How to detect ransomware


See the best ways to detect ransomware and protect your data.

Detecting ransomware is like looking for the proverbial needle in a haystack. And a well-disguised needle at that.

Once upon a time, spotting a fake email was easier. Amateur hackers would create crude messages littered with typos and broadcast them to millions of email addresses, hoping for just a few to get through.

Today’s cybercriminals are much smarter and better organized, and they go to great lengths to make their phishing emails seem authentic. The attacks are more sophisticated, the targets are more specific, and the potential for damage is much greater.

This type of exploitation has become so successful that criminals are even profiting off each other, selling the building blocks for ransomware (military-grade encryption algorithms, phishing tools, and advanced social engineering trickery) and offering ransomware as a service (RaaS) to other would-be hackers.

The premise remains the same: gain control of a company’s network and/or encrypt its data, then demand a ransom payment. Only now it can be extremely difficult to distinguish between legitimate and counterfeit communications.

Simply clicking on an innocent-looking banner ad can activate an automatic download of malware with dire consequences for an entire organization.

This article offers a list of best practices to detect if ransomware has infected a given device, and the steps to take after it is found.

Warning signs of a ransomware attack

Some cyberthreats operate in the background, lying dormant for months until the hacker is ready to spring the trap.

Ransomware, on the other hand, usually makes its presence known as soon as it infects a computer. Some common indicators of a ransomware attack in progress are:

  • A mysterious domino effect of system slowdowns or crashes while the malware is worming its way through the network encrypting files.

  • Specific files and applications can no longer be launched.

  • Network drives are displaying a growing list of files and folders that have been renamed or have bizarre extensions such as .encrypted, .xzy, .zzz, .vbs, .cryptolocker, etc.

When the ransomware has finished encrypting files – and sometimes during – a pop-up message appears on the infected device(s) demanding payment, often in cryptocurrency, to release the data. At this point, there is little you can do unless you have data backups or security software in place.

Detecting a ransomware attack

An organization’s first line of defense against ransomware should be employee education, as innocent mistakes by inattentive users are the leading causes of ransomware infections. After employee education, deploying technology solutions is an essential step.

Here are a few ways to boost your chances of detecting ransomware.

Teach digital communications hygiene

Educate users on the risks of ransomware and signs of counterfeit messages:

  • Train employees to look for misspellings or the tiniest of odd details in an email address, such as a lowercase letter where a capital should be, or an unknown URL domain.

  • Do not initiate downloads of apps or email attachments unless the source is verified and trusted.

  • Do not give out passwords or personal information to unknown callers, who may use that knowledge to craft a phishing message that seems authentic.

  • Beware of zip files. It is easy to hide malicious code inside a folder that will be installed when the file is unzipped.

Look out for new file extensions

Beyond the known ransomware file extensions, be on the lookout for new, weird ones. Criminals are constantly inventing new threats to stay one step ahead of anti-virus software. Enable the “show file extensions” option on your PC to display entire file names.

Rule of thumb: If you haven’t seen it before, don’t click on it.

Beware of volume file renaming activity

It is not necessarily a red flag for users to rename the occasional file. If this activity occurs several times per second over a sustained period, chances are it is an automated attack and not the work of an employee renaming files manually.
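As an added illustration (not part of the original article), the sketch below applies this rule of thumb to a stream of rename events and reports the extension most of the renamed files ended up with. The event tuple layout, the user and host names, and the thresholds of 3 renames per second averaged over a 10-second window are assumptions chosen for the example; the sample events are constructed.

```python
import os
from collections import Counter, defaultdict, deque

RATE_PER_SEC = 3   # assumed reading of "several times per second"
WINDOW_SEC = 10    # assumed length of a "sustained period"

def find_rename_bursts(events, rate=RATE_PER_SEC, window=WINDOW_SEC):
    """Return one alert per actor per burst of renames.

    events: time-ordered (timestamp_sec, actor, old_name, new_name) tuples,
    for example parsed from file-server audit logs (layout is an assumption).
    """
    recent = defaultdict(deque)   # actor -> (timestamp, new extension) in window
    in_burst = set()              # actors whose current burst was already reported
    alerts = []
    for ts, actor, _old, new in events:
        q = recent[actor]
        q.append((ts, os.path.splitext(new)[1].lower()))
        while q and q[0][0] <= ts - window:   # drop renames older than the window
            q.popleft()
        if len(q) >= rate * window:           # average rate over the window too high
            if actor not in in_burst:
                in_burst.add(actor)
                top_ext = Counter(ext for _, ext in q).most_common(1)[0][0]
                alerts.append({"actor": actor, "start": q[0][0],
                               "renames": len(q), "top_ext": top_ext})
        else:
            in_burst.discard(actor)           # burst over; a later one alerts again
    return alerts

def sample_events():
    """Constructed data: a user renaming by hand and a host renaming in bulk."""
    manual = [(t, "alice", f"report{t}.docx", f"final{t}.docx") for t in (2, 31, 58)]
    bulk = [(20 + i / 5, "ws-042", f"doc{i}.xlsx", f"doc{i}.xlsx.zzz")
            for i in range(60)]
    return sorted(manual + bulk)

if __name__ == "__main__":
    for alert in find_rename_bursts(sample_events()):
        print(alert)
```

The three manual renames never come near the threshold, while the bulk renamer is reported once, with `.zzz` as the dominant new extension.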

The Honeypot Defense

Ransomware typically starts encrypting files on a local device first, and then starts looking for shared network drives, usually in alphabetical order.

Assuming your active shared drives start with the letter E for example, create a fake network shared drive beginning with the letter C or D, and populate it with lots of old random files. Should an attack reach the network drives it will start encrypting that useless data first. The increase in suspicious activity should trigger an alert to provide sufficient notice to disconnect active drives before they get infected.
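One way to raise the alert described above, as an added example that is not from the original article: record a hash of every file on the decoy share, then compare against that baseline on a schedule. The function names and decoy file names are hypothetical, and the demo scenario is constructed in a temporary directory standing in for the decoy drive.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(decoy_root):
    """Map each decoy file (relative path) to the SHA-256 of its contents."""
    root = Path(decoy_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):
    """List decoy files that vanished, appeared, or changed since the baseline."""
    return {
        "missing": sorted(baseline.keys() - current.keys()),
        "new": sorted(current.keys() - baseline.keys()),
        "modified": sorted(name for name in baseline.keys() & current.keys()
                           if baseline[name] != current[name]),
    }

def decoy_tripped(changes):
    """Nobody works on the decoy share, so any change at all is an alert."""
    return any(changes.values())

def demo():
    """Constructed scenario in a temp directory standing in for the decoy share."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "archive").mkdir()
        (root / "archive" / "budget_2014.txt").write_text("old budget figures")
        (root / "minutes_2015.txt").write_text("old meeting minutes")
        baseline = snapshot(root)
        # Simulate the symptoms the article lists: content altered, file renamed.
        (root / "archive" / "budget_2014.txt").write_bytes(b"\x8f\x02\xc4 altered")
        (root / "minutes_2015.txt").rename(root / "minutes_2015.txt.encrypted")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    changes = demo()
    print("ALERT" if decoy_tripped(changes) else "ok", changes)
```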

Use anti-ransomware agents

These are software applications that specialize in monitoring for attempts to encrypt data. One example would be Bullwall Ransomware Containment. They work in the background, looking for activity or strings of code that match known ransomware markers, and then isolate the device or resource once malware is detected.

Be aware of Exploit Kits

Exploit Kits are a form of RaaS. They are automated threats that divert unsuspecting web surfers to a compromised URL, where the kit delivers its payload: malware that infects the host computer and locks out the user.

Exploit Kits allow even unskilled hackers to be successful, as they are simply leasing the services of a proven attacker to execute ransomware, unleash a Denial of Service (DoS) attack, or infect a system with a banking Trojan virus.

Businesses should ensure their intrusion detection system (IDS) and firewall can detect the presence of Exploit Kits to eliminate this threat.

Decrypting your data

If your business has been attacked and your files have been encrypted, don’t panic.

In some cases, you can safely remove ransomware from the infected device(s) using commercially available malware removal tools, or by wiping the device clean and resetting it to factory conditions. Then perform a malware scan on the asset to ensure it is free of infection before reloading data and applications.

You can also try to unlock your digital data without paying the attackers. While not every type of ransomware has a solution, this website provides almost 100 decryption tools free of charge to anyone who may have the misfortune of being a victim of ransomware.

Then take the necessary steps to ensure your business cannot be victimized again. Managed Security Services can act as an extension of your team in the protection of your data. Anti-ransomware services such as our Bullwall Ransomware Containment services also help to limit your vulnerability and risk of downtime, data loss, and financial damages by providing an additional layer of protection with instant detection, immediate response, and detailed reporting of ransomware attacks without impacting device or network performance.

Looking for more advice on how to be on the lookout for and protect against a ransomware attack? Contact us.
