
Understanding the Progression of a Ransomware Attack – Source: securityboulevard.com


Source: securityboulevard.com – Author: Sue Poremba

Everyone should be familiar with ransomware and its impact on businesses by now. But knowing the basics is not enough: you cannot really protect your organization until you understand the entire ransomware attack life cycle, from the moment threat actors get into your systems to the point where you must decide whether or not to pay.

Attack Life Cycle

The most common ransomware life cycle follows a fairly predictable path. The attackers gain access through a targeted phishing email or an exploit and, once inside, they install a command-and-control implant or a remote access tool to establish a foothold. They are not out to encrypt your data immediately. The cybercriminals want to learn as much as they can while they are in your network: they harvest as many credentials as possible, move laterally and conduct internal reconnaissance, repeating that cycle until they have reached the systems they need. Only then do they steal your data and encrypt it.

“What threat actors are doing these days before encrypting the data—they are also taking your data,” said Jibran Ilyas, consulting leader with Mandiant/Google Cloud, during a talk at RSA Conference 2023. “If you have really good backups, they still want to take your money.” Even a victim that can restore from backups is still exposed, because the attackers can demand payment by showing that they hold a copy of the data and threatening to publish it.

Favorite Infiltration Tactics

If you want to protect your systems and your data from ransomware, the best line of defense is to prevent the initial intrusion. But you cannot do that without knowing how attackers get in. Threat actors stick with the methods that work best, and according to Ilyas, these are the top infiltration tactics they use:

• Email spearphishing

• Password spraying against single-factor authentication remote access portals

• Purchase of stolen credentials on the dark web

• Exploitation of publicly exposed servers

• Third-party compromise

These tactics are rarely as simple as they sound. A stolen credential may belong to a former employee who is still using the same password elsewhere, or whose access was never fully revoked, which leaves the door open for the attackers. Or the attackers will time their initial attack for an odd hour, when fewer defenders are watching, so that even if it is discovered early they have already done serious damage before a patch can be cobbled together.

“Some patches, when they first come in, aren’t even a full patch,” said Ilyas. When Log4j happened, for example, organizations applied the first mitigations (such as configuration flags or registry changes), believed they were secure, and only learned when they were attacked again that the initial fix did not fully protect them.

Another thing to note, Ilyas added, is that when the ransomware operation begins with a phishing email, that email will not demand payment or make threats, at least not at first. The attackers do not want you to know you are under attack, so the message will be a spearphishing lure that looks like any other email from the spoofed sender. Organizations cannot be lulled into thinking that a ransomware attack will stand out.

When They’re Inside

As mentioned before, once inside, the threat actors will stay as long as they need to, learning their way around your environment and gathering as much useful information as possible. They will likely remain undetected for weeks or months unless your security tooling can spot their movements: repeated authentication failures spread across many accounts, one account logging on to many hosts in a short time, or remote access from unfamiliar locations. To be proactive, your security program should have layered protection for passwords and other credentials, and detection that watches how those credentials are actually used.

The Endgame

To complete the mission, after they have harvested credentials and moved through the network, threat actors need to know where the databases and other key servers are. They look for anything that stores critical data or backups; these are the systems they want to encrypt first, to cripple your business operations.

If they locate backups or security services during this final search, they use the access they have gathered to delete or disable them. Only once that is done do they deploy the ransomware and encrypt the data.
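The backup tampering described here typically shows up in process-creation telemetry before a single file is encrypted, which makes it one of the last reliable tripwires. The following is an added example, not code from the article or from Mandiant: a small rule set run over constructed process-creation events, matching the well-documented commands ransomware uses to remove local recovery points (MITRE ATT&CK T1490, Inhibit System Recovery). The event format, the rule set and every sample event are assumptions made for this example, not any product's signatures.

```python
"""Added example, not code from the article or from Mandiant: a small
process-creation detector for the backup and recovery tampering that precedes
the encryption step.  The commands matched are the well-documented ways
ransomware removes local recovery points (MITRE ATT&CK T1490, Inhibit System
Recovery); the rule set, event format and sample events are this example's
own assumptions, not any product's signatures."""
import re
from collections import defaultdict

# (rule name, pattern applied to the lower-cased command line)
RULES = [
    ("shadow-copy-delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow-storage-resize",  # shrinking the store evicts old shadow copies
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell-shadowcopy-delete",
     re.compile(r"win32_shadowcopy.*\.delete\(")),
    ("backup-catalog-delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
    ("windows-recovery-disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("vss-service-stop",  # VSS, swprv and wbengine are the shadow-copy/backup services
     re.compile(r'\b(sc|net1?)(\.exe)?\s+stop\s+"?(vss|swprv|wbengine)\b')),
]

# Constructed sample process-creation events (Sysmon event 1 / Windows 4688
# style, reduced to the fields the rules need).  Hosts and users are made up.
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T10:31:02Z", "host": "fs01", "user": "CORP\\frank",
     "parent": "cmd.exe", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-05-01T10:31:05Z", "host": "fs01", "user": "CORP\\frank",
     "parent": "cmd.exe", "cmdline": r"wbadmin delete catalog -quiet"},
    {"ts": "2023-05-01T10:31:09Z", "host": "fs01", "user": "CORP\\frank",
     "parent": "cmd.exe", "cmdline": r"bcdedit /set {default} recoveryenabled no"},
    {"ts": "2023-05-01T10:32:40Z", "host": "bkp01", "user": "CORP\\frank",
     "parent": "powershell.exe",
     "cmdline": r'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
    {"ts": "2023-05-01T10:33:00Z", "host": "bkp01", "user": "CORP\\frank",
     "parent": "cmd.exe", "cmdline": r"net stop wbengine"},
    # Routine administration that must not fire:
    {"ts": "2023-05-01T10:40:00Z", "host": "dc01", "user": "CORP\\svc-backup",
     "parent": "cmd.exe", "cmdline": r"vssadmin list shadows"},
    {"ts": "2023-05-01T10:45:00Z", "host": "jump01", "user": "CORP\\admin",
     "parent": "cmd.exe", "cmdline": r"bcdedit /enum"},
]


def match_rules(cmdline):
    """Return the names of every rule the command line matches."""
    text = cmdline.lower()
    return [name for name, rx in RULES if rx.search(text)]


def scan(events):
    """One alert per (event, matching rule)."""
    alerts = []
    for e in events:
        for rule in match_rules(e["cmdline"]):
            alerts.append({"ts": e["ts"], "host": e["host"],
                           "user": e["user"], "rule": rule})
    return alerts


def hosts_with_recovery_tampering(events):
    """Group alerts by host.  Several distinct rules firing on one host in a
    short span is the high-confidence signal that encryption is imminent."""
    by_host = defaultdict(set)
    for a in scan(events):
        by_host[a["host"]].add(a["rule"])
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    for host, rules in hosts_with_recovery_tampering(SAMPLE_EVENTS).items():
        print(host, rules)
```

Backup administrators do run vssadmin and wbadmin legitimately, so the grouping by host matters: several distinct rules on one host within a few minutes, launched by an account that has no business on a file or backup server, is the signal worth paging on, and it arrives minutes before the encryptor does.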

“When they run the ransomware, they’ll leave a file on the desktop—a ransom note,” said Ilyas. And you may be surprised to find that professional criminals are articulate, well-spoken and very businesslike. That is because it is a business, and a well-run ransomware crew will have done its due diligence in its efforts to force you to pay.

Should You Pay?

The FBI advises companies not to pay ransoms, but in practice the decision is more complicated than that. Ilyas said you need to consider questions including:

• Can you recover your data and systems on your own, and if so, how quickly can you do it?

• Do you trust the threat actor to actually release your data?

• Does the threat actor continue to have access to your system?

• Do you have cyber insurance that will cover your losses?

Do not hesitate to make counter-demands, Ilyas suggested. If you do agree to pay, the attackers should give you something in return: a full intrusion report showing how they gained access and a timeline of their activities, the decryption key, deletion of all exfiltrated data, and a commitment not to resort to blackmail tactics such as publishing the data or the details of the deal.

Knowing how a ransomware attack plays out gives you better insight into how to prevent one; and if an attack does get past your defenses, you will have a clear view of the attackers' tactics and of what in your network is at risk.


Original Post URL: https://securityboulevard.com/2023/05/understanding-the-progression-of-a-ransomware-attack/

Category & Tags: Analytics & Intelligence, Cybersecurity, Data Security, Featured, Incident Response, Malware, Security Boulevard (Original), Social Engineering, Spotlight, Threat Intelligence, credential theft, cyberattacks, Ransomware, TTPs
