Your best defense against ransomware: Find the early warning signs

As ransomware continues to prove how devastating it can be, one of the scariest things for security pros is how quickly it can paralyze an organization. Just look at Honda, which was forced to shut down all global operations in June, and Garmin, which had its services knocked offline for days in July.

Ransomware isn’t hard to detect, but identifying it only once encryption and exfiltration are rampant is too little, too late. However, there are several warning signs that organizations can catch before the real damage is done. In fact, FireEye found that there are usually three days of dwell time between these early warning signs and the detonation of the ransomware.

So, how does a security team find these weak but important early warning signals? Somewhat surprisingly perhaps, the network provides a unique vantage point to spot the pre-encryption activity of ransomware actors such as those behind Maze.

Here’s a guide, broken down by MITRE ATT&CK category, to the many different warning signs that organizations under attack by Maze ransomware can see and act upon before it’s too late.

Initial access

With Maze actors, there are several initial access vectors, such as phishing attachments and links, external-facing remote access such as Microsoft’s Remote Desktop Protocol (RDP), and access via valid accounts. All of these can be discovered by threat hunting across network traffic. Furthermore, since this represents the actor’s earliest foray into the environment, detecting initial access is the organization’s best bet to significantly mitigate impact.

ATT&CK techniques

Hunt for…

T1193 Spear-phishing attachment
T1192 Spear-phishing link
  • Previously unseen or newly registered domains, unique registrars
  • Doppelgangers of your organization’s or partners’ domains, or of Alexa top 500 domains
T1133 External Remote Services
  • Inbound RDP from external devices
T1078 Valid accounts
  • Exposed passwords across SMB, FTP, HTTP, and other clear-text usage
T1190 Exploit public-facing application
  • Exposure to, and exploitation of, known vulnerabilities

Execution

The execution phase is still early enough in an attack to shut it down and foil any attempts to detonate ransomware. Common early warning signs to watch for in execution include users being tricked into clicking a phishing link or attachment, or when certain tools such as PsExec have been used in the environment.

ATT&CK techniques

Hunt for…

T1204 User execution
  • Suspicious email behaviors from users and associated downloads
T1035 Service execution
  • File I/O over SMB using PsExec, extracting contents on one system and then later on another
T1028 Windows remote management
  • Remote management connections, excluding known-good devices

Persistence

Adversaries using Maze rely on several common techniques, such as a web shell on internet-facing systems and the use of valid accounts obtained within the environment. Once the adversary has secured a foothold, it starts to become increasingly difficult to mitigate impact.

ATT&CK techniques

Hunt for…

T1100 Web shell
  • Unusual connection characteristics (e.g. atypical ports and user agents) on external connections
T1078 Valid accounts
  • Remote copy of KeePass file stores across SMB or HTTP

Privilege escalation

As an adversary gains higher levels of access, it becomes significantly more difficult to pick up additional signs of activity in the environment. For Maze actors, the techniques used for persistence are similar to those used for privileged activity.

ATT&CK techniques

Hunt for…

T1100 Web shell
  • Web shells on external-facing web and gateway systems
T1078 Valid accounts
  • Remote copy of password files across SMB (e.g. files with “passw” in the name)

Defense evasion

To hide files and their access to different systems, adversaries such as those who use Maze will rename files, encode and archive them, and use other mechanisms to cover their tracks. These attempts to hide their traces are themselves indicators to hunt for.

ATT&CK techniques

Hunt for…

T1027 Obfuscated files or information
  • Adversary tools identified by port usage, certificate issuer name, or unknown-protocol communications
T1078 Valid accounts
  • New account creation from workstations and other devices not used for administration

Credential access

There are several defensive controls that can be put in place to help limit or restrict access to credentials. Threat hunters can support this process by providing situational awareness of network hygiene, including specific attack tool usage, credential misuse attempts, and weak or insecure passwords.

ATT&CK techniques

Hunt for…

T1110 Brute force
  • RDP brute-force attempts against known username accounts
T1081 Credentials in files
  • Unencrypted passwords and password files in the environment

Discovery

Maze adversaries use a number of different methods for internal reconnaissance and discovery. For example, enumeration and data collection tools and methods leave their own trail of evidence that can be identified before the exfiltration and encryption occurs.

ATT&CK techniques

Hunt for…

T1201 Password policy discovery
  • Traffic of devices copying the password policy off file shares
  • Enumeration of the password policy
T1018 Remote system discovery
T1087 Account discovery
T1016 System network configuration discovery
T1135 Network share discovery
T1083 File and directory discovery
  • Enumeration of computer names, accounts, network connections, network configurations, or files

Lateral movement

Ransomware actors use lateral movement to understand the environment, spread through the network and then to collect and prepare data for encryption / exfiltration.

ATT&CK techniques

Hunt for…

T1105 Remote file copy
T1077 Windows admin shares
  • Suspicious SMB file write activity
  • PsExec usage to copy attack tools or access other systems
  • Attack tools copied across SMB
T1076 Remote Desktop Protocol
T1028 Windows remote management
T1097 Pass the ticket
  • HTTP POST with the WinRM user agent
  • Enumeration of remote management capabilities
  • Non-admin devices with RDP activity

Collection

In this phase, Maze actors use tools and batch scripts to collect information and prepare for exfiltration. It is typical to find .bat files or archives using the .7z or .exe extension at this stage.

ATT&CK techniques

Hunt for…

T1039 Data from network shared drive
  • Suspicious or uncommon remote system data collection activity

Command and control (C2)

Many adversaries will use common ports or remote access tools to try and obtain and maintain C2, and Maze actors are no different. In the research my team has done, we’ve also seen the use of ICMP tunnels to connect to the attacker infrastructure.

ATT&CK techniques

Hunt for…

T1043 Commonly used port
T1071 Standard application layer protocol
  • ICMP callouts to IP addresses
  • Non-browser-originated HTTP traffic
  • Script-like HTTP requests unique to a device
T1105 Remote file copy
  • Downloads of remote access tools, found through string searches
T1219 Remote access tools
  • Cobalt Strike BEACON, and FTP to directories with “cobalt” in the name

Exfiltration

At this stage, the risk of exposure of sensitive data in the public realm is dire and it means an organization has missed many of the earlier warning signs—now it’s about minimizing impact.

ATT&CK techniques

Hunt for…

T1030 Data transfer size limits
  • External device traffic to uncommon destinations
T1048 Exfiltration over alternative protocol
  • Unknown outbound FTP
T1002 Data compressed
  • Archive file extraction


Ransomware is never good news when it shows up at the doorstep. However, with disciplined network threat hunting and monitoring, it is possible to identify an attack early in the lifecycle. Many of the early warning signs are visible on the network and threat hunters would be well served to identify these and thus help mitigate impact.
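As an added example that is not code from the original article or from Awake Security, the script below runs a handful of the “Hunt for…” checks above (inbound RDP and RDP brute force, ICMP callouts, outbound FTP, WinRM POSTs from non-admin devices, non-browser HTTP to the internet, and tool or password-file copies over SMB) over constructed Zeek-style connection, HTTP and SMB file records. The internal address ranges, the known-good management host, the brute-force threshold and the sample records are all assumptions to tune per environment.

```python
# Added example (not the article's or Awake Security's code): a few of the
# "Hunt for..." checks above, run over constructed Zeek-style network records.
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD_MGMT = {"10.0.0.5"}              # assumption: the admin jump host allowed to use WinRM
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Edge/")
WINRM_UA = "Microsoft WinRM Client"         # user agent WinRM sends in its HTTP POSTs
TOOL_EXTENSIONS = (".bat", ".7z", ".exe")   # extensions the article associates with collection
RDP_BRUTE_THRESHOLD = 20                    # assumption; tune to your own baseline

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def hunt_conn(records):
    """T1133 inbound RDP, T1110 RDP brute force, T1071 ICMP callouts, T1048 outbound FTP."""
    findings, rdp_per_src = [], Counter()
    for r in records:
        src, dst, dport = r["src"], r["dst"], r.get("dport")
        if dport == 3389 and not is_internal(src) and is_internal(dst):
            rdp_per_src[src] += 1
        if r["proto"] == "icmp" and is_internal(src) and not is_internal(dst):
            findings.append(("T1071", f"ICMP callout {src} -> {dst}"))
        if dport == 21 and is_internal(src) and not is_internal(dst):
            findings.append(("T1048", f"outbound FTP {src} -> {dst}"))
    for src, n in rdp_per_src.items():       # one finding per external RDP source, not per connection
        findings.append(("T1133", f"{n} inbound RDP connection(s) from external {src}"))
        if n >= RDP_BRUTE_THRESHOLD:
            findings.append(("T1110", f"possible RDP brute force from {src}"))
    return findings

def hunt_http(records):
    """T1028 WinRM POSTs from non-admin devices, T1071 non-browser HTTP to the internet."""
    findings = []
    for r in records:
        ua = r.get("user_agent", "")
        if r["method"] == "POST" and ua.startswith(WINRM_UA) and r["src"] not in KNOWN_GOOD_MGMT:
            findings.append(("T1028", f"WinRM POST from {r['src']} to {r['dst']}"))
        elif not is_internal(r["dst"]) and not any(m in ua for m in BROWSER_UA_MARKERS):
            findings.append(("T1071", f"non-browser HTTP from {r['src']}: {ua or '<no user agent>'}"))
    return findings

def hunt_smb(records):
    """T1077 attack tools written to admin shares, T1081 password files copied over SMB."""
    findings = []
    for r in records:
        name = r["filename"].lower()
        if r["action"] == "write" and name.endswith(TOOL_EXTENSIONS):
            findings.append(("T1077", f"{r['src']} wrote {r['filename']} to {r['dst']}{r['share']}"))
        if "passw" in name:
            findings.append(("T1081", f"{r['src']} copied {r['filename']} via {r['dst']}{r['share']}"))
    return findings

# Constructed sample records, trimmed to the fields the hunts use.
CONN_LOG = [{"src": "203.0.113.7", "dst": "10.0.1.20", "proto": "tcp", "dport": 3389}] * 25 + [
    {"src": "10.0.1.20", "dst": "198.51.100.9", "proto": "icmp"},
    {"src": "10.0.1.20", "dst": "198.51.100.9", "proto": "tcp", "dport": 21},
]
HTTP_LOG = [
    {"src": "10.0.1.20", "dst": "10.0.1.30", "method": "POST", "user_agent": "Microsoft WinRM Client"},
    {"src": "10.0.0.5", "dst": "10.0.1.30", "method": "POST", "user_agent": "Microsoft WinRM Client"},
    {"src": "10.0.1.21", "dst": "198.51.100.9", "method": "GET", "user_agent": "python-requests/2.25"},
    {"src": "10.0.1.22", "dst": "198.51.100.10", "method": "GET", "user_agent": "Mozilla/5.0 Chrome/84"},
]
SMB_LOG = [
    {"src": "10.0.1.20", "dst": "10.0.1.30", "share": "\\C$", "filename": "collect.bat", "action": "write"},
    {"src": "10.0.1.20", "dst": "10.0.1.31", "share": "\\IT$", "filename": "Passwords.kdbx", "action": "read"},
]

def hunt_all():
    """Run every hunt over the sample records and return (technique, detail) findings."""
    return hunt_conn(CONN_LOG) + hunt_http(HTTP_LOG) + hunt_smb(SMB_LOG)
```

Calling hunt_all() on the sample data yields eight findings; the WinRM POST from the jump host and the browser request are the two records the hunts correctly leave alone.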

How do I select a network detection and response solution for my business?

Network detection and response (NDR) solutions enable organizations to improve their threat response; they help protect against a variety of threats and provide visibility into what is actually on the network.

To select an appropriate network detection and response solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Mike Hamilton, CISO, CI Security

Network detection and response uses a spectrum of technology and humans, and the right mix for your organization is highly individual. Here are 3 different mixes to consider:

Managed – Managed detection and response combines technology to collect information from your network, detection analytics to identify aberrational activity, and analysts to investigate, confirm, and conduct response operations along pre-defined playbooks – as a service.

Operated – In the middle, you’ll own the technology, the people to operate the technology, and the processes for response, recovery, and recordkeeping. This is how many organizations have evolved but are discovering that this is harder to sustain.

Automated – At the technology end of the spectrum is automation: SOAR and other methodologies leverage your preventive and detective controls and integrate them to take an action decided by technology.

To decide whether you will be best served by Managed, Operated, or Automated, ask:

  • How fast/easy is deployment?
  • Does the solution ingest and analyze all your data sources?
  • For Operated – What are the resource costs, including how using resources for security may affect current projects as opportunity cost?
  • For Managed – How does the provider source and retain threat hunters and Analysts?
  • For Automated – What is the worst-case scenario for a false positive?

Rahul Kashyap, CEO, Awake Security

NDR solutions can protect against non-malware threats, including insider attacks, credential abuse, lateral movement, and data exfiltration. They give organizations greater visibility into what is actually on the network as well as the activity occurring. But not all NDR solutions are equal. To maximize value, it’s recommended buyers consider three key parameters:

  • Data: Look for solutions that parse the whole packet rather than just NetFlow or IDS alerts. This provides far more depth of visibility, allowing the solution to identify more relevant threats.
  • Machine Learning and AI: Avoid solutions that rely primarily on unsupervised machine learning and act as black boxes. These types of offerings generate significant operational overhead via false positives and negatives, and provide no explanation to the analyst on why something was flagged as an issue.
  • Use cases: Reduce tool sprawl by replacing existing solutions for network forensics, threat hunting etc. This helps consolidate and modernize your security operations, making the team more efficient.

Like any other security solution, simply acquiring a new NDR tool does not improve security. In my experience, it is critical for buyers to think through operational impacts when deciding on a technology stack.

Igor Mezic, CTO, MixMode

There are some key questions on the underlying methodologies that should be asked when selecting an NDR solution:

Is the AI NDR system partially or entirely dependent on rules? If so, what is the overhead related to tuning and maintaining the rule set? Attack vectors are changing rapidly in a modern security environment, outpacing rule development efforts by a large margin. Rule-based information can be useful as a context, but not as a primary source of information. The core of the machine learning system should be adaptable to new network conditions and thus independent of static rules.

What is the false positive rate for the detections? What is the false negative rate? The response part of NDR is highly dependent on quality of detection. Shutting down a subnet over a false positive can disrupt normal network operation. False positives and negatives abound in rule-based systems and systems that use supervised learning methodology based on labeling. Unsupervised systems based on clustering and Bayesian methods also typically feature high rates of false positives.

What happens when we add a new subnet or a router to the network? Does the NDR system have to re-learn everything again? Learning in off-the-shelf machine learning systems can take 6-24 months. If that cycle repeats every time a new element is added to the network, the methodology is of limited use. The AI system must adapt seamlessly to new conditions on the network, with no additional extensive learning period.

How easy is it to spoof the detection system? It is well known that non-generative machine learning methodologies can be easily spoofed by injection of corrupted data, rendering the system incapable of recognizing a specific attack.

Steve Miller, Principal Applied Security Researcher, FireEye

An NDR solution must enable action in a variety of forms.

Detection events must be distinguished into varying buckets of things to care about. The goal of event priority or criticality is to ensure that important, qualified network detection events are at the top of the to-do list. Your security team can take detection events at the top and respond with more care and urgency with respect to the affected assets.

There must be historical recording for network activity. This may be full packet capture stored for a time period, or merely packet capture in a “time wrinkle,” 5 minutes before and after each network detection event. Solutions should include abstracted network logging, such as Netflow and HTTP event logging. The more logging, the easier an investigation becomes.

Solutions must enable alert-to-action automations. When examining alerts, analysts make routine movements to gather information that aids in validation and response options. Solutions must enable automated data collection associated with alerts in preparation for analyst review, thus reducing manual actions.

Functionally, this means solutions must easily integrate and gather contextual data from other technologies such as: DHCP leases; passive DNS resolutions; threat actor or malware associations; and network/asset “handling” systems that may inoculate or reduce the impact of a malicious event through quarantining, blocking, or manipulation of packets. Automatic provision of contextual data and “handling” options is foundational to taking action, which is often the most laborious part of the human workflow.

Jyothish Varma, Director of Product Management, Nuspire

As organizations look to invest in an MDR, they should consider investing in a solution that has the capability to detect attacks geared to bypass existing security controls. For those solutions with static detection mechanisms, if the exploits used by a hacker don’t trigger a pre-existing rule, no one will know an attack is happening.

For this reason, companies must rely on a solution that augments existing security controls with advanced threat detection and response solutions and dedicated security analysts who are trained to proactively uncover evidence of threats.

Organizations should also consider a solution that detects attacks in real time with experts working around the clock to investigate and respond to alerts technology might have missed. A service that can provide a 24/7/365 security operations center staffed with security analysts ensures you will have full access to experts that can detect attacks as they happen and coordinate incident response plans as necessary. By working with providers that have 24/7 security operations centers, existing security teams will be much more productive and reduce time wasted responding to false positives.

The right MDR solution will not only help you remain secure from cyber threats, but will include these key features and outcomes that will benefit your organization.

Cybersecurity during the pandemic: Try these security solutions for free!

In order to help global organizations of all sizes address cybersecurity during the COVID-19 pandemic, a number of vendors provide free (time-limited) access to their solutions.

All of the offers below are available immediately, and they cover a number of areas. Vendors are listed alphabetically, and all require registration.

Armorblox – Free email protection

Armorblox made its fully-featured email security platform free for businesses that have between 100 and 2,000 employees until April 30th and will reassess the situation for potential extensions beyond that.

Awake Security – Free platform access

Awake Security announced 60 days of free access to the Awake Security Platform for hospitals and other healthcare facilities that are on the frontlines of responding to the COVID-19 pandemic.

Bugcrowd – Free access to Vulnerability Disclosure Program and Attack Surface Analysis

If you represent an emergency service, healthcare, or other care provider helping to manage the unprecedented COVID-19 situation, Bugcrowd is offering you free access to its Vulnerability Disclosure Program and Attack Surface Analysis for the next 90 days.

BullGuard – Free Small Office Security license

BullGuard is offering a free 3-month Small Office Security license for up to 50 devices for businesses that need assistance in managing cybersecurity in the wake of mass movement to home-working.

Dynatrace – Free access to Software Intelligence Platform

Dynatrace is providing new users with extended, free trial access to the Dynatrace Software Intelligence Platform, through May 19, 2020. In addition, new users will receive free access to the Dynatrace Real User Monitoring (RUM) for SaaS vendor experience, through September 19, 2020.

ERMProtect – Free security awareness training

ERMProtect is providing free access to its Security Awareness Training for 3 months. Organizations can access two animated training modules that teach employees to spot phishing attacks and work safely online from home – a particularly relevant module as employees shift to working remotely.

Foresite – Free emergency cybersecurity services

Foresite, a managed security and cyber-consulting services provider, are offering free cybersecurity services for small to medium enterprises: free external vulnerability scan, free phishing awareness campaign for up to 250 users, free firewall monitoring and management for 30 days, and more.

GreatHorn – Free email protection

GreatHorn will provide 60 days of free, unrestricted access to the GreatHorn Email Security platform to give business leaders and employees peace of mind as they navigate changes to work and business operations during the pandemic.

Qualys – Free remote endpoint protection

Qualys is offering instant security assessments, visibility and remote computer patching for corporate and personal computers – free for 60 days. The solution allows security teams to gain continuous visibility of remote computers, see missing patches for critical vulnerabilities and deploy them from the cloud.

SentinelOne – Free platform access

SentinelOne Core is available free of charge through Friday, May 16, 2020, enabling enterprises to secure remote work. SentinelOne’s cloud-based platform scales, making it well suited to protect both businesses and employees transitioning to a work-from-home environment, whether they are using corporate or personal devices.

Signavio – Trial for collaborative crisis resilience and people management

Signavio announced that the Signavio Business Transformation Suite is available for free for 90 days to help affected businesses to rapidly roll out emergency plans and organize operations.

StorONE – Free enterprise storage platform

StorONE is providing its S1 Enterprise Storage Platform at no cost to any organization impacted by COVID-19 until June 30, with healthcare and scientific research facilities at the center of the pandemic response granted free use through October.

Sucuri – Medical service providers can get a year of Sucuri WAF for free

Sucuri is offering a year of their Web Application Firewall (WAF) service to medical service providers. Sucuri’s WAF is frequently updated with the latest and emerging threat definitions to block DDoS and other attacks by bad actors.

SyncDog – Free trial of Secure.Systems

SyncDog announced free access to their Trusted Mobile Workspace application. Secure.Systems delivers a suite of mobile productivity applications that encrypt corporate data and can be integrated into any existing mobile device on any carrier.

Votiro – Free Disarmer for Email

Votiro’s advanced email attachment sanitization solution – Disarmer for Email – is free through the end of the year to help reduce organizations’ security risk. Rest assured knowing your workforce’s email attachments are safe from any known and unknown threats.

Awake Security and Google Cloud enable businesses to enhance their cloud security

Awake Security, the only advanced network traffic analysis company that delivers answers, not alerts, has unveiled a technology partnership with the Google Cloud Platform (GCP).

Awake can now protect organizations’ hybrid and Google Cloud deployments with its AI-based platform that detects and responds to threats such as lateral movement, especially as adversaries now attempt to traverse from on-premise to the cloud and vice versa.

Awake on Google Cloud enables businesses to enhance their cloud security, identify compromised instances, ensure regulatory compliance through security monitoring and prevent service delays and application unavailability.

“With the growing popularity of hybrid cloud, networks have grown incredibly complex. Monitoring activity on the network is the best way to ensure both security and performance, but doing so for the new network, across cloud and IoT, has proven challenging,” said Rahul Kashyap, CEO of Awake Security.

“By allowing for the collection and inspection of network traffic at scale, Google Cloud’s Packet Mirroring service is opening new doors that will enable businesses to hunt down and prioritize threats with visibility and speed that weren’t possible before.”

As one of a select set of partners leveraging Google Cloud’s new Packet Mirroring service, the Awake Security Platform seamlessly monitors traffic to, from and within the cloud, automatically profiling, classifying and assessing the risk to every workload.

Harnessing the power of AI to detect malicious intent across hybrid-cloud as well as IoT and OT networks, Awake prioritizes and enables rapid response to threats in the cloud and on-premise from a single, integrated console.

Moreover, as more than 86% of customers have a multicloud strategy according to Forrester, Awake delivers these key capabilities to customers not just on GCP but also on Amazon Web Services and Microsoft Azure.

Across all of these, the Awake Security Platform also enables full packet forensics, supporting audits, investigations and compliance with regulations like PCI-DSS.

“Traffic visibility is critical to prevent security breaches and attacks as networks grow in complexity,” said Mahesh Narayanan, product manager at Google Cloud.

“With Packet Mirroring, our customers now have a way to proactively detect network intrusions, analyze, and diagnose application performance issues for both Compute Engine and Google Kubernetes Engine, across all regions and machine types.”