Anatomy of a ransomware attack

How do ransomware attacks work? Typically, they start with threat actors breaking into the victim’s systems and end with the encryption of files and a ransom demand. Different threat actors will use different techniques and tools, but most cybercriminals will follow a common plan of attack:

Delivery

Cybercriminals first have to find away into your system. Phishing emails are a favoured method that most organisations are on the alert for, but beware of other less direct methods such as: 

• malicious advertisements (aka malvertising) on legitimate websites that redirect users to websites hosting exploit kits;

• so-called ‘drive-by downloads’, whereby visiting compromised or malicious websites can trigger the automatic download and execution of ransomware without the user’s knowledge; and

• remote desktop protocol (RDP) exploits. In this approach, attackers take advantage of vulnerabilities in an RDP to gain access to a system and manually install ransomware.

Execution 

Once they’re in your system, the threat actor will install the ransomware on it. This may involve the installation of additional tools or malware components that will help it to evade detection by your security software, and to ensure that it survives on your network.

Privilege escalation 

Ransomware often tries to gain elevated privileges or administrator rights to access critical files and encrypt them.

Encryption 

The ransomware begins encrypting files on your system or network, making them inaccessible. It typically targets a wide range of file types, including documents, images, databases, and more. Some types of ransomware may also encrypt backup files or shadow copies to prevent easy recovery.

Ransom demand 

Once encryption is completed, the ransomware displays a ransom note, or issues instructions as to how to pay a ransom. This note includes details on the payment amount, the cryptocurrency to be used, and instructions for contacting the threat actor. Some ransomware will also threaten permanent data loss or increase the ransom amount if the victim does not comply. If victims refuse to pay a ransom, some gangs use ransomware that exfiltrates sensitive data and releases it for sale on the dark web (a move known as “double extortion”).

Payment 

Cybercriminals will often tell the victim how to create a cryptocurrency wallet, how to buy the required cryptocurrency and send it to the specified wallet address. 

Paying the ransom does not guarantee that the threat actor will decrypt the files or restore access. In fact, as many organisations have found to their dismay, agreeing to pay a ransom will often be treated as a sign that there is more money to be had.

Preventing ransomware attacks and mitigating against their effects

• Regularly back up your data. Maintain secure and up-to-date backups of critical data offline, or in separate systems. Test the backups from time-to-time to ensure they are reliable.

• Patch and update your systems. Keep operating systems, software applications, and security software up to date with the latest patches and security updates. This helps protect against known vulnerabilities that ransomware might exploit.

• Implement security measures. Use robust security solutions, including firewalls, antivirus and anti-malware software, intrusion detection systems, and email filters. Regularly update and configure these solutions for maximum effectiveness. Make sure you have a cyber security solution that can continuously monitor your attack surface for new and emerging vulnerabilities.

• Keep your people educated and aware. Train everyone with access to your network and systems to identify and avoid phishing emails, suspicious attachments, or links. Teach them about safe browsing habits and the importance of being cautious with unsolicited and unexpected messages.

• Follow the principle of least privilege. Restrict permissions to what is necessary for the user to do their job. Regularly review and revoke unnecessary access rights.

• Implement network segmentation. Isolate critical systems and data, because that will limit the lateral movement of ransomware within the network.

• Develop and test an incident response and recovery plan. Make sure that it outlines the steps to be taken in case of a ransomware attack. This includes isolating infected systems, notifying appropriate authorities, and restoring operations from backups.

• Use a security solution you can trust, backed by award-winning technology and 30 years’ experience in managing risk for some of the largest organisations in the world’s most complex sectors.