Understanding the stage of ransomware will help understand the payouts that cyber criminals aim for from victims.
In 2023, it was another banner year for criminals, netting more than $440 million since January, according to a recent IT security analysis firm. But there are ways for organizations to blunt the impact.
First, some background: One of the reasons for ransomware’s continuing success, according to IT security analysis firm, is the success of what is popularly called “big-game hunting,” or going after large enterprises with deep pockets and the promise of big ransom rewards. Witness the reach of the Clop gang with exploits of Progress Software Corp.’s MOVEit file transfer software. IT security analysis firm estimates an average payout of $1.7 million per victim.
What trends do manage IT services providers experience?
But the trend has other contributing factors, such as an increased number of successful attacks on smaller targets. Also, as more victims refuse to pay some security analysts think this has motivated attackers to ask for higher ransoms across the board or use more extortion techniques to convince victims to pay. Ransomware continues to be a growth business opportunity for criminals, whether or not victims pay up, because stolen data carries a certain value on the dark web, the shady corner of the internet reachable with special software.
Many of these companies have ulterior motives in laying out their ransomware models, in that they sell research based on their own telemetry (such as Palo Alto Networks and Mandiant) or products that can help find or mitigate malware (such as Blackberry, Darktrace and Flashpoint). Be that as it may, they are still useful documents to learn more about how the typical attack progresses.
And though the number of discrete steps is open to interpretation, it’s apparent from these sources that today’s ransomware attack is far from a simple digital smash-and-grab. Understanding these steps can be useful in figuring out how to detect an attack before it develops into a full-on multidimensional threat. We propose this nine-step model to provide this clarity:
- Target selection. All attacks begin with some kind of research by the criminals where they collect information on a target’s size, the sophistication of its digital infrastructure and security defenses, willingness to pay, and the value of its private data. This could be done via various open-source and public reconnaissance, as well as scanning a potential target’s open network ports, types of access controls and whether or not a target’s network is segmented by firewalls and proxy servers.
- Initial exploit delivery and access. This is usually done via phishing emails, but it could be accomplished using malware exploit kits or exploiting other weaknesses in server or supply chains.
Once the malware has established a beachhead on a victim’s endpoint, the attackers create a connection to their command and control servers to begin the attack. Oftentimes, attackers deliberately take their time. Unit 42 says a month is the average “dwell time” after the first penetration, for example.
The typical next step is to navigate across the target network, expanding their reach and seeking out new targets to gain control over multiple computers. This effort is to find the most critical data that could be used to compromise the victim. Common techniques here include using compromised credentials or exploiting unpatched software vulnerabilities.
How do hackers escalate ransomware?
Attackers will also attempt to escalate access privileges to continue to expand their reach and locate their ultimate data targets.
Next is the actual deployment of the actual ransomware, and then detonation of the encryption process. In some circumstances, attackers will also inflict damage on target systems, such as deleting backup data copies that are found during the recon phase.
Once this has been done, the attackers make offsite copies of the encrypted data.
In this step, the attackers finally send out ransom and extortion notes to the victim. Extortion can take multiple paths, such as posting information about the breach on the dark web and threats to release data. Communication can employ a variety of channels, including email, instant messaging or by identifying a web-based negotiation portal that the attacker sets up.
Whether or not ransoms are paid, the last step is to recover data, mitigate the damages, restore and clean up equipment and patch as needed. There’s also post-mortem analysis of what went wrong and when, and how to prevent subsequent attacks.
A variety of tools come into play through these nine stages — for example, a way to monitor potential intrusions, which can often be as subtle as a few network packets, or a way to examine outbound data flows, which can be an indication of an attack in its later stages. By breaking the attack down into these stages, organizations can assess if their tool collection is adequate or if there are holes that need filling to shore up their defenses.
Stages of Ransomware
Ransomware attacks typically involve several stages as part of their lifecycle. While specific techniques and tactics may vary, here are the general stages commonly observed in ransomware attacks:
- Reconnaissance: In this initial stage, the attackers identify potential targets by scanning and searching for vulnerabilities in systems or networks. They may employ various methods like social engineering, phishing emails, or scanning for exposed services.
- Delivery: The attackers deliver the ransomware payload to the target systems. This can be done through different means, such as malicious email attachments, infected websites, exploit kits, or compromised remote desktop services. The goal is to trick or exploit vulnerabilities to gain initial access.
- Execution: Once the ransomware is delivered to the victim’s system, it is executed, often through the opening of a malicious file or by exploiting a vulnerability. The ransomware code then starts running and begins its malicious activities.
- Encryption: In this stage, the ransomware seeks to encrypt the victim’s files or even entire systems, rendering them inaccessible. The attackers use strong encryption algorithms to lock the files, making it nearly impossible for the victim to recover the data without the decryption key.
- Ransom Note: After the encryption process, the ransomware displays a message to the victim, usually in the form of a ransom note. This note informs the victim that their files have been encrypted and provides instructions on how to pay the ransom to obtain the decryption key. The note may include threats, a countdown timer, and information on how to contact the attackers.
- Ransom Payment: If the victim chooses to pay the ransom, they follow the instructions provided by the attackers, usually involving the use of cryptocurrencies such as Bitcoin. The payment process can be challenging and risky, as there is no guarantee that the attackers will provide the decryption key or honor their promises.
- Decryption: If the victim decides to pay the ransom and the attackers uphold their end of the deal, they may provide the decryption key or a decryption tool. However, it’s important to note that paying the ransom does not guarantee a successful decryption, and it may encourage further attacks.
- Recovery and Prevention: After an attack, the victim must recover their systems and data. This typically involves restoring from backups or seeking professional assistance. Additionally, organizations need to analyze the attack vectors, identify security gaps, and implement measures to prevent future ransomware attacks.
It’s worth noting that these stages are not always linear, and attackers may employ various techniques to obfuscate their activities or change their tactics. Organizations and individuals should focus on proactive cybersecurity measures, such as regular backups, software patching, network segmentation, and user awareness training, to mitigate the risks associated with ransomware attacks.
Is your network following industry best practices?
Gain new business and never worry about the effects after ransomware attack.
Our Complimentary Network and Security Assessment can put your IT to the test against other Toronto managed IT services providers.
365 iT SOLUTIONS offers Toronto award-winning services including:
- Managed IT Services Toronto
- IT Outsourcing Services Toronto
- Tech Support Services Toronto
- IT Support Services Toronto
- Cloud Services Toronto
- Managed Security Services Toronto
- Cyber Security Training and Dark Web Monitoring Toronto
- Business continuity and disaster recovery (BCDR)Toronto
We Make IT Simple!