uses *RPC* to call out to 300 machines and move laterally.
The attacker's recon reveals domain admin credentials on host alan-x1.corp.example.com, so the Azure AD and network AD connected credentials are used to move laterally. Once connected to alan-x1.corp.example.com, the attacker is able to gain access to the domain admin credentials on the host.
The combination of the activities to this point would put this host & account in the critical quadrant, demanding immediate attention.
The attacker continues with their reconnaissance, scanning port 445 to identify potential targets.
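The recon and lateral-movement phase above is visible in network telemetry as a single host opening connections to far more peers on RPC (135) and SMB (445) than it normally does. The following Python example, added here and not code from Vectra or the original page, shows one way a defender can turn that fan-out into a certainty score (distance from the host's own baseline), pair it with a threat score (potential harm if the sweep is real), place the result in a quadrant, and sort hosts into priority order as the scoring section describes. The flow records, baselines, threat weights and the hostname alan-x1 are constructed for the example; the formulas are assumptions, not Vectra's scoring.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ports the walkthrough ties to recon and lateral movement: RPC endpoint mapper and SMB.
WATCHED_PORTS = {135: "RPC", 445: "SMB"}

# Constructed threat weights (assumed, not Vectra's): how much harm a confirmed sweep
# on that port could do. SMB is the ransomware distribution channel on this page.
THREAT_BY_PORT = {445: 80, 135: 60}

# Constructed sample flows as (src_host, dst_host, dst_port); not captured traffic.
FLOWS = (
    [("alan-x1", f"ws-{i:03d}", 445) for i in range(40)]    # one host sweeping SMB
    + [("alan-x1", f"ws-{i:03d}", 135) for i in range(12)]  # plus RPC fan-out
    + [("fileserv", f"ws-{i:03d}", 445) for i in range(3)]  # ordinary server traffic
    + [("ws-001", "fileserv", 445), ("ws-002", "fileserv", 445)]
)

# Constructed baselines: typical number of distinct peers per host on a watched port.
BASELINE = {"alan-x1": 1, "fileserv": 4}
DEFAULT_BASELINE = 1


@dataclass
class Detection:
    host: str
    port: int
    peers: int
    certainty: int  # 0-100: how far the fan-out departs from the host's baseline
    threat: int     # 0-100: potential harm if the behaviour is real

    @property
    def quadrant(self) -> str:
        """Place the detection by its two scores; 'critical' is high on both."""
        high_c, high_t = self.certainty >= 50, self.threat >= 50
        if high_c and high_t:
            return "critical"
        if high_t:
            return "high"
        if high_c:
            return "medium"
        return "low"


def fan_out(flows):
    """Count distinct destination hosts per (source host, watched port)."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port in WATCHED_PORTS:
            peers[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items()}


def detect(flows, baseline=BASELINE):
    """Emit a detection for each host whose fan-out is more than double its baseline."""
    detections = []
    for (host, port), peers in fan_out(flows).items():
        base = baseline.get(host, DEFAULT_BASELINE)
        if peers <= 2 * base:
            continue  # within normal variation: no detection, so no score
        # Ten times the baseline saturates certainty at 100 (assumed scale).
        certainty = min(100, peers * 10 // base)
        detections.append(Detection(host, port, peers, certainty, THREAT_BY_PORT[port]))
    # Priority order: product of the two scores, highest first.
    detections.sort(key=lambda d: (-d.certainty * d.threat, d.host, d.port))
    return detections


if __name__ == "__main__":
    for d in detect(FLOWS):
        print(f"{d.host:10} {WATCHED_PORTS[d.port]:4} peers={d.peers:3} "
              f"certainty={d.certainty:3} threat={d.threat:3} -> {d.quadrant}")
```

Run as a script it lists only alan-x1, on both 445 and 135, in the critical quadrant; the file server talking to three workstations stays below its baseline threshold and produces no detection at all. The baseline per host is what keeps a busy but normal server from scoring like a workstation that suddenly sweeps the subnet.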
The ransomware has been launched
We will continue as though the alerts were ignored and the attack is successful.
The recon is now complete. The attacker has a high-privilege account for propagation, file shares to encrypt, and O365 files to encrypt.
List of encrypted files
Vectra Cognito will show you which files were actually encrypted.
The suspicious remote execution detection can be used to see which hosts were infected with the ransomware.
It's important to note that while the hosts have been infected, they have yet to be encrypted at this point.
As attackers connect, they exfiltrate data.
Learn more about the Vectra platform
Understand more about the Vectra platform and its approach to threat detection and response.