What are Ransomware Attacks?
Ransomware attacks are a persistent problem in the digital world. They occur when ransomware groups exploit vulnerabilities to gain access to systems, encrypt (and frequently exfiltrate) sensitive files or data, and demand payment to restore access or to refrain from publishing what was stolen. Every year we see an increase in these attacks, with new groups emerging and established ones becoming increasingly active.
How to enable Ransomware Monitoring?
Monitoring ransomware attacks is a crucial part of Deep & Dark Web monitoring. You can also create a Search Bot that queries the Ransomware Feed source, adding specific term libraries to tailor the search to your needs. Check out our article on Search Bots; it will guide you through this process!
Recommendations on What to Monitor
Search in Explore using the name of a group you want to monitor.
Perform a generic query with the platform filter set to "Ransomware feed" to see all recent attacks. Negating a string that appears in no post matches every record, so the platform filter alone decides what is returned.
Example: NOT(qwertyuiop)
Search for brands to check if they have been mentioned in any attack.
Example: axur OR axur*
✨ It's recommended to add a * to the end of the brand name to get results if the group lists the company as a victim on their site, like axur.com.
Search for the vendor to check if they have been listed as victims.
Example: aws* OR microsoft*
✨ It's recommended to add a * to the end of the vendor name to get results if the group lists the company as a victim on their site, like aws.amazon.com.
Set up an anomaly alert with the brand name, its variations, and vendor names so that you are notified as soon as at least 1 event occurs.
Search for terms that may be in the description and have something in common with the company, such as a country, region, or even TLDs.
Example: brazil* OR *com.br OR latam OR mexico OR *com.mx
Or a market segment:
Example: finance
What Does Ransomware Monitoring Do?
Collects new posts from an indexer of ransomware group leak sites and their listed victims every 5 minutes.
Displays all possible attacks in Explore.
Allows manual ticket creation from these Explore results, leading to a type of ticket called "Ransomware Attack."
Allows filtering only ransomware alerts using the Platform option and selecting the value "Ransomware Feed."
Allows searching by victim, group name, and description.
Provides the post link, victim's site, group name, publication date, and screenshot when available.
FAQ
I received a Ransomware alert, what should I do?
If you receive a Ransomware alert, immediate action is vital. Explore offers options to look up specific details such as the responsible group, attack description, post URL, victim's site, and publication date. First confirm that the listed victim or site really is your organization (or one of your suppliers) and not a different company with a similar name, since the alert reflects only what the group published. Preserve the post link and screenshot as evidence, then escalate to your incident response process so the organization can assess the severity of the attack and respond accordingly.
Why do we say a company is a possible victim?
This is because all evidence we have comes from Ransomware groups' posts on their sites. This doesn't necessarily mean that the company listed as a victim has been attacked.
Why does an alert not have a link to the post or a screenshot? Why doesn't the description provide standard information for all alerts?
All information depends on how the group releases new attacks and what our data source can collect. Thus, we rely on information from these third parties.
Why is the date reported in Explore or the ticket result not the same as the screenshot of the post or the group's site?
Axur displays the time in the user's time zone, while the time on the group's site is usually UTC (GMT), so the two can differ by your UTC offset.
There are results detected in August 2023, but they were old attacks. Is this correct?
The detection date is when we collected the result into our database. Because we imported all historical attack data when the functionality launched in August 2023, those results carry an August 2023 detection date, which is correct. To see the actual date the company was listed as a victim of the attack, click to view the details of the result.
Why was a ticket created if none of the searched terms match the listed victim?
Search Bots look for the configured terms in all fields of the Ransomware attack alert (victim, group name, victim's site, and description), so the listed victim need not be one of your key terms. If the ticket is irrelevant, the term was most likely matched in the description field.
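To make the query syntax from the "Recommendations on What to Monitor" section concrete, and to show why a Search Bot can open a ticket whose victim is not one of your terms, here is an added example that is not part of Axur's product or this article. It is a small stand-in matcher written for illustration: it assumes Explore-style queries built from OR, NOT(term) and a * wildcard at either end of a term, evaluates them over constructed sample feed records (fictitious groups and victims, not real data), and reports which field each term hit.

```python
import fnmatch
import re

# Constructed sample records, not real feed data. The fields mirror what an
# alert carries according to the article: group, victim, victim site, description.
SAMPLE_FEED = [
    {"group": "ExampleLocker", "victim": "axur.com", "site": "axur.com",
     "description": "Cybersecurity company, 120 GB of data exfiltrated."},
    {"group": "ExampleLocker", "victim": "Acme Bank", "site": "acmebank.com.br",
     "description": "Finance institution in brazil, negotiations ongoing."},
    {"group": "OtherCrew", "victim": "Contoso Ltd", "site": "contoso.co.uk",
     "description": "UK retailer; backups hosted on aws.amazon.com were wiped."},
]

FIELDS = ("group", "victim", "site", "description")


def tokens(text):
    """Split a field into lowercase tokens, stripping surrounding punctuation."""
    return [t.strip(".,;:()\"'") for t in re.findall(r"\S+", text.lower())]


def term_matches(term, text):
    """A bare term must equal a whole token; a * at either end widens it,
    so 'axur*' matches 'axur.com' and '*com.br' matches 'acmebank.com.br'
    (this is the assumed semantics behind the article's advice to append *)."""
    pattern = term.lower()
    return any(fnmatch.fnmatchcase(tok, pattern) for tok in tokens(text))


def parse_query(query):
    """Parse 'a OR b* OR NOT(c)' into a list of (negated, term) clauses."""
    clauses = []
    for part in re.split(r"\s+OR\s+", query.strip()):
        m = re.fullmatch(r"NOT\((.+)\)", part)
        clauses.append((True, m.group(1)) if m else (False, part))
    return clauses


def match_record(query, record):
    """Return {field: [terms]} for every field a term hit, or {} if the record
    does not match. NOT(x) matches the whole record (key '*') when x hits no
    field, which is why NOT(<nonsense>) lists every recent attack."""
    hits = {}
    for negated, term in parse_query(query):
        fields_hit = [f for f in FIELDS if term_matches(term, record[f])]
        if negated:
            if not fields_hit:
                hits.setdefault("*", []).append(f"NOT({term})")
        else:
            for f in fields_hit:
                hits.setdefault(f, []).append(term)
    return hits


def search(query, records=SAMPLE_FEED):
    """Run a query over the feed. Each result names the victim and the fields
    that matched, so an irrelevant ticket can be traced to, e.g., a vendor
    term that only appeared in the description."""
    results = []
    for record in records:
        hits = match_record(query, record)
        if hits:
            results.append((record["victim"], hits))
    return results


if __name__ == "__main__":
    for q in ("NOT(qwertyuiop)", "axur OR axur*", "aws* OR microsoft*",
              "brazil* OR *com.br OR latam OR mexico OR *com.mx", "finance"):
        print(q, "->", search(q))
```

Running it shows the two behaviours the article describes: the bare term axur matches nothing because the victim token is axur.com, while axur* hits both the victim and site fields; and the vendor query aws* returns Contoso Ltd solely because aws.amazon.com appears in its description, which is exactly the kind of description-only hit that produces a ticket whose victim is not one of your terms.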
If you have any questions, feel free to reach out at [email protected] 😊
