Ransomware is a serious issue for companies all over the world. From SMBs and startups to multinational enterprises, this particular cybercrime affects organizations of all sizes in every industry. Simply put, ransomware affects everybody.
This is why it is such a prominent subject for cybersecurity specialists – and has been for a while. However, in line with changing times and emerging technologies, ransomware has adapted to the digital age and taken on new forms. This makes it harder to prevent an attack in the first place, and all the more difficult to deal with the fallout.
According to the World Economic Forum, malware increased by 358% in 2020, while ransomware increased by 435% [1]. But despite its growing prevalence in the cybersecurity culture of today, there are still many misconceptions about it. Many organizations are unaware of the precise nature of a ransomware attack and have little understanding of how ransomware operators work.
In this paper, we will explore the technical aspects that underpin a typical ransomware attack, while also exploring how modern organizations can minimize the threat landscape and react to ransomware incidents in a swift and effective manner.
Far from being a fringe form of cybersecurity attack that only affects the largest global organizations, ransomware has evolved to become a threat to all companies across all industries. Wherever there is data, there is an opportunity for a ransomware attacker to exploit key assets and information, often to devastating effect.
Ransomware has been around since the introduction of the very first personal computers. In fact, the concept of stealing data or information and using it to extort money predates the invention of personal computers. That said, with the growing complexity of IT systems and computer networks, the opportunities and rewards for ransomware attackers have increased significantly. Today’s threat landscape is unprecedented, leaving companies more vulnerable than ever.
There is no doubt that ransomware is currently one of the most serious cyber threats to organizations, both large and small. In 2022, ransomware continued to rise, with a 13% increase, a rise as big as the previous five years combined [2]. It is also estimated that ransomware was used in approximately 70% of malware breaches in 2022 [2].
The evolution of ransomware attacks has led to this particular form of cyberattack being weaponized as a service. Ironically, attackers have used the business models of the companies they attack as inspiration to form a professionalized ransomware service.
Emerging in the years of digital transformation, ransomware as a service (RaaS) borrows the software as a service (SaaS) business model to offer services that can target organizations from any sector in any part of the world. These RaaS operators often take a large cut of the extortion money in return for an expert service that targets a company’s most vulnerable data. Some only license their ransomware software to be used by third parties, while others carry out the entire ransomware attack themselves.
Fortunately, with increasingly sophisticated forms of ransomware defense employed by third-party cybersecurity experts, such as MDR service providers, the impact of RaaS is diminishing.
It is useful to take the complex idea of a ransomware attack and simplify it in order to understand how attackers operate. With that in mind, here are the three pillars used by ransomware attackers:
There are various pathways through which an attacker can operate in order to gain entry to an organization’s systems. They are as follows:
Many modern ransomware attacks now happen via RDP, a communications protocol that allows a remote IT admin to gain access to systems. The use of RDP has grown sharply since the pandemic, along with the significant increase in remote workers. Ransomware attackers have capitalized on this opportunity, which explains why 40% of all ransomware attacks now take place via RDP [2]. SMBs and startups are most at risk from RDP ransomware, and attackers often exploit vulnerabilities arising from unpatched applications or weak user passwords.
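As an added example (not from the original paper), the script below runs a simple detection for password guessing against RDP over constructed Windows Security event lines: repeated failed logons (event 4625, logon type 10) from one source, and a successful RDP logon (event 4624) that follows such a burst. The CSV field layout, the threshold and the sample addresses are assumptions.

```python
"""Added example (not from the original paper): detect password guessing against
RDP in Windows Security events. Assumes CSV-style lines with fields
timestamp,event_id,logon_type,user,source_ip; the sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-05-01T08:00:01,4625,10,admin,203.0.113.7
2024-05-01T08:00:02,4625,10,administrator,203.0.113.7
2024-05-01T08:00:03,4625,10,backup,203.0.113.7
2024-05-01T08:00:04,4625,10,jsmith,203.0.113.7
2024-05-01T08:00:05,4625,10,jsmith,203.0.113.7
2024-05-01T08:00:09,4624,10,jsmith,203.0.113.7
2024-05-01T08:15:00,4625,10,mlee,198.51.100.4
2024-05-01T09:30:00,4624,10,mlee,198.51.100.4
"""

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts (kind, source_ip, user): one when a source reaches
    `threshold` RDP failures inside `window`, and one for every successful
    RDP logon from a source that was already flagged."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts_s, event_id, logon_type, user, src = line.split(",")
        if logon_type != "10":       # only RDP (RemoteInteractive) logons
            continue
        ts = datetime.fromisoformat(ts_s)
        if event_id == "4625":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, user))
        elif event_id == "4624" and src in flagged:
            # a success from a source that was just guessing passwords
            alerts.append(("rdp_success_after_bruteforce", src, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 198.51.100.4 followed by a success is ordinary user behaviour and produces no alert; only the burst from 203.0.113.7 and its subsequent success are reported.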
Before the rise of remote working led to a rapid increase in RDP ransomware, the most common pathway to access was through email. Email ransomware still accounts for 35% of all ransomware attacks [2], principally in the form of phishing email campaigns. And while many companies are becoming wise to the tricks employed by cybercriminals who use phishing, the TTPs are becoming increasingly sophisticated.
According to Verizon, web applications are the biggest attack vector in use when it comes to hacking – over 70% of actions are carried out through web applications [2]. This shows the importance of securing web applications in order to defend against ransomware and other types of malware.
Let’s take a look at the various stages that comprise a ransomware attack, from the conceptual stage all the way through to the ransomware demand and the fallout.
Before any action is taken, the cyberattacker will carry out detailed research and reconnaissance of the intended victim. This preliminary stage consists of various techniques to actively or passively gain information that will form the foundations of the ransomware attack.
The information that is used to leverage the attack can be separated into two distinct forms:
Cyberattackers use sophisticated tools to probe into the infrastructure of an organization. These active scans look to pinpoint vulnerabilities they can exploit, either in order to gain initial access, to increase the scope of the attack, or to maximize the ransom demand.
The attacker gathers important information on the victim. This information can take many forms. For example, it could be host information, such as configuration data and administrative data. It could also be network information, like DNS, domain names, and IP addresses. Or finally, it may be key identity information, including employee names and email addresses.
An attacker may even go deeper in their victim reconnaissance efforts to gain initial access. They could research the personal details of a major stakeholder (a CEO, for example), looking through social media to gather vital details they can use in a phishing campaign.
This stage consists of techniques that use various attack vectors to gain entry to the system. These could be any of the following:
Initial access through phishing emails is very common, as it can circumvent technical controls and use human error to gain entry. Attackers that have done extensive research can create an authentic-looking scam to gain leverage. This is known as a form of ‘social engineering.’
One common phishing technique is to buy a domain name similar to that of the company and set up an email address almost identical to that of the CEO. The attacker will then send an email adopting the same tone of voice in order to act as the CEO, attaching a PDF file for download (quarterly objectives, for example), or instructions to click on a link. Once employees click on the file or link, malicious code is executed on the victims’ systems and the attacker gains entry.
Targeted phishing campaigns remain the number one initial access concern for large companies. As they tend to have invested heavily in technology and have good security controls in place, targeting human vulnerabilities is the most effective method.
A common entry point for ransomware attackers targeting SMBs, remote services such as RDP and VPNs enable admins to access the internal network from an external location. Remote service gateways manage connections and authentication for remote services and are often poorly secured and open to exploitation.
Attackers may use credentials obtained through other measures to bypass access controls and gain entry to a valid account within the network. From here, they can increase privileges and infiltrate restricted areas of the network. As legitimate credentials are used, it can be harder to detect the presence of bad actors.
Once the ransomware attacker has gained entry, the next stage is to gain as much useful knowledge about the system as possible. They map the victim network by exploring, observing, and navigating their way around the infrastructure, before deciding how and when to act. During the discovery stage, an attacker will try to establish a foothold on systems beyond the initial access machine to ensure they don’t lose access to the system soon after entry.
Attackers attempt to find a list of accounts within the system or environment, including local, domain, email, and cloud accounts. They use these to ascertain which accounts are best to aid lateral movement throughout the system.
Cybercriminals will aim to discover resources such as instances and virtual machines within an infrastructure-as-a-service (IaaS) cloud environment.
Information obtained from files and directories can inform the ransomware attackers of which actions to take to execute and expand the ransomware.
Once the adversary has gained access and mapped out the system, they begin to run code and spread throughout the system.
The cyberattacker employs several techniques to embed the ransomware into the infrastructure. They might abuse command and script interpreters in order to execute commands, scripts, or binaries, exploit vulnerabilities in applications, or deploy a container into the system to execute malicious code and bypass defenses.
The adversaries will work hard to get a foothold on the system and evade defense mechanisms that could cut off access. Making access and configuration changes will enable them to maintain access to the system.
Expanding throughout the system through lateral movement is a key tactic in an effective ransomware attack. Attackers look to install specific tools to navigate the network and expand their reach, while also evading detection.
Finding ways to access higher-level permissions within a system is another major tactic employed by ransomware attackers. While unprivileged access may enable research and discovery, attackers will usually need escalated privileges to access the most valuable assets.
Once the adversary has gained a sufficient foothold within the system, they will attempt to extract the data in order to extort their victim.
An attacker uses automation tools to collect internal data from the victim’s system or network. Within a cloud-based environment, these can be APIs, ETL services (extract, transform, and load), or command line interfaces.
This stage is the act of stealing data from within the system. Data is often packaged before it is stolen. This can involve compressing the data into an easy-to-extract form or encrypting it to prevent the victims from accessing it.
Besides stealing data from the victim, adversaries can also employ techniques to alter or destroy data for maximum impact. The impact stage is crucial to obtaining the ransom and acts as the pivotal piece that the attacker hopes will influence the victim to pay up. Impact techniques include:
The attacker encrypts data on the system to interrupt operations and cause panic throughout the company. The offering of a decryption key upon payment of a ransom is then used to gain leverage.
They might also destroy or threaten to destroy important data within the system or network. By overwriting the files, this data is rendered unrecoverable even by forensic recovery techniques.
Attackers alter data or threaten to do so, aiming to cause reputational damage to a company.
DoS (denial of service) attacks can be used to reduce the capacity of network resources by depleting critical network bandwidth.
The final stage is the actual demand for ransom, together with the after-effects of the ransomware attack.
The ransom demand is created when the ransomware encrypts files or exfiltrates information. The demand will specify the payment amount and other details. Attackers might also request additional funds to prevent the release of sensitive information (double extortion) and even extort customers once they have stolen their details (triple extortion).
While the ransom payment itself may be a big blow to the victim, it is estimated that the resulting operational downtime and reputational damage caused by a ransomware attack can be 10 to 15 times greater than the actual ransom amount [3].
There are three key pillars to building an effective defense strategy against ransomware attacks. These are people, processes, and technology.
Without the right technological tools in place, ransomware attackers can easily bypass a system’s security defenses. Equally, the right processes need to be in place to ensure the organization has minimized vulnerabilities in the system. Even with these two pillars in place, without human expertise, organizations leave themselves open to ransomware attacks.
Below are the most important aspects of an effective approach to ransomware attacks.
It is important to ensure an organization has adequately trained its team to know what to look out for in a phishing attack. This is particularly important for larger companies that have defense mechanisms in place, as it is the main route of attack for adversaries.
Teams can benefit from the insights of cybersecurity experts, such as MDR providers, who can share knowledge, build awareness, and instill good cybersecurity habits.
Keeping your software up to date is crucial when minimizing weak points within the infrastructure. Failure to update applications will make your system vulnerable, and modern ransomware attackers can pinpoint these vulnerabilities using sophisticated tools and technologies.
Vulnerabilities in cloud-based systems are harder to exploit, but there are many techniques you can use to protect your cloud’s security infrastructure. Cloud storage also enables you to back up and restore data.
Adopting a zero-trust strategy gives organizations comprehensive control and a 360° view of their infrastructure. It also enables security leaders to design a privileged access mechanism to specifically limit the number of users and control their movements across the network. Zero trust models also require authentication and verification for every session.
Privileged accounts are a key target for ransomware attackers and, therefore, should be afforded greater protection. Using privileged access management (PAM) solutions helps to ensure high-level privileged account protection, safeguarding an organization’s most valuable assets.
Securing Active Directory means eliminating domains with questionable security, even if they are considered secure by the organization. Establishing an advanced auditing mechanism is key to ensuring that required domain activities are performed in accordance with cybersecurity protocols.
If you have a backup of the data that is locked out or stolen, the ransomware attacker has far less leverage. You should have multiple backups in case one becomes corrupted. There are multiple ways to back up data – a mix of the following is ideal:
Limit how freely an attacker can move throughout the network once they have gained access by segmenting the network at the SMB, RPC, and RDP level.
There are many processes that make up a system or infrastructure. Taking care to design these processes in a way that reduces the attack surface and prevents easy access is crucial. From patch management systems to advanced email security software, organizations need to reduce vulnerabilities to prevent opportunities for ransomware attackers.
In the event of an attack, every team member and external third-party collaborator needs to be part of a clear and focused response strategy. MDR specialists can set up a response plan that is tailored to the requirements of an organization.
The key to minimizing the threat of ransomware attacks is to leverage managed detection and response (MDR) services. Using a blend of human intelligence and innovative technological solutions, Ackcent’s MDR services can provide fundamental protection from ransomware attacks, with a 24x7x365 service that keeps companies covered around the clock.
MDR minimizes and mitigates ransomware threats through four pillars of cybersecurity: prepare, protect, detect, and respond. By preparing for the event of ransomware attacks, with robust strategies and plans in place; protecting your infrastructure through correct processes, tools, and procedures; detecting anomalous behavior using cutting-edge tools and technologies; and responding to incidents using experience and expertise, we help companies from multiple sectors combat the threat of modern ransomware attacks.
Contact us today to find out more about Ackcent’s expert cybersecurity protection services.
References