
Anatomy of a Modern Ransomware Attack

Ransomware is a serious issue for companies all over the world. From SMBs and startups to multinational enterprises, this particular cybercrime affects organizations of all sizes in every industry. Simply put, ransomware affects everybody. 

This is why it is such a prominent subject for cybersecurity specialists – and has been for a while. However, in line with changing times and emerging technologies, ransomware has adapted to the digital age and taken on new forms. This makes it harder to prevent an attack in the first place, and all the more difficult to deal with the fallout.

According to the World Economic Forum, malware increased by 358% in 2020, while ransomware increased by 435% [1]. But despite its growing prevalence in the cybersecurity culture of today, there are still many misconceptions about it. Many organizations are unaware of the precise nature of a ransomware attack and have little understanding of how ransomware operators work. 

In this paper, we will explore the technical aspects that underpin a typical ransomware attack, while also exploring how modern organizations can minimize the threat landscape and react to ransomware incidents in a swift and effective manner.  

Ransomware attacks in the modern era

Far from being a fringe form of cybersecurity attack that only affects the largest global organizations, ransomware has evolved to become a threat to all companies across all industries. Wherever there is data, there is an opportunity for a ransomware attacker to exploit key assets and information, often to devastating effect.

Ransomware has been around since the introduction of the very first personal computers. In fact, the concept of stealing data or information and using it to extort money predates the invention of personal computers. That said, with the growing complexity of IT systems and computer networks, the opportunities and rewards for ransomware attackers have increased significantly. Today’s threat landscape is unprecedented, leaving companies more vulnerable than ever.

There is no doubt that ransomware is currently one of the most serious cyber threats to organizations, both large and small. In 2022, ransomware continued to rise, with a 13% increase, a jump as large as the previous five years combined [2]. It is also estimated that ransomware was used in approximately 70% of malware breaches in 2022 [2].

The evolution of ransomware attacks has led to this particular form of cyberattack being weaponized as a service. Ironically, attackers have used the business models of the companies they attack as inspiration to form a professionalized ransomware service.

Ransomware as a service

Emerging in the years of digital transformation, ransomware as a service (RaaS) adapts the software as a service (SaaS) business model to offer services that can target organizations from any sector in any part of the world. These RaaS operators often take a large cut of the extortion money in return for an expert service that targets a company’s most vulnerable data. Some only license their ransomware software for use by third parties, while others carry out the entire ransomware attack themselves.

Fortunately, with increasingly sophisticated forms of ransomware defense employed by third-party cybersecurity experts, such as MDR service providers, the impact of RaaS is diminishing.

Key pillars of a ransomware attack

It is useful to take the complex idea of a ransomware attack and simplify it in order to understand how attackers operate. With that in mind, here are the three pillars used by ransomware attackers:

  • Tactics: The objectives that attackers are attempting to achieve and the subgoals that make up the overall goal of the attack.
  • Techniques: The specific ways in which attackers operate to achieve their goals and subgoals.
  • Procedures: The tools used during the ransomware attack and the details that define the entire operation.

How ransomware finds its way into a system

There are various pathways through which an attacker can gain entry to an organization’s system. The main ones are as follows:

Remote desktop protocol (RDP)

Many modern ransomware attacks now happen via RDP, a communications protocol that allows a remote IT admin to gain access to systems. The use of RDP has grown exponentially since the pandemic, along with the significant increase in remote workers. Ransomware attackers have capitalized on this opportunity, which explains why 40% of all ransomware attacks now take place via RDP [2]. SMBs and startups are most at risk from RDP ransomware, and attackers often exploit vulnerabilities arising from unpatched applications or weak user passwords.
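Weak passwords on exposed RDP are typically found by guessing, which leaves a dense run of failed logons in the Windows Security log. The detection below is an added example (not from the original paper) that flags a source IP with repeated failed RDP logons and notes whether a successful logon from the same IP followed; it assumes the events have already been parsed into the dict fields shown, and the sample events are constructed.

```python
"""Detect RDP password guessing from Windows Security log events (added example,
not from the original paper). Assumes events are already parsed into dicts with
the fields shown; the sample events are constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10   # LogonType 10 = RemoteInteractive, i.e. an RDP session
EVT_LOGON_FAILED = 4625
EVT_LOGON_SUCCESS = 4624


def _evt(time, event_id, logon_type, user, src_ip):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src_ip}


# Constructed sample (not real log data): 203.0.113.7 tries five passwords over
# RDP and then gets in; 198.51.100.9 is one mistyped password by a real user.
SAMPLE_EVENTS = [
    _evt("2024-03-01T02:10:05", 4625, 10, "administrator", "203.0.113.7"),
    _evt("2024-03-01T02:10:09", 4625, 10, "administrator", "203.0.113.7"),
    _evt("2024-03-01T02:10:14", 4625, 10, "admin", "203.0.113.7"),
    _evt("2024-03-01T02:10:20", 4625, 10, "backup", "203.0.113.7"),
    _evt("2024-03-01T02:10:27", 4625, 10, "backup", "203.0.113.7"),
    _evt("2024-03-01T02:11:02", 4624, 10, "backup", "203.0.113.7"),
    _evt("2024-03-01T09:00:00", 4625, 10, "jdoe", "198.51.100.9"),
    _evt("2024-03-01T09:00:30", 4624, 10, "jdoe", "198.51.100.9"),
    _evt("2024-03-01T09:05:00", 4625, 3, "svc", "203.0.113.7"),  # network logon, not RDP
]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP with >= threshold failed RDP logons inside
    `window`: the failure count in the densest window, the usernames tried, and
    whether a successful RDP logon from the same IP followed within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e))
    alerts = []
    for ip, entries in by_ip.items():
        entries.sort(key=lambda t: t[0])
        fails = [t for t in entries if t[1]["event_id"] == EVT_LOGON_FAILED]
        best = None
        for i, (start, _) in enumerate(fails):
            burst = [t for t in fails[i:] if t[0] - start <= window]
            if len(burst) >= threshold and (best is None or len(burst) > len(best)):
                best = burst
        if best is None:
            continue
        last_fail = best[-1][0]
        success_after = any(ev["event_id"] == EVT_LOGON_SUCCESS
                            and last_fail <= ts <= last_fail + window
                            for ts, ev in entries)
        alerts.append({"src_ip": ip, "failures": len(best),
                       "users_tried": sorted({ev["user"] for _, ev in best}),
                       "success_after": success_after})
    return alerts
```

A `success_after` of `True` is the case to escalate first: the account named in the 4624 event should be treated as compromised until the session is reviewed.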

Email

Before the rise of remote working led to a rapid increase of RDP ransomware, the most common pathway to access was through email. Email ransomware still accounts for 35% of all ransomware attacks [2], principally in the form of phishing email campaigns. And while many companies are becoming wise to the tricks employed by cybercriminals who use phishing, the TTPs are becoming increasingly sophisticated. 

Web application 

According to Verizon, web applications are the biggest attack vector in use when it comes to hacking – over 70% of actions are carried out through web applications [2]. This shows the importance of securing web applications in order to defend against ransomware and other types of malware.

Stages of a ransomware attack

Let’s take a look at the various stages that comprise a ransomware attack, from the conceptual stage all the way through to the ransomware demand and the fallout. 

1. Reconnaissance

Before any action is taken, the cyberattacker will carry out detailed research and reconnaissance of the intended victim. This preliminary stage consists of various techniques to actively or passively gain information that will form the foundations of the ransomware attack. 

The reconnaissance work that underpins the attack takes two distinct forms:

Active scanning

Cyberattackers use sophisticated tools to probe into the infrastructure of an organization. These active scans look to pinpoint vulnerabilities they can exploit, either in order to gain initial access, to increase the scope of the attack, or to maximize the ransom demand.

Compiling victim information

The attacker gathers important information on the victim. This information can take many forms. For example, it could be host information, such as configuration data and administrative data. It could also be network information, like DNS, domain names, and IP addresses. Or finally, it may be key identity information, including employee names and email addresses. 

An attacker may even go deeper in their victim reconnaissance efforts to gain initial access. They could research the personal details of a major stakeholder (a CEO, for example), looking through social media to gather vital details they can use in a phishing campaign. 

2. Initial access 

This stage consists of techniques that use various attack vectors to gain entry to the system. These could be any of the following:

Phishing

Initial access through phishing emails is very common, as it can circumvent technical controls and use human error to gain entry. Attackers who have done extensive research can create an authentic-looking scam to gain leverage. This is a form of ‘social engineering.’

One common phishing technique is to buy a domain name similar to that of the company and set up an email address almost identical to that of the CEO. The attacker will then send an email adopting the same tone of voice in order to act as the CEO, attaching a PDF file for download (quarterly objectives, for example), or instructions to click on a link. Once employees click on the file or link, malicious code is executed on the victims’ systems and the attacker gains entry.

Targeted phishing campaigns remain the number one initial access concern for large companies. As they tend to have invested heavily in technology and have good security controls in place, targeting human vulnerabilities is the most effective method.

Remote services

A common entry point for ransomware attackers targeting SMBs, remote services such as RDP and VPNs enable admins to access the internal network from an external location. Remote service gateways manage connections and authentication for remote services and are often poorly secured and open to exploitation.

Valid accounts

Attackers may use credentials obtained through other measures to bypass access controls and gain entry to a valid account within the network. From here, they can increase privileges and infiltrate restricted areas of the network. As legitimate credentials are used, it can be harder to detect the presence of bad actors.

3. Discovery

Once the ransomware attacker has gained entry, the next stage is to gain as much useful knowledge about the system as possible. They map the victim network by exploring, observing, and navigating their way around the infrastructure, before deciding how and when to act. During the discovery stage, an attacker will try to establish a foothold on systems beyond the initial access machine to ensure they don’t lose access to the system soon after entry.

Accounts

Attackers attempt to find a list of accounts within the system or environment, including local, domain, email, and cloud accounts. They use these to ascertain which accounts are best to aid lateral movement throughout the system.

Cloud infrastructure

Cybercriminals will aim to discover resources such as instances and virtual machines within an infrastructure-as-a-service (IaaS) cloud environment.  

Files and directories

Information obtained from files and directories can inform the ransomware attackers of which actions to take to execute and expand the ransomware.

4. Execution and expansion

Once the adversary has gained access and mapped out the system, they begin to run code and spread throughout the system.

Running malicious code

The cyberattacker employs several techniques to embed the ransomware into the infrastructure. They might abuse command and script interpreters in order to execute commands, scripts, or binaries, exploit vulnerabilities in applications, or deploy a container into the system to execute malicious code and bypass defenses.

Maintain persistence

The adversaries will work hard to get a foothold on the system and evade defense mechanisms that could cut off access. Making access and configuration changes will enable them to maintain access to the system.

Lateral movement

Expanding throughout the system through lateral movement is a key tactic in an effective ransomware attack. Attackers look to install specific tools to navigate the network and expand their reach, while also evading detection. 

Privilege escalation

Finding ways to access higher-level permissions within a system is another major tactic employed by ransomware attackers. While unprivileged access may enable research and discovery, attackers will usually need escalated privileges to access the most valuable assets.   

5. Collection and exfiltration

Once the adversary has gained a sufficient foothold within the system, they will attempt to extract the data in order to extort their victim. 

Collection

An attacker uses automation tools to collect internal data from the victim’s system or network. Within a cloud-based environment, these can be APIs, ETL services (extract, transform, and load), or command line interfaces.

Exfiltration

This stage is the act of stealing data from within the system. Data is often packaged before it is stolen. This can involve compressing the data into an easy-to-extract form or encrypting it to prevent the victims from accessing it.

6. Impact

Besides stealing data from the victim, adversaries can also employ techniques to alter or destroy data for maximum impact. The impact stage is crucial to obtaining the ransom and acts as the pivotal piece that the attacker hopes will influence the victim to pay up. Impact techniques include:

Encryption

The attacker encrypts data on the system to interrupt operations and cause panic throughout the company. The offering of a decryption key upon payment of a ransom is then used to gain leverage.

Destruction

They might also destroy or threaten to destroy important data within the system or network. This data is rendered unrecoverable by overwriting the files, so that forensic recovery techniques cannot restore them.

Defacement

Attackers alter data or threaten to do so, aiming to cause reputational damage to a company.

Network denial of service

DoS (denial of service) attacks can be used to reduce the capacity of network resources by depleting critical network bandwidth.
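The encryption technique above has a recognizable footprint on the endpoint: one process rewriting many files, in many directories, with an unfamiliar extension and near-random content. The example below is added here (it is not from the original paper) to show detection logic over such file-write telemetry; it assumes an EDR or audit feed that reports the writing process, the path and the first bytes written, and the events are constructed.

```python
"""Detect mass file encryption from endpoint file-write telemetry (added example,
not from the original paper). Assumes an EDR/audit feed giving, per write, the
process, the path and the first bytes written; sample events are constructed."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".zip"}
HIGH_ENTROPY = 7.0  # bits per byte; ciphertext sits close to 8.0

# Constructed contents: plain text versus a byte permutation that looks like
# ciphertext (every byte value appears once, so its entropy is exactly 8.0).
TEXT_HEAD = b"Quarterly objectives: grow revenue, hire two engineers.\n" * 4
CIPHER_HEAD = bytes((i * 73 + 11) % 256 for i in range(256))

# (time, pid, image, path, first bytes written); constructed, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-03-01T03:00:01", 4412, "updater.exe", "C:/Users/alice/Documents/plan.docx.locked", CIPHER_HEAD),
    ("2024-03-01T03:00:02", 4412, "updater.exe", "C:/Users/alice/Documents/budget.xlsx.locked", CIPHER_HEAD),
    ("2024-03-01T03:00:04", 4412, "updater.exe", "C:/Users/alice/Pictures/team.jpg.locked", CIPHER_HEAD),
    ("2024-03-01T03:00:07", 4412, "updater.exe", "C:/Shares/Finance/q1.pdf.locked", CIPHER_HEAD),
    ("2024-03-01T03:00:09", 4412, "updater.exe", "C:/Shares/Finance/q2.pdf.locked", CIPHER_HEAD),
    ("2024-03-01T03:00:12", 4412, "updater.exe", "C:/Shares/HR/contracts.docx.locked", CIPHER_HEAD),
    ("2024-03-01T03:05:00", 2210, "WINWORD.EXE", "C:/Users/alice/Documents/plan.docx", TEXT_HEAD),
    ("2024-03-01T03:06:00", 3307, "7zG.exe", "C:/Users/alice/Downloads/archive.zip", CIPHER_HEAD),
    ("2024-03-01T03:07:00", 5101, "backup.exe", "D:/Backups/db.bak", CIPHER_HEAD),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, min_files=5, min_dirs=3, window=timedelta(minutes=5)):
    """Flag a process that writes >= min_files high-entropy files with an unknown
    extension across >= min_dirs directories inside `window`. Archives are also
    high-entropy, so the entropy test is combined with the extension test."""
    per_proc = defaultdict(list)
    for time, pid, image, raw_path, head in events:
        path = PureWindowsPath(raw_path)
        if path.suffix.lower() in KNOWN_EXTS or shannon_entropy(head) < HIGH_ENTROPY:
            continue
        per_proc[(pid, image)].append((datetime.fromisoformat(time), path))
    alerts = []
    for (pid, image), hits in per_proc.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            burst = [h for h in hits[i:] if h[0] - start <= window]
            dirs = {str(p.parent) for _, p in burst}
            if len(burst) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"pid": pid, "image": image, "files": len(burst),
                               "directories": len(dirs),
                               "extensions": sorted({p.suffix for _, p in burst})})
                break  # one alert per process is enough
    return alerts
```

The single `.bak` write and the archive are deliberately left unflagged: a backup agent or archiver produces high-entropy output too, and the multi-directory burst is what separates encryption from normal work.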

7. Extortion

The final stage is the actual demand for ransom, together with the after-effects of the ransomware attack.

Ransom demand

The ransom demand is created when the ransomware encrypts files or exfiltrates information. The demand will specify the payment amount and other details. Attackers might also request additional funds to prevent the release of sensitive information (double extortion) and even extort customers once they have stolen their details (triple extortion).

While the ransom payment itself may be a big blow to the victim, it is estimated that the resulting operational downtime and reputational damage caused by a ransomware attack can be 10 to 15 times greater than the actual ransom amount [3].

Defense mechanisms against ransomware attacks

There are three key pillars to building an effective defense strategy against ransomware attacks. These are people, processes, and technology.

Without the right technological tools in place, ransomware attackers can easily bypass a system’s security defenses. However, the right processes need to be in place to ensure the organization has minimized vulnerabilities in the system. Even with these two key pillars in place, without human expertise, organizations leave themselves open to ransomware attacks.  

Below are the most important aspects of an effective approach to ransomware attacks.

Training

It is important to ensure an organization has adequately trained its team to know what to look out for in a phishing attack. This is particularly important for larger companies that have defense mechanisms in place, as it is the main route of attack for adversaries.

Teams can benefit from the insights of cybersecurity experts, such as MDR providers, who can share knowledge, build awareness, and instill good cybersecurity habits. 

Patching

Keeping your software up to date is crucial when minimizing weak points within the infrastructure. Failure to update applications will make your system vulnerable, and modern ransomware attackers can pinpoint these vulnerabilities using sophisticated tools and technologies. 

Adopt cloud technology

Vulnerabilities in cloud-based systems are harder to exploit, but there are many techniques you can use to protect your cloud’s security infrastructure. Cloud storage also enables you to back up and restore data. 

Implement zero trust

Adopting a zero-trust strategy gives organizations comprehensive control and a 360° view of their infrastructure. It also enables security leaders to design a privileged access mechanism to specifically limit the number of users and control their movements across the network. Zero trust models also require authentication and verification for every session.

Protect privileged accounts

Privileged accounts are a key target for ransomware attackers and, therefore, should be afforded greater protection. Using privileged access management (PAM) solutions helps to ensure high-level privileged account protection, safeguarding an organization’s most valuable assets.

Secure Active Directory

Securing Active Directory means eliminating domains with questionable security, even if they are considered secure by the organization. Establishing an advanced auditing mechanism is key to ensuring that required domain activities are performed in accordance with cybersecurity protocols.

Back up data

If you have a backup to the data that is locked out or stolen, the ransomware attacker has far less leverage. You should have multiple backups in case one becomes corrupted. There are multiple ways to back up data – a mix of the following is ideal:

  • Local backups: Copying data to another local storage location. This is a fast and simple backup strategy, although it is still vulnerable to ransomware because attackers with access to the network may reach the backup as well.
  • Cloud-based backups: Sending local data to cloud-based storage. As data is stored remotely, disaster recovery can be implemented. However, it can be slower.
  • Air gap backups: Copying to a separate system or network that is not connected to the production environment. This secures the data, but because the backup is disconnected it is not updated automatically, so it is never fully current.
  • Immutable backups: A one-off backup, often known as a WORM backup (write once, read many). As it cannot be overwritten, it cannot be encrypted by an attacker.

Eliminate lateral movement paths

Limit how freely an attacker can move through the network once they have gained access by segmenting the network and restricting SMB, RPC, and RDP traffic between segments.

Reduce attack surface

There are many processes that make up a system or infrastructure. Taking care to design these processes in a way that reduces the attack surface and prevents easy access is crucial. From patch management systems to advanced email security software, organizations need to reduce vulnerabilities to prevent opportunities for ransomware attackers.

Implement an attack response plan

In the event of an attack, every team member and external third-party collaborator needs to be part of a clear and focused response strategy. MDR specialists can set up a response plan that is tailored to the requirements of an organization. 

How to minimize ransomware threats

The key to minimizing the threat of ransomware attacks is to leverage managed detection and response services (MDR). Using a blend of human intelligence and innovative technological solutions, Ackcent’s MDR services can provide fundamental protection from ransomware attacks, with a 24x7x365 service that keeps companies covered around the clock.

MDR minimizes and mitigates ransomware threats through four pillars of cybersecurity: prepare, protect, detect, and respond. By preparing for the event of ransomware attacks, with robust strategies and plans in place; protecting your infrastructure through correct processes, tools, and procedures; detecting anomalous behavior using cutting-edge tools and technologies; and responding to incidents using experience and expertise, we help companies from multiple sectors combat the threat of modern ransomware attacks.

Contact us today to find out more about Ackcent’s expert cybersecurity protection services.

References

  1. World Economic Forum, Global Risks Report 2022
  2. Verizon Data Breach Investigations Report (DBIR) 2022
  3. Gartner