Name in API: ransomware_infection
Severity: High (as of January 20, 2022)
Factor: IP Reputation
Factor weight: High
Why this matters
Ransomware can cause serious damage to your operations, revenue, and reputation.
Ransomware is a type of malware that encrypts sensitive files on an infected device, making them inaccessible to the targeted user or organization. The attack typically includes a threat to publish the files or permanently prevent their access unless the victim pays the malicious party to decrypt the files.
One ransomware attack method involves deceiving a user into downloading the malware, which is disguised as a legitimate email attachment. Other types of ransomware, such as the WannaCry worm, travel automatically between computers without user interaction.
If ransomware has been detected in your network, it is critical to inspect and neutralize it before it can move laterally and cause damage.
How we discovered it
Our detection devices received communications indicative of ransomware infection over the last 30 days from your internet-facing assets.
How you can remediate it
Take the following actions to investigate, contain, and correct the issue:
Find the attack source(s) on your network
- In your Findings table, note the detected ransomware family for any finding, so that you can research how it behaves and communicates. This will help you to isolate and remove it.
- Click the Observations link for any finding to see the port connections made from the IP address on your network from which the attack originated.
Note: You can only see destination IPs if you have a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
- Search your logs for connections to our destination IPs. From there you can see your IP addresses and ports from which the connections were made.
- Use Intrusion Detection and Prevention System (IDS/IPS) rules to identify ransomware by its traffic properties.
- If you are knowingly running designated, segmented networks for research or other purposes, remove them from your Digital Footprint.
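One way to carry out the log search described above, as an added example that is not SecurityScorecard's own tooling: the script below takes the destination IPs from a finding's Observations, scans firewall log lines for connections to them, and reports which internal IP addresses and ports the connections came from, including attempts the firewall already denied (a denied attempt is still evidence that the source host tried to reach the destination). The destination IPs and the log lines are constructed placeholders in RFC 5737 documentation ranges and a generic key=value format; substitute the real values from your finding and your own device's log format.

```python
import ipaddress
import re
from collections import Counter

# Destination IPs copied from the finding's Observations. CONSTRUCTED placeholders
# (RFC 5737 documentation range), not SecurityScorecard's real destination IPs.
FINDING_DESTINATION_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed sample firewall log lines in a generic key=value style (not from
# any real device). Only the field names matter; adapt LINE_RE to your format.
SAMPLE_LOG = """\
2022-01-18T09:14:02Z action=allow src=10.20.5.17 spt=49211 dst=203.0.113.10 dpt=443 proto=tcp
2022-01-18T09:14:05Z action=allow src=10.20.5.17 spt=49213 dst=198.51.100.7 dpt=443 proto=tcp
2022-01-18T09:15:41Z action=allow src=10.20.7.3 spt=51002 dst=203.0.113.11 dpt=80 proto=tcp
2022-01-18T09:16:12Z action=allow src=10.20.5.17 spt=49230 dst=203.0.113.10 dpt=443 proto=tcp
2022-01-18T09:17:00Z action=deny src=10.20.9.9 spt=40000 dst=203.0.113.10 dpt=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+spt=(?P<spt>\d+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match
    the expected format or carries an invalid IP address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_internal_sources(log_text, destination_ips):
    """Map each internal source IP that contacted a finding destination IP to
    a summary: connection count, first/last timestamp, destination ports hit,
    and how many attempts the firewall denied."""
    hits = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dst"] not in destination_ips:
            continue
        entry = hits.setdefault(rec["src"], {
            "count": 0,
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
            "dst_ports": Counter(),
            "denied": 0,
        })
        entry["count"] += 1
        entry["last_seen"] = rec["ts"]
        entry["dst_ports"][rec["dpt"]] += 1
        if rec["action"] == "deny":
            entry["denied"] += 1
    return hits


def rank_sources(hits):
    """Order implicated source IPs by connection count, busiest first, so the
    hosts most likely to be infected are examined first."""
    return sorted(((src, e["count"]) for src, e in hits.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    found = find_internal_sources(SAMPLE_LOG, FINDING_DESTINATION_IPS)
    for src, count in rank_sources(found):
        e = found[src]
        ports = ",".join(str(p) for p in sorted(e["dst_ports"]))
        print(f"{src}: {count} connection(s), ports {ports}, "
              f"{e['first_seen']} .. {e['last_seen']}, denied={e['denied']}")
```

The output lists the internal addresses to examine under the next step; a host that appears repeatedly, or keeps retrying after the firewall denied it, is the first candidate to isolate.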
Isolate and remove malware infections
Examine any assets implicated in the attack for evidence of infection. Remove the ransomware or the assets.
Take preventative measures
Monitor all incoming and outgoing traffic for suspicious behavior using IDS solutions such as Snort or Web Application Firewalls (WAFs). Block any suspicious traffic, and add associated IP addresses to a deny list.
How you can resolve it in SecurityScorecard
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving Ransomware infection detected findings:
I have fixed this
- Tell us if you have:
- Isolated and removed any infections on your implicated assets
- Removed infected assets from your Digital Footprint
I have a compensating control
- There are no compensating controls for this issue type.
This is not my IP or domain
- Tell us if the IPs or domain from which the attack originated do not belong to you.
I cannot reproduce this issue and I think it’s incorrect
- Indicate if you have inspected the affected assets and have not found evidence of ransomware.
See our blog post What is Ransomware and How Do You Remove It?.