How to detect and respond to a ransomware attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect a potential ransomware attack based on mass file modification activity, take immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • File auditing must be configured in ADAudit Plus for the relevant file servers.

  • The necessary audit policies to generate Event ID 4663 (An attempt was made to access an object) must be enabled on the file servers, including object-level auditing (SACLs) on the monitored folders to audit for Write access.

Steps to follow  

Step 1: Detecting the attack  

  1. Navigate to the Active Directory tab > Attack Surface Analyzer > Threats > Ransomware Attack.

  2. This report shows all detections related to a possible ransomware attack, identified by a high volume of file write operations in a short period.

Step 2: Understanding the detection criteria  

ADAudit Plus detects a potential ransomware attack based on the following pattern:

  • Description: An attacker performs mass modification of files and documents, typically for encryption, to demand a ransom in exchange for the decryption keys.

  • Detection Logic: The following event occurs 1,000 times within five minutes:

    • Event Code equals 4663 (An attempt was made to access an object).

    • Access Mask has the 0x2 bit enabled (indicating a write operation).

    • Object Type equals File.

    • Account Name does not end with $.
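The rule above can be reproduced outside the product to sanity-check its four filters and the 1,000-in-five-minutes threshold against your own logs. The following Python script is an added example, not ADAudit Plus code: it parses a constructed key=value log line format (an assumption made for the example; Windows and ADAudit Plus emit 4663 events in their own formats) and keeps a per-account sliding five-minute window of qualifying write events, raising one alert per account that crosses the threshold. The sample data is constructed so that only one account should trigger: a machine account, a read-only burst and a slow writer are all present as negative cases.

```python
from collections import deque
from datetime import datetime, timedelta

# Detection parameters as stated in the ADAudit Plus rule.
THRESHOLD = 1000                 # qualifying events ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window
WRITE_BIT = 0x2                  # Access Mask bit that indicates a write


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO timestamp> EventID=4663 AccountName=jdoe ObjectType=File AccessMask=0x2'
    into a dict. This line format is an assumption for the example only."""
    ts, *fields = line.split()
    rec = {"Time": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["EventID"] = int(rec["EventID"])
    rec["AccessMask"] = int(rec["AccessMask"], 16)
    return rec


def matches_rule(ev):
    """Per-event filter: 4663, write bit set, file object, not a machine account."""
    return (ev["EventID"] == 4663
            and (ev["AccessMask"] & WRITE_BIT) != 0
            and ev["ObjectType"] == "File"
            and not ev["AccountName"].endswith("$"))


def detect_mass_writes(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of qualifying events per account.
    Returns {account: {"start", "end", "count"}} with one alert per account,
    recorded at the moment the window first reaches the threshold."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["Time"])
    recent = {}   # account -> deque of timestamps inside the current window
    alerts = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        acct = ev["AccountName"]
        dq = recent.setdefault(acct, deque())
        dq.append(ev["Time"])
        # Drop timestamps older than the window relative to this event.
        while ev["Time"] - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold and acct not in alerts:
            alerts[acct] = {"start": dq[0], "end": ev["Time"], "count": len(dq)}
    return alerts


def build_sample_lines():
    """Constructed sample log (not real audit data) covering one true positive
    and three cases the rule must ignore."""
    base = datetime(2024, 1, 1, 9, 0, 0)

    def line(t, acct, otype, mask):
        return (f"{t.isoformat()} EventID=4663 AccountName={acct} "
                f"ObjectType={otype} AccessMask={mask:#x}")

    lines = []
    # jdoe: 1,200 file writes in 4 minutes -> crosses the threshold
    lines += [line(base + timedelta(milliseconds=200 * i), "jdoe", "File", 0x2)
              for i in range(1200)]
    # FILESRV01$: identical burst from a machine account -> excluded by the '$' filter
    lines += [line(base + timedelta(milliseconds=200 * i), "FILESRV01$", "File", 0x2)
              for i in range(1200)]
    # asmith: 1,200 read-only accesses (mask 0x1) -> write bit not set
    lines += [line(base + timedelta(milliseconds=200 * i), "asmith", "File", 0x1)
              for i in range(1200)]
    # bwong: 900 writes spread over 30 minutes -> never 1,000 in any 5-minute window
    lines += [line(base + timedelta(seconds=2 * i), "bwong", "File", 0x2)
              for i in range(900)]
    return lines


if __name__ == "__main__":
    for acct, a in detect_mass_writes(build_sample_lines()).items():
        print(f"ALERT {acct}: {a['count']} file writes between {a['start']} and {a['end']}")
```

Running the script prints a single alert for jdoe, reached after exactly 1,000 writes in just under 200 seconds. The window is evaluated per account because the rule keys on Account Name; if you adapt it to real 4663 data, also carry the source workstation field, since Step 3 relies on it to pick the machine to isolate.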

Step 3: Immediate remediation  

A ransomware detection event indicates an active attack that could be encrypting your files. Act immediately:

  1. Isolate the source machine: The event log will show the Account Name and the source workstation from which the modifications are originating. Disconnect this machine from the network immediately to stop the encryption process.

  2. Disable the compromised account: Disable the user account (Account Name) that is performing the mass file modifications to prevent it from accessing other resources.

  3. Identify the scope of impact: Review the file audit reports in ADAudit Plus for the compromised user and source machine to determine which file shares and servers were affected.

  4. Restore from backups: The most reliable method of recovery is to restore the encrypted files from clean, recent backups. Do not pay the ransom. Verify that your backups are uncompromised and were not accessible to the attacker.

  5. Investigate the point of entry: Determine how the ransomware was executed. Common vectors include phishing emails, exploiting unpatched vulnerabilities, or compromised RDP credentials.

Validation and confirmation  

  • After isolating the source machine and disabling the account, the mass file modification activity in ADAudit Plus reports should cease.

  • Restored files from backup should be accessible and unencrypted.

  • The source machine should be wiped and rebuilt from a known-good image before being returned to the network.

Tips  

The following best practices can help prevent ransomware attacks.

User training and awareness  

  • Conduct regular security awareness training. Teach users to identify and report phishing emails, which are a primary delivery vector for ransomware.

Endpoint and network security  

  • Use a reputable endpoint protection solution (e.g., antivirus, EDR) and keep it updated.

  • Implement a robust patch management program to ensure operating systems and applications are patched against known vulnerabilities.

  • Restrict RDP access from the internet. If RDP is required, secure it behind a VPN with MFA.

Principle of least privilege (PoLP)  

  • Ensure users only have access to the files and folders they need to perform their jobs. Overly permissive share and NTFS permissions allow ransomware to spread and encrypt more data.

Backup and recovery  

  • Maintain regular, tested backups of critical data. Follow the 3-2-1 rule (three copies of data, on two different media, with one copy off-site).

  • Ensure backups are immutable or stored offline so they cannot be encrypted or deleted by the ransomware.

Related topics and articles  

  • How to detect and respond to an AdminSDHolder attack using ADAudit Plus 