Decoding the Anatomy of a Ransomware Attack

Ransomware is a multi-stage problem that requires a multi-stage solution to effectively contain the attack at any stage. A typical ransomware attack goes through six distinct stages, and deconstructing each of these can help organizations strengthen their preparation and response strategies.
Anatomy of a Ransomware Attack

Ransomware attacks are increasing in size, frequency and complexity, with threat actors resorting to more aggressive methods, developing cross-platform functionality to be highly adaptive, and adding new toolsets to launch targeted attacks. Ransomware cost the world $20 billion in 2021, and this is expected to rise to $265 billion by 2031 [1]. What’s more alarming are the industry estimates which predict that ransomware will attack a business, consumer or device every 2 seconds by 2031, up from every 11 seconds in 2021 [1].

Ransomware is a multi-stage problem, requiring a multi-stage solution to effectively contain the attack at any stage. Understanding the anatomy of a ransomware attack therefore becomes essential to prepare for and respond to such events. A typical ransomware attack goes through six distinct stages, and deconstructing each of these can help organizations strengthen their preparation and response strategies.

  1. Infiltration: The first stage is when the attacker infiltrates the systems. This can be done in several ways, such as sending phishing emails, setting up malicious websites, exploiting weaknesses in RDP connections, attacking software vulnerabilities directly or employing zero-day exploits. Publicly exposed web applications and vulnerable network devices, such as VPN gateways and RDP endpoints, are exploited to infiltrate the network. Servers and endpoints are also impacted in this stage.

  2. Account Compromise: Once the infiltration is complete, the next stage is when an account is compromised. This usually involves a local user or admin account, typically in cases where the same local and admin passwords are reused across the organization. The malicious code will set up a communication line back to the attacker, who may download additional malware over it. At this point, the ransomware may lie hidden and dormant for days, weeks, or months before the attacker chooses to initiate the attack. Often, organizations are completely unaware that their systems are compromised, and the attacker can wait for the optimal time to unleash the attack.

  3. Privilege Escalation: The third phase in the ransomware attack cycle is Privilege Escalation – a type of network attack used to gain unauthorized access to systems within a security perimeter. The most exploited service for executing this is Active Directory, commonly referred to as the ‘Keys to the Kingdom’. If Active Directory is compromised, attackers can gain access to domain admin/enterprise admin credentials, making it easy for ransomware actors to penetrate further into the network. Effective detection mechanisms are critical to prevent AD compromise. Deploying a robust Privileged Access Management (PAM) solution along with an effective endpoint detection and response (EDR) tool can help prevent AD compromise.

  4. Lateral Movement: On successful completion of privilege escalation, the ransomware actors move on to lateral movement. They can now move freely within the environment across servers, virtual platforms and databases, and reach the cloud and backup storage. Once they have obtained authority and presence within the digital estate, they progress to the final stages of the attack. Modern ransomware has built-in functions that allow it to search automatically for stored passwords and spread through the network. More sophisticated strains are designed to build themselves differently in different environments, so the signature is constantly changing, making it harder for legacy solutions to detect.

  5. Data Exfiltration: The fifth phase in the attack is data exfiltration, which is often a blend of data theft and extortion. A ransomware actor compromises an organization’s defenses and exfiltrates sensitive data of measurable value – financial records, intellectual property, trade secrets, business data, and so on. After offering the data for sale on the dark web to establish its value, the attacker then contacts the victim and demands a payment to prevent a sale. The attacker’s leverage in this case is the significant reputational damage, potential regulatory fines, and other fallout that would result from the data’s release. A dangerous trend that is becoming widespread is triple extortion, wherein after extracting ransom from victim organizations, the ransomware actors reach out to the victims’ clients and demand ransom from them as well.

  6. Data Encryption: The final phase in the kill chain is data encryption, wherein the threat actors steal and encrypt the confidential assets of victims to extort money. Traditionally, ransomware encrypts the victim’s data and holds the decryption key for ransom. In recent times, though, it is common for ransomware campaigns to also exfiltrate victims’ data for extortion. This approach is becoming increasingly popular because it gives victims two reasons to pony up the ransom: they need to both regain access to their files and attempt to prevent leaks of their data.
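As an added illustration (not code from the original post or from SISA), the following Python script runs two simple stage indicators over a constructed endpoint event log: a burst of file renames to a single new extension by one account on one host (the encryption stage) and one account authenticating to many distinct hosts inside a short window (lateral movement). The log format, hostnames, usernames, thresholds and the 60-second window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window for both detectors
# Constructed sample log (not real data): "ISO-timestamp|host|user|event|detail".
SAMPLE_LOG = [
    f"2024-01-15T02:00:{i:02d}|FS01|svc_backup|FILE_RENAME|/share/doc{i}.docx -> doc{i}.docx.locked"
    for i in range(12)  # 12 renames to one new extension within 11 seconds
] + [
    f"2024-01-15T02:01:{10 * i:02d}|{h}|jdoe|LOGON|type=3 src=10.0.0.5"
    for i, h in enumerate(["FS01", "DB02", "APP03", "DC01"])  # one account, four hosts
] + ["2024-01-15T02:00:05|WS07|asmith|FILE_RENAME|/home/asmith/draft.txt -> final.txt"]
def parse_event(line):
    """Split one log line into its five fields; the timestamp becomes a datetime."""
    ts, host, user, event, detail = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "detail": detail}
def rename_bursts(events, min_count=10):
    """Encryption-stage indicator: one user on one host renames >= min_count files to the same new extension inside WINDOW."""
    keyed = defaultdict(list)  # (host, user, new_extension) -> rename timestamps
    for e in events:
        if e["event"] == "FILE_RENAME":
            keyed[(e["host"], e["user"], e["detail"].rsplit(".", 1)[-1])].append(e["ts"])
    hits = []
    for key, stamps in keyed.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= min_count:
                hits.append(key)
                break
    return hits

def lateral_logon_fanout(events, min_hosts=3):
    """Lateral-movement indicator: one account authenticates to >= min_hosts distinct hosts inside WINDOW."""
    per_user = defaultdict(list)  # user -> [(timestamp, host)]
    for e in events:
        if e["event"] == "LOGON":
            per_user[e["user"]].append((e["ts"], e["host"]))
    hits = []
    for user, logons in per_user.items():
        logons.sort()
        for i, (ts, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - ts <= WINDOW}
            if len(hosts) >= min_hosts:
                hits.append((user, sorted(hosts)))
                break
    return hits
```

Both detectors are deliberately threshold-based, so tune `min_count`, `min_hosts` and `WINDOW` against a baseline of normal activity before alerting on them.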

Ransomware attacks are getting more targeted in scope and disruptive in impact as attackers constantly up the offensive using an expanded toolset, emerging technologies, and new operating models. Addressing the threat of ransomware therefore requires adopting a multi-layered approach that includes securing critical infrastructure, viz., Active Directory, backups, network, cloud and Office 365. Enabling multi-factor authentication (MFA), deploying a robust endpoint detection and response (EDR) tool, implementing network segmentation and least-privilege access, and running compliance audits, vulnerability scans and penetration tests are some of the recommended best practices that can help organizations protect against ransomware attacks.

To learn more about ransomware attacks and prevention strategies, watch our on-demand webinar on Outsmart Ransomware with SISA’s Key Prevention and Response Strategies or request a Ransomware Prevention Learning Session.