Ransomware: detection measures

Posted on 10/14/2021, by INCIBE
Having analysed the main prevention measures in the articles Prevention Measures (I) and (II), this post explains measures aimed at detecting a ransomware infection where it could not be prevented.

Rapid detection of an infection by this type of malware is crucial. However, it is a task that antivirus and other security software frequently find difficult, so the indicators below are worth knowing.

Evidence and measures for detection at individual level

Below are the potential indicators, and the measures to check them, that allow us to detect whether a specific terminal has been infected with ransomware.

Appearance of some kind of ransom note

The main objective of cyber criminals executing a ransomware attack is to receive money, which is why they leave a ransom note designed to attract attention: typically a text document dropped next to the encrypted files or on the desktop, or a message set as the desktop background, with instructions for making the payment.

Illustration 1. EKANS ransom note

Illustration 2. WannaCry ransom note. Source: AZ

Slowed performance of the terminal

The mass encryption that follows a ransomware infection is CPU- and I/O-intensive, so the terminal's consumption of processor, memory and disk rises noticeably and it becomes slow to respond.

High unusual activity on hard drive

Further evidence, due to the encryption of the terminal's files, is very high disk usage, reaching 100% on mechanical hard drives, since every file the malware intends to make inaccessible must be read and rewritten.

A user can check disk usage in the operating system's task manager (Task Manager on Windows); for continuous monitoring of disk activity there are other tools, such as Nagios.

Unexpected network errors

Another objective of most malware, including ransomware, is to spread: the more terminals infected, the more potential payers.

The simplest and most common way to spread is through network drives that are mapped automatically on the terminal, or by exploiting protocol weaknesses, as has been seen with RDP and SMB.

To detect these events at local level there are tools such as Network Monitor, which help identify the volume and origin of traffic entering and leaving a terminal. To detect them at network level, a perimeter firewall can provide the same information.

Security alerts from the operating system or antivirus solutions

Depending on the platform and software used, an antivirus can sometimes detect a ransomware infection. When such an alert appears, acting as soon as possible is crucial to preserving the integrity of the terminal, since every minute of delay means more encrypted files.

Unexpected scheduled tasks

Sometimes, after infecting a terminal, this type of malware remains dormant, with the aim not only of spreading but of establishing persistence.

The main objective of this behaviour is to affect as many devices as possible simultaneously, causing greater impact, spreading panic among users and obstructing the response.

These tasks can involve actions such as file encryption and communication with Command and Control (C&C) servers, executed under certain conditions: when the system starts or shuts down, when a user logs on, at a specific time of day, or when the terminal is idle.

The terminal's Task Scheduler allows existing scheduled tasks to be listed, edited and deleted, so any task that nobody in the organization created or recognises deserves scrutiny.
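As an added example (not part of the original INCIBE article), the following Python script reviews scheduled tasks exported as XML, the format produced by `schtasks /query /xml` and by PowerShell's `Export-ScheduledTask`. It flags the combinations described above: a script host launched from a user-writable path, an encoded or hidden PowerShell command, and triggers that fire at logon, boot or idle time. The two task definitions inside it are constructed samples, and the pattern lists are assumptions to adapt, not a complete catalogue.

```python
"""Added example, not from the INCIBE article: parse exported Task Scheduler XML and
flag a script host or LOLBin launched from a user-writable path, an encoded or hidden
PowerShell command, and the triggers (boot, logon, idle, time) the task fires on."""
import os
import re
import xml.etree.ElementTree as ET

# Assumed pattern lists; extend them for your environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|%APPDATA%|%TEMP%)", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def _local(tag):
    """Strip the Task Scheduler XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def analyse_task_xml(xml_text):
    root = ET.fromstring(xml_text)
    triggers, actions, findings = [], [], []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Triggers":
            triggers = [_local(t.tag) for t in el]
        elif name == "Exec":
            fields = {_local(c.tag): (c.text or "") for c in el}
            actions.append((fields.get("Command", ""), fields.get("Arguments", ""),
                            fields.get("WorkingDirectory", "")))
    for command, args, workdir in actions:
        exe = os.path.basename(command.replace("\\", "/")).lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"task runs a script host / LOLBin: {exe}")
        if USER_WRITABLE.search(" ".join((command, args, workdir))):
            findings.append("command, argument or working directory in a user-writable path")
        if ENCODED_PS.search(args):
            findings.append("encoded PowerShell command")
        if HIDDEN_WINDOW.search(args):
            findings.append("hidden window requested")
    if findings:  # triggers alone are not suspicious: legitimate tasks use the same ones
        findings.append("fires on: " + ", ".join(triggers))
    return {"triggers": triggers, "actions": actions, "findings": findings,
            "suspicious": bool(findings)}


# Constructed sample: persistence via logon/idle triggers, hidden encoded PowerShell.
# The base64 fragment is a placeholder (UTF-16LE "IEX (New-Object"), not a real payload.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>jdoe</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <IdleTrigger><Enabled>true</Enabled></IdleTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
      <WorkingDirectory>C:\Users\jdoe\AppData\Roaming\Updater</WorkingDirectory>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary nightly job (hypothetical product path).
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2021-10-14T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Acme Backup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, analyse_task_xml(xml))
```

The findings are a scoring aid, not a verdict: administrators also schedule PowerShell, so a hit should lead to hashing and examining the referenced binary or script rather than to deletion on sight.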

Results of forensic analysis

Forensic analysis techniques allow malware to be detected in phases where it is imperceptible to an ordinary user. The analysis starts with a triage of the computer: a rapid pass that looks for changes to files resulting from encryption.

The triage is conducted to establish the scope of the damage and to allow better action when tackling the problem, setting response priorities. Once the computer is under control and the problem has been identified, a deeper investigation is conducted on the evidence collected beforehand, developing the full forensic analysis of the terminal.

An example of this analysis is reviewing the MFT (Master File Table) of NTFS file systems. The MFT holds a record for every file and directory, including its creation, modification and access timestamps, so a mass-encryption event shows up as a large number of records whose modification times cluster within a few minutes, often with a new extension or file name. The NTFS change journal ($UsnJrnl) complements it by logging each individual change to a file.
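The following Python script is an added example, not part of the original article: a quick triage pass over a directory tree that looks for the individual-level evidence described above (a ransom note, files rewritten with random-looking content, and a burst of modification timestamps, which is what the MFT records would show). It reads timestamps through os.stat(), so it works on any file system; a real forensic pass would parse $MFT and $UsnJrnl with dedicated tools. The note-name pattern, the entropy threshold and the sample files it builds are assumptions.

```python
"""Added example, not part of the INCIBE article: file-system triage for ransom notes,
high-entropy (encrypted-looking) files and a burst of modification timestamps."""
import math
import os
import re
import tempfile
import time
from collections import Counter

# Hypothetical note-name pattern; each ransomware family uses its own names.
RANSOM_NOTE_RE = re.compile(r"(readme|how.?to|decrypt|restore|recover).*\.(txt|html|hta)$", re.I)
# Legitimately compressed or encrypted formats also look random; skip them to limit false positives.
SKIP_EXT = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".gz", ".7z", ".rar", ".pdf",
            ".mp4", ".mp3", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8); encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root, entropy_threshold=7.5, window_s=600, sample_bytes=4096):
    notes, high_entropy, mtimes = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtimes.append(os.stat(path).st_mtime)
            if RANSOM_NOTE_RE.search(name):
                notes.append(path)
                continue
            if os.path.splitext(name)[1].lower() in SKIP_EXT:
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # the first block is enough to judge randomness
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                high_entropy.append(path)
    # Largest number of files modified inside any window_s span: mass encryption rewrites
    # hundreds of files in minutes, ordinary use does not.
    mtimes.sort()
    burst, j = 0, 0
    for i, t in enumerate(mtimes):
        while mtimes[j] < t - window_s:
            j += 1
        burst = max(burst, i - j + 1)
    return {"ransom_notes": sorted(notes), "high_entropy_files": sorted(high_entropy),
            "max_files_modified_in_window": burst}


def build_sample_tree():
    """Constructed sample: three old text files, five freshly 'encrypted' files and a note."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    three_days_ago = time.time() - 3 * 86400
    for i in range(3):
        p = os.path.join(root, f"notes_{i}.txt")
        with open(p, "w") as fh:
            fh.write("quarterly report, nothing unusual here\n" * 40)
        os.utime(p, (three_days_ago, three_days_ago))
    for i in range(5):  # random bytes stand in for ciphertext
        with open(os.path.join(root, f"report_{i}.xlsx.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("Your files have been encrypted. (constructed sample text)\n")
    return root


if __name__ == "__main__":
    print(triage_directory(build_sample_tree()))
```

Entropy alone is not proof: archives, images and already-encrypted documents score high too, which is why the script skips those extensions and pairs the result with the timestamp burst and the presence of a note.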

Evidence and measures for detection at collective level

If what is required is the detection of ransomware across a network or an organization, the following measures are recommended:

Compile and analyse the logs of possible points of access

Beyond the generic points of access, any other point through which malware could enter the organization should be reviewed. For the generic points it is useful to review the perimeter firewall and email logs, although everything depends on the malware and on the state of the infrastructure.

  • On perimeter security devices, the actions are the following:
    • Search for connections to control servers, for which an IP address and domain categorization service can help.
    • Search for malicious or unusual traffic to services exposed to the outside, such as remote desktops (RDP) or file servers (SMB shares, for example on Samba).
  • In the scope of email, the search comes down to analysing malicious elements: an attached file, usually inside a password-protected compressed archive (.zip or .rar); a link; or an Office macro.

Password protection prevents the attachment from being inspected by the built-in antivirus of email providers such as Gmail or Outlook, since the scanner cannot open the archive. Inside these compressed files the malware takes many forms, most commonly a Visual Basic Script or a Word document carrying a macro.
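As an added example (not from the original article), the following Python function triages a zip attachment of the kind just described: it reports whether the entries are password-protected (the general-purpose flag bit the zip format uses, which is also why a scanner cannot open them) and whether the archive carries a script, a macro-capable Office document or a double extension. The sample attachments are constructed in memory; since the standard library cannot write encrypted zips, the malicious sample is only flagged as encrypted, its data stays in the clear. RAR archives would need a separate parser. The extension lists are assumptions.

```python
"""Added example, not from the INCIBE article: triage a zip attachment for the
password-protected-archive-with-script pattern used to bypass mail scanners."""
import io
import os
import zipfile

# Assumed extension lists; adapt to the file types your organization expects by mail.
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
              ".scr", ".exe", ".dll", ".lnk", ".iso"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".doc", ".xls", ".ppt"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def triage_zip_attachment(blob: bytes) -> dict:
    findings, names = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"is_zip": False, "password_protected": False, "entries": [],
                "findings": ["not a zip archive"]}
    password_protected = False
    for info in zf.infolist():
        names.append(info.filename)
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
            password_protected = True
        base = os.path.basename(info.filename).lower()
        stem, ext = os.path.splitext(base)
        if ext in SCRIPT_EXT:
            findings.append(f"script or executable inside archive: {info.filename}")
        if ext in MACRO_EXT:
            findings.append(f"macro-capable Office document inside archive: {info.filename}")
        if os.path.splitext(stem)[1] in DECOY_EXT:
            findings.append(f"double extension hides the real type: {info.filename}")
    if password_protected:
        findings.insert(0, "password-protected archive: gateway antivirus cannot inspect the contents")
    return {"is_zip": True, "password_protected": password_protected,
            "entries": names, "findings": findings}


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set bit 0 of the general-purpose flags in every local (offset 6) and central
    directory (offset 8) header. Constructed sample only: the data is not really
    encrypted, it is merely flagged the way a password-protected archive is."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x01
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_sample_attachment(malicious: bool) -> bytes:
    """Constructed attachments: a flagged-encrypted zip holding a VBScript dressed up as
    a PDF, or a plain zip holding a text report."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        if malicious:
            zf.writestr("Invoice_2021_10.pdf.vbs", "' constructed placeholder, not a real dropper\n")
        else:
            zf.writestr("report.txt", "quarterly figures\n")
    return _mark_encrypted(out.getvalue()) if malicious else out.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_zip_attachment(build_sample_attachment(flag)))
```

Because the entry names and flags live in the unencrypted central directory, a gateway can apply this check without the password and quarantine any protected archive whose listing contains a script, whatever the message body claims the file is.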

Analyse network traffic to the outside

Look for communications, or attempted communications, with C&C servers, and for repeated checks against a kill-switch domain (the behaviour WannaCry showed). These are evidence that an asset has been infected with malware: unusual traffic, possibly directed to a destination catalogued as malicious.

Whether an IP address is malicious can be established in different ways. The most effective is to use a cyberthreat information exchange service such as INCIBE's ICARO.

If no such service is available, an IP and domain categorization service such as Cisco's Talos Intelligence can be used.

Analyse internal network traffic

The main internal traffic indicators that can reveal ransomware trying to spread from the infected terminal across the network are the following:

  • Unusual traffic to file servers.
  • Unusual RDP traffic.
  • Unusual traffic on port 445 (SMB file sharing).

To analyse this network traffic we can use tools such as Wireshark, or perimeter security devices that can record and search network connections, such as a firewall.
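The following Python script is an added example, not part of the original article, covering both the external and the internal traffic analysis described above. Over a constructed connection log it checks destinations against a small IOC list (a stand-in for a feed such as ICARO or a Talos categorization lookup), detects periodic beaconing to an external host, and flags an internal host fanning out to many peers on SMB (445) or RDP (3389). The log format, the network ranges and the thresholds are assumptions to adapt to the firewall actually in use.

```python
"""Added example, not from the INCIBE article: three checks over a firewall connection
log -- destinations on a threat-intelligence list, periodic beaconing to an external
host, and one internal host fanning out to many peers on SMB (445) or RDP (3389)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Generic key=value export (constructed format, not a specific vendor's); adapt LINE_RE to yours.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Stand-in for an IOC feed (ICARO, Talos lookup); 203.0.113.0/24 is a documentation range.
KNOWN_BAD = {"203.0.113.45"}
LATERAL_PORTS = {445, 3389}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines in another format are skipped rather than aborting the pass
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def ioc_matches(events):
    """(src, dst) pairs whose destination is on the threat-intelligence list."""
    return sorted({(e["src"], e["dst"]) for e in events if e["dst"] in KNOWN_BAD})


def beacons(events, min_conns=4, max_cv=0.1):
    """(src, external dst) pairs contacted at near-constant intervals: C&C check-ins
    and kill-switch polling look like this, human browsing does not."""
    by_pair = defaultdict(list)
    for e in events:
        if not is_internal(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:  # low jitter = periodic
            found.append({"src": src, "dst": dst, "period_s": round(mean), "count": len(times)})
    return found


def lateral_fanout(events, min_peers=5):
    """Internal hosts reaching many distinct internal peers on SMB/RDP: a spreading worm
    or an operator sweeping the network, not a user opening one file share."""
    peers = defaultdict(set)
    for e in events:
        if e["dport"] in LATERAL_PORTS and is_internal(e["src"]) and is_internal(e["dst"]):
            peers[e["src"]].add(e["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def analyse_connection_log(lines):
    events = parse_log(lines)
    return {"ioc_matches": ioc_matches(events), "beacons": beacons(events),
            "lateral_fanout": lateral_fanout(events)}


def build_sample_log():
    """Constructed traffic: one infected host beaconing every 60 s and sweeping SMB,
    one host browsing normally, one host using the file server as usual."""
    t0 = datetime(2021, 10, 14, 9, 0, 0)

    def line(sec, src, dst, port):
        ts = (t0 + timedelta(seconds=sec)).isoformat()
        return f"{ts} src={src} dst={dst} dport={port} proto=tcp action=allow"

    lines = [line(60 * i, "10.0.1.25", "203.0.113.45", 443) for i in range(8)]
    lines += [line(5 + i, "10.0.1.25", f"10.0.1.{30 + i}", 445) for i in range(11)]
    lines += [line(s, "10.0.1.40", "198.51.100.10", 443) for s in (3, 41, 290)]
    lines += [line(s, "10.0.1.50", "10.0.1.5", 445) for s in (12, 500)]
    return lines


if __name__ == "__main__":
    print(analyse_connection_log(build_sample_log()))
```

Internal ranges are listed explicitly rather than derived from ipaddress.is_private(), because an organization knows its own address plan and because the documentation ranges used in the sample would otherwise be classified as private.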

Exhaustively investigate suspicious terminals

If, using the measures described above, a specific terminal is suspected of being infected, it should be examined in more detail. A SIEM (Security Information and Event Management) tool is useful here, as it collects logs from multiple sources and consolidates them at a single point of query.


Early detection and decision making are important for protection against ransomware threats. This is true both at the level of individual terminals, where encryption can be detected and the spread of malicious code within the network limited, and at the global level, so that the malware is prevented from reaching assets of greater importance for the country, such as shared data servers where sensitive information is usually stored.