There are several key phases to a ransomware attack:
- initial intrusion
- period of reconnaissance inside the victim’s systems
- execution of encryption and exfiltration of data
- ransom demands
A ransomware attack isn’t a single event. It is a series of events designed to disrupt and disable systems, and to force organizations to pay large sums to recover data and get back online. By walking through 7 distinct stages of a ransomware attack, we can better understand the scope of the ransomware threat and why having the right recovery plan in place is critical.
The Calm Before the Storm
The first 3 stages of a ransomware attack can happen without you ever seeing it coming. Prevention is important to intercede where possible, but these attacks are designed to target systems where they are most vulnerable, often starting with users.
Stage 1 – Initiation of the Attack
This first stage is where the attacker sets up the ransomware to infiltrate your system. This can be done in several ways such as by sending out phishing email attacks, setting up malicious websites, exploiting weaknesses in RDP connections, or attacking software vulnerabilities directly. The more users your organization has, the more vulnerable you are to a user-targeted attack like phishing, malicious websites, or a combination of these. It only takes one user to make a mistake and execute the ransomware code, infiltrating the system.
Stage 2 – Instantiation
The second stage occurs once the ransomware has infiltrated your system. The malicious code will set up a communication line with the attacker. The ransomware attacker may download additional malware using this communication line. At this point, the ransomware may lay hidden and dormant for days, weeks, or months before the attacker chooses to initiate the attack. The ransomware may try to move laterally across other systems in your organization to access as much data as possible. Many ransomware variants also target backup systems to eliminate the chance for you as the victim to restore data. You could be completely unaware that your systems are compromised, with the attacker waiting for the optimal time to unleash the attack.
Stage 3 – Activation
The third stage is when the attacker activates or executes the ransomware attack remotely. This can happen at any time the attacker chooses and can catch your organization completely off guard. Once the attack has begun, it can be a race against time for your organization to even identify that the attack is occurring so that mitigation and recovery efforts may go into action.
The Storm
Once an attack has been activated, your system and data are in jeopardy. Without a plan in place to mitigate the attack and achieve recovery, downtime can stretch from hours to days or even weeks. This might result in financial and reputational damage, sometimes unrecoverable.
Stage 4 – Encryption
Ransomware holds data hostage through encryption. Different ransomware variants use different encryption methods which range from encrypting the master boot record of a file system to encrypting individual files or entire virtual machines. Ransomware that also targets backup systems may delete or encrypt the backups to prevent recovery. Decrypting the data is highly unlikely, so your organization will have three choices: lose the data, recover from a replica or backup, or pay the ransom.
Stage 5 – Ransom Request
At this stage, you’re officially the victim and the ransomware has encrypted your data. You’re presented with information on how to pay a ransom via a cryptocurrency transaction. Depending on what data the ransomware was able to encrypt, not only will data be inaccessible, but applications and entire systems can be disabled by the encryption. Operations can be severely impacted without access to data or services.
Stage 6 – Recovery or Ransom
This is the stage where many of the organizations we’ve seen in the news experienced impacts of significant downtime or disruption, potentially choosing to pay a ransom as a result. Without an effective recovery method, even if the data can be at least partially recovered, the cost of doing so may exceed the cost of paying the ransom. However, if your organization has an effective recovery plan in place, you may be able to recover the data quickly with minimal disruption and face no need to pay a ransom, eliminating the negative publicity of downtime and paying an exorbitant ransom.
Stage 7 – Clean Up
Paying a ransom or even recovering data from a backup or replica does not necessarily eliminate the ransomware on the system. The malicious files and code may still be present and need to be removed. The attack itself will likely reveal the type of ransomware and make it easier to locate and purge from the system. If necessary, systems can be recovered in an isolated network to clean up the malware without risking re-activation. Once the malware has been cleaned up, the system can be returned to normal operation.
Taking Control
There are three key stages at which organisations can interrupt this process and can focus on reducing risk and managing continuity.
Stage 1 – Initiation of the Attack
Stopping the attack before it starts increases the ability to resist attacks by improving cyber hygiene and increasing protection.
Stage 3 – Activation
Managing and reducing the impact of any successful attack by creating firebreaks to ensure attacks do not spread into key data sources.
Stage 6 – Recovery or Ransom
Establishing a recovery plan that ensures any attacker can’t control ALL data sources, and that recovery can be started from a fresh and clean environment.
Plan with Vivid Adapt
Ransomware attacks are everchanging and will continue to infiltrate systems despite the best efforts of prevention and damage limitation. Vivid Adapt’s point of view on your security position through the eyes of a hacker will help you understand what ransomware attacks are designed to do, having created a range of solutions and assessments to fully understand what an organisation’s capabilities are across the 7 stages of an attack.
Vivid Adapt is a European Managed Security Services provider with offices across Europe. If you are interested in improving your Security systems please contact us using the form found at the bottom of the page or email us at info@vividadapt.com.