Ransomware: How to Detect
Author: CERT.br
Version: 1.0 — October 5, 2025
English translation technical review: Merike Käo, DoubleShot Security
Summary
- Introduction
- 1. Enable and analyze logs
- 2. Monitor network traffic
- 3. Watch for alerts coming from security tools
- 4. Monitor user and administrator accounts
- 5. Monitor the use of systems
- 6. Establish a channel to receive security notifications
Introduction
Ransomware attacks can be detected in different phases, in different ways and with varying levels of detail. The sooner the detection occurs, the smaller the impact on the organization and, as a result, the smaller the effort required to respond.
For detection to occur, it is essential that the environment is previously prepared to monitor and detect the activities of the attackers, and has tools and people capable of interpreting the results.
Each phase of the attack offers opportunities to detect and stop the attacker's malicious actions. This is illustrated in the "Ransomware: How to detect" Infographic and discussed below.
1. Enable and analyze logs
Logs generated in the various devices and systems help identify attackers’ malicious activities and malware and, due to their importance, need to be protected against unauthorized removal or alterations.
- Enable logging on network devices, servers, security tools, applications and cloud services, especially in critical systems:
- in network devices and firewalls, also enable netflow.
- Protect logs from improper access:
- send the logs to centralized servers with protection mechanisms enabled.
- To facilitate the correlation of logs, events and other data:
- keep all logs in the same time zone (e.g. UTC);
- keep the time of servers and network devices synchronized with a reliable time source using, for example, the NTP protocol.
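The correlation problem behind these two items is easy to underestimate: a firewall writing local time with an offset, a server writing UTC and a legacy device writing naive local time will put the same sequence of events in the wrong order if their stamps are compared as written. The following added example (not CERT.br's code) normalizes constructed log lines from three such sources to UTC before ordering them; the device zone assigned to the naive source is an assumption that a real deployment would take from its inventory.

```python
from datetime import datetime, timezone, timedelta

# Constructed log lines from three sources that stamp time differently:
# the firewall writes local time with a UTC offset, the file server writes UTC,
# and a legacy switch writes naive local time (its zone, UTC-3, is known to us).
RAW_EVENTS = [
    ("firewall", "2025-10-05T08:00:00-03:00", "accept tcp 198.51.100.7 -> 192.0.2.20:3389"),
    ("fileserver", "2025-10-05T10:30:00Z", "share \\\\fs01\\finance opened by alice.silva"),
    ("switch", "2025-10-05 07:45:00", "port 12 link up"),
]
# Assumption: the zone of every source that logs naive (offset-less) timestamps
DEVICE_ZONES = {"switch": timezone(timedelta(hours=-3))}


def to_utc(stamp, source):
    """Parse an ISO 8601 stamp, attach the device zone when it is naive, return UTC."""
    parsed = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=DEVICE_ZONES[source])
    return parsed.astimezone(timezone.utc)


def timeline(events):
    """Return (utc_iso, source, message) tuples in true chronological order."""
    normalized = [(to_utc(stamp, source), source, msg) for source, stamp, msg in events]
    return [(t.isoformat(), source, msg) for t, source, msg in sorted(normalized)]


if __name__ == "__main__":
    for when, source, msg in timeline(RAW_EVENTS):
        print(when, source, msg)
```

Compared as raw strings, the firewall's "08:00" would sort before the server's "10:30"; after normalization the server event (10:30Z) is seen to precede both the switch event (10:45Z) and the firewall event (11:00Z), which is the order an analyst needs when reconstructing an intrusion.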
2. Monitor network traffic
Network monitoring should include both incoming and outgoing Internet traffic, as well as internal traffic between the organization's own networks. It helps in the detection of Initial Access, Persistence and C2, Lateral Movement and Impact.
2.1. Incoming traffic
- Identify a baseline of incoming traffic patterns.
- Determine which equipment and service ports can be accessed from other networks, both from the Internet and from internal networks.
- Monitor:
- External access to equipment that should not be accessed from outside the network: may indicate changes in the configuration of the equipment to allow remote access.
- Successive attempts to access a specific service port: may indicate attempts to exploit vulnerabilities in this service or brute force attacks.
- Network and port scans: may indicate attempts to identify active equipment and the services used, and then associate vulnerabilities with these services.
Analyzing scan data on equipment exposed to the Internet can be challenging, due to constant attack attempts and also non-attack traffic coming from numerous research projects and companies that scan the Internet to map vulnerabilities. This analysis may require the use of specific traffic analysis tools to detect relevant anomalies.
2.2. Outgoing traffic
- Determine the network outbound traffic pattern in advance.
- Monitor:
- Atypical increases in the volume of data being transmitted: may indicate Data Exfiltration.
- Unusual traffic increases in network shares, such as SMB: may indicate Data Encryption in these areas.
- Connections to IP addresses known to be involved in malicious activities and to phishing links detected via notifications and security tools: may indicate compromise of user or system credentials.
- DNS queries used for communication with C2 and with domains suspected of involvement with ransomware: may indicate the presence of Persistence mechanisms.
- Tor or Tor2Web requests: may indicate communication with C2 or Data Exfiltration.
- Very long sessions: may indicate communication with C2 or Data Exfiltration.
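The indicators listed in 2.1 and 2.2 can all be derived from the same netflow export once a baseline exists. The added example below (not CERT.br's code) runs four of them over constructed flow records: a port scan, repeated rejected connections to one service port, an outbound volume far above a host's baseline, and a very long session. The record layout, the internal address block (RFC 5737 TEST-NET-1) and the baseline values are assumptions for the demonstration; thresholds would be tuned to the organization's own traffic pattern.

```python
from collections import defaultdict

INTERNAL = "192.0.2."  # assumption: the organization's address block


def is_internal(ip):
    return ip.startswith(INTERNAL)


# Constructed sample flow records in the shape a netflow export would give:
# (start_epoch, duration_s, src_ip, dst_ip, dst_port, bytes_sent, accepted)
FLOWS = (
    # an external host probing 40 different ports on one server: a port scan
    [(1000, 1, "203.0.113.9", "192.0.2.10", port, 60, False) for port in range(20, 60)]
    # an external host retrying RDP 30 times: brute force against one service port
    + [(2000 + i, 2, "198.51.100.7", "192.0.2.20", 3389, 500, False) for i in range(30)]
    # an internal host pushing 5 GB out over a two-hour session
    + [(3000, 7200, "192.0.2.30", "203.0.113.50", 443, 5_000_000_000, True)]
    # ordinary internal web traffic
    + [(3100, 30, "192.0.2.31", "203.0.113.51", 443, 120_000, True)]
)

# Constructed baseline: typical bytes sent per outbound flow from each internal host
OUTBOUND_BASELINE = {"192.0.2.30": 2_000_000, "192.0.2.31": 150_000}


def port_scans(flows, min_ports=20):
    """External sources that touched at least min_ports distinct ports on one internal host."""
    ports = defaultdict(set)
    for _, _, src, dst, dport, _, _ in flows:
        if not is_internal(src) and is_internal(dst):
            ports[(src, dst)].add(dport)
    return sorted(key for key, seen in ports.items() if len(seen) >= min_ports)


def brute_force(flows, min_attempts=20):
    """Sources with at least min_attempts rejected connections to a single service port."""
    attempts = defaultdict(int)
    for _, _, src, dst, dport, _, accepted in flows:
        if not accepted:
            attempts[(src, dst, dport)] += 1
    return sorted(key for key, n in attempts.items() if n >= min_attempts)


def outbound_anomalies(flows, baseline, factor=10):
    """Internal hosts whose bytes sent in one outbound flow exceed factor x their baseline.

    A host with no baseline entry is treated as baseline 0, so any traffic from it is flagged.
    """
    hits = []
    for _, _, src, dst, _, sent, _ in flows:
        if is_internal(src) and not is_internal(dst) and sent > factor * baseline.get(src, 0):
            hits.append((src, dst, sent))
    return hits


def long_sessions(flows, max_seconds=3600):
    """Sessions to external hosts lasting longer than max_seconds."""
    return [(src, dst, dur) for _, dur, src, dst, _, _, _ in flows
            if not is_internal(dst) and dur > max_seconds]


if __name__ == "__main__":
    print("port scans:", port_scans(FLOWS))
    print("brute force:", brute_force(FLOWS))
    print("outbound anomalies:", outbound_anomalies(FLOWS, OUTBOUND_BASELINE))
    print("long sessions:", long_sessions(FLOWS))
```

Note that the scanning host also produces 40 rejected flows, but each to a different port, so it does not trip the brute-force rule; the two patterns are kept apart on purpose, because the response to each differs.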
3. Watch for alerts coming from security tools
Security tools, such as endpoint detection and response, firewalls, anti-spam and anti-phishing filters, usually issue alerts when they detect suspicious activities and also assist in the Response by automatically blocking some activities.
- Monitor:
- Logs and alerts generated by security tools.
- The security tools themselves for deactivation attempts or changes in settings.
- Configure security tools to identify and block the installation and execution of pirated software.
4. Monitor user and administrator accounts
The compromise or creation of user and administrator accounts is one of the Initial Access vectors. It can also occur in the Lateral Movement and Persistence and C2 phases.
- Monitor:
- Creation or change of accounts, especially administrator accounts.
- Credential brute force attacks, especially successive denied attempts followed by successful authentication.
- Access to old accounts or to accounts that do not comply with the organization's rules for employee or third-party login names: may indicate that an account is compromised and being used to access the organization's network.
- Successful remote access, such as VPN: can help track compromised accounts and attackers' actions.
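The account indicators above map directly onto an authentication log. The added example below (not CERT.br's code) parses constructed sshd-style lines from a VPN gateway and reports three of them: a run of denied attempts from one source followed by a successful login, successful logins by accounts whose names break the organization's naming rule, and use of accounts the organization considers dormant. The log format, the naming rule (employees as `first.last`, third parties as `ext-name`) and the dormant-account list are assumptions for the demonstration.

```python
import re

# Constructed sshd-style authentication lines from a VPN gateway (not real data).
AUTH_LOG = """\
Oct  5 10:00:01 vpn1 sshd[100]: Failed password for alice.silva from 198.51.100.7 port 51000 ssh2
Oct  5 10:00:03 vpn1 sshd[100]: Failed password for alice.silva from 198.51.100.7 port 51002 ssh2
Oct  5 10:00:05 vpn1 sshd[100]: Failed password for alice.silva from 198.51.100.7 port 51004 ssh2
Oct  5 10:00:07 vpn1 sshd[100]: Failed password for alice.silva from 198.51.100.7 port 51006 ssh2
Oct  5 10:00:08 vpn1 sshd[100]: Failed password for alice.silva from 198.51.100.7 port 51008 ssh2
Oct  5 10:00:09 vpn1 sshd[100]: Accepted password for alice.silva from 198.51.100.7 port 51010 ssh2
Oct  5 10:05:00 vpn1 sshd[101]: Accepted publickey for svc_backup2019 from 192.0.2.15 port 40000 ssh2
Oct  5 10:06:00 vpn1 sshd[102]: Failed password for invalid user admin from 192.0.2.16 port 40001 ssh2
Oct  5 10:06:30 vpn1 sshd[102]: Accepted password for bob.lima from 192.0.2.16 port 40001 ssh2
Oct  5 10:07:00 vpn1 sshd[103]: Accepted password for jsmith from 203.0.113.77 port 50001 ssh2
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Assumption: employees log in as first.last, third parties as ext-name
NAME_RULE = re.compile(r"^(?:[a-z]+\.[a-z]+|ext-[a-z]+)$")
# Assumption: accounts HR/IT consider old and no longer in use
DORMANT_ACCOUNTS = {"svc_backup2019"}


def parse(lines):
    """Keep only authentication results, as dicts with ts, result, user and src."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]


def brute_force_then_success(events, min_failures=5):
    """(src, user, failures) where a source failed min_failures times in a row, then succeeded."""
    streak = {}  # source address -> consecutive failures so far
    hits = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            streak[src] = streak.get(src, 0) + 1
            continue
        if streak.get(src, 0) >= min_failures:
            hits.append((src, e["user"], streak[src]))
        streak[src] = 0  # a success ends the run either way
    return hits


def noncompliant_logins(events, rule=NAME_RULE):
    """Accounts that logged in successfully but do not follow the naming rule."""
    return sorted({e["user"] for e in events if e["result"] == "Accepted" and not rule.match(e["user"])})


def dormant_account_use(events, dormant=DORMANT_ACCOUNTS):
    """Successful logins by accounts that should no longer be in use."""
    return [(e["user"], e["src"]) for e in events if e["result"] == "Accepted" and e["user"] in dormant]


if __name__ == "__main__":
    events = parse(AUTH_LOG)
    print("brute force followed by success:", brute_force_then_success(events))
    print("logins outside naming rule:", noncompliant_logins(events))
    print("dormant accounts in use:", dormant_account_use(events))
```

The single failure before bob.lima's login stays below the threshold and is not reported, which is the behaviour wanted: a mistyped password is normal, five denials and then an acceptance from the same source is the pattern the text describes.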
5. Monitor the use of systems
In the different phases of the ransomware attack, attackers can change settings, install malware and remote access tools, scan networks, Delete Backups and Exfiltrate and Encrypt Data. Such actions affect the behavior of the systems and serve as alerts of malicious activities.
- Establish what is considered "normal" use of the equipment.
- Monitor:
- Changes in patterns of equipment use, such as increased CPU usage and disk and network access activity.
- New software installations and executions of unknown processes.
- Changes to system settings, such as scheduled tasks, startup scripts, and registry keys.
- Run file integrity checking software on critical files, such as file systems, directories, databases, operating system components and applications, and monitor changes.
- Create decoy files and monitor access to them.
Decoy files are, for example, files that appear to be of sensitive data, passwords, certificates or access tokens, but that are not used by anyone in the organization. They must be monitored and used to generate alerts whenever accessed, as access is likely to be the action of an attacker or malware.
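The integrity-check item above is the one most directly tied to the Impact phase: mass modification of files whose new contents look like ciphertext is what Data Encryption leaves behind. The added example below (not CERT.br's code) snapshots a directory tree as SHA-256 hashes, diffs a later state against it, and flags changed files whose byte entropy is near the 8 bits per byte that encrypted or compressed data exhibits. The temporary tree, its contents and the 7.5-bit threshold are constructed for the demonstration; a real deployment would keep the baseline on a host the monitored systems cannot write to.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def entropy_bits(data):
    """Shannon entropy per byte; ciphertext and compressed data sit near 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root):
    """Relative path -> sha256 for every regular file under root (the trusted snapshot)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(root, baseline, encrypted_threshold=7.5):
    """Diff the tree against the baseline and flag changed files that now look encrypted."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    report = {
        "changed": changed,
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "possibly_encrypted": [],
    }
    for rel in changed:
        with open(os.path.join(root, rel), "rb") as f:
            if entropy_bits(f.read()) >= encrypted_threshold:
                report["possibly_encrypted"].append(rel)
    return report


def demo():
    """Build a constructed tree, snapshot it, then reproduce the traces an encryption run leaves."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in [("a.txt", "quarterly figures\n" * 200), ("b.txt", "contract draft\n" * 200)]:
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        baseline = build_baseline(root)
        # a.txt overwritten with maximum-entropy bytes (a stand-in for ciphertext),
        # b.txt removed, and an unknown note file dropped into the directory
        with open(os.path.join(root, "a.txt"), "wb") as f:
            f.write(bytes(range(256)) * 16)
        os.remove(os.path.join(root, "b.txt"))
        with open(os.path.join(root, "README.txt"), "w") as f:
            f.write("your files are encrypted\n")
        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Decoy files fit the same mechanism: a decoy's hash should never change and its directory should never gain or lose entries, so any line in the report that names a decoy path is an alert on its own. Detecting mere reads of a decoy needs the operating system's audit facility rather than hashing, since read access does not alter content.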
6. Establish a channel to receive security notifications
Publishing the contact information to which security notifications should be sent helps your organization identify problems, such as data leaks, infected equipment, hacked accounts and attempts to exploit vulnerabilities. Notifications can come from people both outside and inside the organization.
- Create and monitor communication channels to receive notifications from external sources, such as researchers and incident response teams, and internal sources, such as employees and contractors:
- create standard e-mail accounts, like abuse@domain and security@domain;
- keep the technical contact of your domain name registration always updated to the individual responsible for reading critical notifications and emails regarding the domain name;
- create the file security.txt at your site following the standard available at https://securitytxt.org/.
- Publish the communication channels and teach employees how to make security notifications:
- see more about employee awareness in "Ransomware: How to Protect".
- Encourage employees and contractors to notify whenever they encounter security problems, such as phishing, ransomware, ransom requests and “strange” behaviors on equipment, for example, missing files or alerts from security tools.
- Use the notifications received to train filters in security tools and as an alert for attacks against the organization.
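The security.txt file mentioned in the channel list is standardized in RFC 9116 (the format securitytxt.org describes): it is served at /.well-known/security.txt, must carry at least one Contact field holding a URI (mailto:, https: or tel:) and exactly one Expires field, and should not be dated more than a year ahead. The added example below (not CERT.br's code) shows a constructed file for a hypothetical example.org alongside a small validator that catches the two mistakes seen most often, a bare e-mail address instead of a mailto: URI and a missing or stale Expires; the addresses and dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed example of the file a hypothetical organization would serve at
# https://www.example.org/.well-known/security.txt
GOOD = """\
# Where to report security problems involving example.org
Contact: mailto:security@example.org
Contact: mailto:abuse@example.org
Expires: 2026-06-30T00:00:00Z
Preferred-Languages: pt, en
Canonical: https://www.example.org/.well-known/security.txt
"""

# Constructed broken file: bare address instead of a URI, and no Expires at all
BAD = """\
Contact: security@example.org
Preferred-Languages: pt
"""


def parse_fields(text):
    """Return (field_name_lowercased, value) pairs, skipping blank and comment lines."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate(text, now=None):
    """List the RFC 9116 problems found; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_fields(text)
    problems = []
    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
        else:
            if exp <= now:
                problems.append("file has expired; notifiers may consider it stale")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year ahead (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    print("good file:", validate(GOOD) or "no problems")
    print("bad file:", validate(BAD))
```

Running the validator on a schedule (or in the pipeline that deploys the web site) turns the "keep contacts updated" item into a check rather than a reminder: an expired file is reported before a researcher finds nobody reading the mailbox.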