Why Do Ransomware Attacks Work?
Television and movies would have us believe cybercriminals have to execute complex plans
that involve rappelling from rooftops and avoiding lasers to break into our networks. In
reality, it only takes a well-crafted email and a distracted person to start a chain of events
that can cost millions of dollars to repair.
It starts with phishing emails and malicious attachments.
Spam and phishing attacks have been the most popular way cybercriminals have inserted
malicious code into corporate networks for decades. Phishing emails have become
extremely convincing over the past few years. Looking for misspelled words or poor
grammar is still valuable, but today’s spam looks and reads like a legitimate message.
How do ransomware attacks work?
The phishing attack made it to the user, and they clicked a link. What happens next?
Step 1: Infection
This step should really be called deployment, since it involves the download and execution of
a fully functioning piece of malicious software that spreads laterally through the network to infect
as many systems as possible. The system that was initially compromised can be viewed as
patient zero: the host that brought the malware into the network and allowed it to spread.
During this stage it is still possible for endpoint protection software to block the attack, but
if the malware is not detected, the only visible symptom may be degraded performance on
the affected system.
Step 2: Staging
Once the malware payload has spread, it will begin to modify the operating system to
ensure persistence. Communication may also begin with a command and control (C2)
network that will allow a bad actor to access the network directly. Assuming the endpoint
and network detection tools don’t find the activity, you may see seemingly benign increases
in network traffic and attempts to access websites and systems on the internet that are not
commonly accessed.
Step 3: Scanning
Scanning can take many forms. Some ransomware scans for specific file types to encrypt,
while other variants focus on storage arrays, taking a broader approach to data discovery. Still
others scan for open ports and vulnerabilities that can be exploited as part of a more
direct action. Network traffic increases during this stage, and network monitoring tools
will see the spike.
Step 4: Encryption
Once the ransomware has spread as far as it can or a specified amount of time has passed,
file encryption begins. A user’s locally stored files can be encrypted
almost immediately, while files stored on the network may be limited by the speed of the
systems that access them. That said, given the speed of modern networks, there will
be little to no time to interrupt the process. While encryption is under way,
attackers may also begin to exfiltrate data so that they can demand multiple ransoms.
Step 5: Extortion
Once you have lost access to your data, the attackers will provide a ransom note which will
explain that your data is being held hostage and provide the amount and method of
payment (usually cryptocurrency) as well as a time limit for the payment. The note will also
outline what will happen to the encrypted data if the ransom isn’t paid. Interestingly, the
ransomware attackers have adapted to the fact that not everyone knows how to use
cryptocurrency and have begun to provide instructions for setting up an account. Some
have gone so far as to provide a support channel to help victims with the process of paying
the ransom. In theory, once the ransom is paid, the attacker will send the decryption key to
restore access to the encrypted files on the victim’s computer. The victim may
also be promised that the attackers will remove the ransomware and delete any stolen data.
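The encryption stage described in Step 4 leaves a characteristic trace: one process renaming many files to a new extension within seconds, first locally and then on network shares. The detector below is an added example (not code from the original article) that runs a sliding-window check over constructed file-activity events; the event format, the process name svc_host.exe, the `.locked` extension and the thresholds are all assumptions chosen for the illustration.

```python
"""Flag a file-encryption burst (Step 4 indicator) from constructed file-activity events."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample telemetry: "timestamp,process,action,path" (renames use src->dst).
# Not real logs; svc_host.exe and the .locked suffix are invented for the example.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01,winword.exe,write,C:\\Users\\a\\report.docx
2024-05-01T10:00:05,outlook.exe,write,C:\\Users\\a\\AppData\\mail.ost
2024-05-01T10:02:00,svc_host.exe,rename,C:\\Users\\a\\q1.xlsx->C:\\Users\\a\\q1.xlsx.locked
2024-05-01T10:02:01,svc_host.exe,rename,C:\\Users\\a\\q2.xlsx->C:\\Users\\a\\q2.xlsx.locked
2024-05-01T10:02:01,svc_host.exe,rename,C:\\Users\\a\\notes.txt->C:\\Users\\a\\notes.txt.locked
2024-05-01T10:02:02,svc_host.exe,rename,C:\\Users\\a\\photo.jpg->C:\\Users\\a\\photo.jpg.locked
2024-05-01T10:02:03,svc_host.exe,rename,\\\\fileserver\\share\\budget.xlsx->\\\\fileserver\\share\\budget.xlsx.locked
2024-05-01T10:02:03,svc_host.exe,write,C:\\Users\\a\\README_RESTORE.txt
"""

WINDOW = timedelta(seconds=10)  # assumed burst window
MIN_RENAMES = 5                 # assumed: renames inside one window before we care
MIN_NEW_EXT = 0.8               # assumed: share of renames that change the extension


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Split each event line into (timestamp, process, action, path)."""
    rows = []
    for line in log.splitlines():
        ts, proc, action, path = line.split(",", 3)
        rows.append((datetime.fromisoformat(ts), proc, action, path))
    return rows


def new_extension(rename_path: str) -> bool:
    """True when a rename changes the extension (q1.xlsx -> q1.xlsx.locked)."""
    src, dst = rename_path.split("->", 1)
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()


def detect_encryption_bursts(log: str) -> Dict[str, dict]:
    """Per process, report the first window where rename volume and extension churn exceed thresholds."""
    renames = defaultdict(list)
    for ts, proc, action, path in parse(log):
        if action == "rename":
            renames[proc].append((ts, path))
    alerts: Dict[str, dict] = {}
    for proc, events in renames.items():
        for i, (start, _) in enumerate(events):
            window = [p for t, p in events[i:] if t - start <= WINDOW]
            if len(window) < MIN_RENAMES:
                continue
            churn = sum(new_extension(p) for p in window) / len(window)
            if churn >= MIN_NEW_EXT:
                alerts[proc] = {"start": start.isoformat(), "renames": len(window),
                                "new_ext_ratio": round(churn, 2)}
                break
    return alerts
```

Ordinary applications rename files too, so the thresholds are what separate a user saving documents from a process rewriting a whole directory tree; tune them against your own baseline before alerting on them.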