Detect ransomware with Monitorpack
This guide provides a comprehensive classification of measurable indicators for detecting typical ransomware behaviors
in Microsoft environments. It is designed to be used with the Monitorpack monitoring solution to enable proactive
detection of a threat before it causes irreversible damage.
Usual known behaviors of ransomware
Here is a summary of the measurable, typical indicators of a ransomware attack in a Microsoft environment.
These elements can serve as triggers in a monitoring solution like Monitorpack.
- Mass file encryption,
- Mass file creation/modification,
- Abnormal CPU/disk consumption,
- Unusual or unknown services or processes (Event ID 4728),
- Critical services stopped,
- Suspicious network connections to external IP addresses,
- Deletion of backups or snapshots,
- Messages in Event Viewer related to security or file creation.
Network Interface
Monitoring best practice is to define a baseline first: the baseline is the range of values observed when everything
is running normally. Identify the regular spikes and set the trigger value at 150 % of that level or twice the value.
- Bytes Sent/sec: measures the number of bytes sent by the network card each second. If this counter shows
significantly higher than normal activity, it could indicate network congestion, such as a denial of service
(DoS) attack or excessive data transfer.
- Bytes Received/sec: measures the number of bytes received by the network card each second. A significant increase could
indicate excessive bandwidth usage by a client or abnormal incoming traffic.
- Packets Sent/sec: number of packets sent by the network card each second. An increase in packets sent could indicate
excessive communication from certain applications or suspicious activity.
- Packets Received/sec: number of packets received by the network card each second. Again, an abnormally high value
could indicate unusual behavior.
- Current Bandwidth: shows the current bandwidth available on the network interface. If bandwidth usage is close
to the limit, this could cause network congestion.
How to be informed by Monitorpack
Here's a structured and categorized table of measurable technical triggers in a Microsoft environment (servers, workstations, AD, etc.) to detect
typical signs of a ransomware attack. It covers performance counters, processes, services, ports, network response, Event Viewer, and other metrics
available through WMI, PowerShell, or any monitoring system like Monitorpack.
| Source type | Measured indicator | Suspicious behavior | Typical detection criteria | Risk category |
|---|---|---|---|---|
| Processes | wmiprvse.exe, vssadmin.exe, bcdedit.exe, powershell.exe, cmd.exe | Abnormal or repeated launches | Repeated creation of critical system processes in a short time | Malicious Execution |
| Processes | Unknown processes with high CPU usage | File encryption by multiple threads | CPU > 80% on unknown/unsigned process for several minutes | Encryption in Progress |
| Performance Counters | LogicalDisk(*)\% Free Space | Sudden drop in disk space | More than 20% disk space loss in minutes | Mass Deletion / Write |
| Performance Counters | Process(*)\IO Write Bytes/sec | Heavy disk writing | Sudden I/O spike on unknown processes | Active Encryption |
| Event Viewer | Security Event ID 4624/4625 | Suspicious or repeated login attempts | Multiple failed logins or from unknown IPs | Intrusion Attempt |
| Windows Services | VSS service disabled | Disabling backup protection | VSS service stopped while previously active | Backup Tampering |
| File System | Extensions .locked, .zzz, .crypted | Mass file renaming | Thousands of files renamed within minutes | Ransomware Activity |
| Active Directory (Event ID 4728) | Suspicious user added to Domain Admins | Privilege escalation | Unauthorized modification of critical groups | AD Compromise |
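The baseline rule from the Network Interface section (trigger at 150 % of the regular peak or twice the value) applied to any Windows performance counter, including the Process(*)\IO Write Bytes/sec row above. This is an added example, not Monitorpack's own code; the counter paths are standard Windows counters, while the sample counts, factors and instance filter are assumptions to tune for your environment.

```powershell
# Added example (not Monitorpack code): learn a counter baseline while the host is
# healthy, then flag instances whose current value exceeds 150 % of the baseline
# peak or twice the baseline average, whichever is higher.

function Get-CounterBaseline {
    param(
        [string]$CounterPath = '\Network Interface(*)\Bytes Sent/sec',
        [int]$Samples = 30,          # assumption: 30 samples of 2 s = 1 minute of "normal"
        [int]$IntervalSeconds = 2
    )
    $data = Get-Counter -Counter $CounterPath -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $values = $data.CounterSamples |
        Where-Object { $_.InstanceName -notmatch 'isatap|loopback' } |   # assumption: ignore virtual adapters
        Select-Object -ExpandProperty CookedValue
    [pscustomobject]@{
        Counter = $CounterPath
        Average = ($values | Measure-Object -Average).Average
        Peak    = ($values | Measure-Object -Maximum).Maximum
    }
}

function Test-CounterSpike {
    param(
        [Parameter(Mandatory)] $Baseline,
        [double]$PeakFactor = 1.5,    # 150 % of the regular peak
        [double]$AverageFactor = 2.0  # or twice the usual value
    )
    $threshold = [math]::Max($Baseline.Peak * $PeakFactor, $Baseline.Average * $AverageFactor)
    $now = (Get-Counter -Counter $Baseline.Counter).CounterSamples |
        Where-Object { $_.InstanceName -notmatch 'isatap|loopback' }
    foreach ($s in $now) {
        [pscustomobject]@{
            Instance  = $s.InstanceName
            Value     = [math]::Round($s.CookedValue)
            Threshold = [math]::Round($threshold)
            Alert     = $s.CookedValue -gt $threshold
        }
    }
}

# Usage: build the baseline during normal operation, store it, and re-check periodically.
$netBaseline = Get-CounterBaseline
Test-CounterSpike -Baseline $netBaseline | Where-Object Alert | Format-Table

# Same rule on per-process disk writes (the "Active Encryption" row of the table);
# the Instance column then names the process to inspect.
$ioBaseline = Get-CounterBaseline -CounterPath '\Process(*)\IO Write Bytes/sec'
Test-CounterSpike -Baseline $ioBaseline | Where-Object Alert | Format-Table
```

The Alert rows are the events to raise in Monitorpack; because processes start and stop, a process instance absent from the baseline is a reason to review it rather than a false alarm to suppress.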
Alarms configuration
Details about the alarms to implement in order to detect ransomware are available on the following page: How to monitor security
Support & Questions
If you need additional help, you can create a ticket in French and ask your questions to our support
here: contact Monitorpack support