The Early Signs Of A Blitz Ransomware Attack

If you are familiar with the topic of cybersecurity at all, you probably know the basic definition of a ransomware attack. To be brief, it is an attack that uses specialized malware to encrypt the victim’s hard drive. This is done so that the attacker can then demand a ransom for the restoration of access/data. By the time you get that ransom note, you are already in trouble.

There are things that you can do at this point, but it is far better to detect the attack before the encryption begins. This can be done by looking for certain early warning signs. There is a good bit of preparation that must be done before the “final strike” is made. Here are some of the big nasty warning signs that might be seen before a ransomware attack.

Test Attacks

This is perhaps the biggest and surest warning sign of them all. In many cases, ransomware hackers will do several “test hacks” before deploying the main tool. They are doing this in order to test your defenses and see what kind of response they can expect. Test attacks are generally directed at a single part of the network or system, and they will normally be a low-priority part.

If you see evidence of an access breach in which the attackers didn’t really do anything, it could be a test. It’s kind of like someone breaking into your home without taking anything: It tells you that they have a more nefarious motive than simple theft. Another potential way to find a test attack is by looking for the presence of known hacking tools on any connected device.

Presence Of Unauthorized Network Scanners

Before that cyber-attacker can do anything, they must first gather some intelligence. One of the most frequent tools for this purpose is a network scanner. These programs are sometimes used for legitimate purposes (like gathering general network information), but hackers use them for reconnaissance.

AngryIP, NTOSpider, and Advanced Port Scanner are three of the more common tools, but there are plenty of others out there. Unless you have someone using these tools for authorized purposes, it is a definite warning sign. Scanners used by hackers will tend to focus on finding known vulnerabilities in your software or hardware, making them particularly dangerous.

Lots Of Phishing Attempts

Phishing remains the most common way to start any cyber-attack, as it allows one to circumvent just about any technological access control measure. Phishing basically involves credential theft through trickery and/or impersonation. There are generally three steps to a phishing attack:

  1. Attacker sends a message claiming to be a legitimate entity
  2. Message exhorts target to click a link and enter credentials
  3. Since the page is fake, it will be embedded with a keylogger that captures the credentials

Here’s the thing: Most phishing attempts are glaringly obvious. These attacks rely on people being unaware of the danger that can come from clicking strange links. Thus, attackers will often make many tries against many potential targets. If you or your team has been getting a lot of these obvious phishing emails lately, it could be a sign that you have been targeted for something larger.

Lateral Phishing Attempts

If you ascertain that you are being targeted by many phishing attacks, you need to take a closer look at those. In particular, you need to look and see if any of those phishing emails/messages are coming from within your network or system. If so, you have already been compromised and a data lock-down is in order.

When you see something like this, you are seeing a hacker who has already gained access to some part of your network or system. Those lateral phishing attempts are an attempt to expand their access in preparation for the deployment of ransomware. There are many ways in which lateral attacks can use the programs and software that are already there, allowing them to disguise themselves more effectively.
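
One way to check whether a reported phishing message came from within your network, shown as an added example that is not part of the original article: read the Received headers stamped by your own mail server and test the handing-off address against your internal ranges. The server name `mail.corp.example`, the `10.0.0.0/8` range and both sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions for this example: your internal ranges and the mail servers you run.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_MTAS = {"mail.corp.example"}

# Client IP in [brackets] and the "by" host of one Received header.
RECEIVED_RE = re.compile(r"from\s.*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)", re.S)

# Constructed reported messages. EXTERNAL carries a forged lower hop naming 10.0.12.7.
INTERNAL = """\
Received: from ws-114.corp.example (ws-114.corp.example [10.0.12.114]) by mail.corp.example with ESMTP id 3; Thu, 2 May 2024 09:14:02 +0000
From: "J. Doe" <jdoe@corp.example>
Subject: Shared document

(body omitted)
"""
EXTERNAL = """\
Received: from relay.sender.example (relay.sender.example [203.0.113.50]) by mail.corp.example with ESMTP id 2; Thu, 2 May 2024 09:20:11 +0000
Received: from ws-007.corp.example ([10.0.12.7]) by relay.sender.example with ESMTP id 1; Thu, 2 May 2024 09:20:10 +0000
From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Password expiry

(body omitted)
"""


def ingress_ip(raw_message):
    """IP that handed the message to the first server we operate, or None."""
    ingress = None
    for header in message_from_string(raw_message).get_all("Received", []):
        match = RECEIVED_RE.search(header)  # headers are listed newest hop first
        if not match or match.group(2).lower().rstrip(";") not in TRUSTED_MTAS:
            break  # hops not stamped by our own servers are sender-controlled
        try:
            ingress = ipaddress.ip_address(match.group(1))
        except ValueError:
            break
    return ingress


def sent_from_inside(raw_message):
    """True when the message entered our mail system from an internal address."""
    ip = ingress_ip(raw_message)
    return ip is not None and any(ip in net for net in INTERNAL_NETS)
```

The second sample shows why only headers added by your own servers are trusted: its lower Received line names an internal workstation, but the hop your server actually recorded is external.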

Lots Of Failed Logins

You can look at the system logs and see how many failed login attempts have happened recently. Of course, people make typos all the time, so there will naturally be a few failed logins here and there. However, if you are seeing an abnormally large amount of them (particularly if they are all in a short time frame), that is another big red flag that should not be ignored.

Password cracking tools rely on numerous failed guesses to gradually unravel the targeted password. However, they are only effective against short and/or uncomplicated passwords. At the same time, a hacker only needs to find one person who is foolish enough to use common dictionary words or dates as a password.

Presence Of Mimikatz

This is a tool that has some legitimate uses but is commonly used by ransomware hackers. It is a password stealer, but it doesn’t work like the traditional “cracking” programs we discussed earlier. Mimikatz gets the system to dump its temporary memory cache, which is then stolen. That temporary protected memory can often contain passwords and other sensitive information. If you see this anywhere on your system, it probably means that someone is targeting you for some kind of cyber-attack.

Unauthorized Changes To Security Settings

If a hacker gains low-level access to a machine or network, they might be able to change certain settings in order to make their tasks easier. For instance, they will sometimes use remote desktop protocol (if it’s enabled) to remotely hijack other devices on the network. Thus, any unauthorized changes to your security-related settings should be investigated.


We should clarify that many of these signs can have other explanations. Don’t go freaking out if you have seen one or two of these signs, as that could indicate some other sort of problem. However, any of these signs can indicate a ransomware attack and should be investigated with that possibility in mind. If you would like to learn more about cybersecurity and its related topics, you can call PCH Technologies at (856) 754-7500.