Security leaders hear about it in the news and it never seems to let up: the latest ransomware attack strikes another organization and new victims, targeting everything from critical infrastructure across the globe to court systems, universities, hospitals and more.
Unfortunately, these attacks continue to rise; ransomware instances approached record highs in the first and third quarters of 2022 and don’t appear to be slowing down in 2023. As a constantly evolving form of malware, ransomware attacks only grow in sophistication and find new ways to steal business-critical data.
So, what can organizations do? Below, we outline the typical stages of a ransomware attack, touch on how ransomware is evolving, and explore how security teams can combat these growing, changing threats.
Lifecycle of a ransomware attack
Today’s cyberattacks use advanced tactics to bypass traditional malware detection measures and hide in the everyday nature and complexity of their target's environment. They move through the network seeking to steal data, install ransomware, encrypt data, and wreak havoc.
There are four general stages to the lifecycle of a ransomware attack. They entail:
- Initial access: Cybercriminals look to gain a foothold in an organization’s network, often via password theft, exploiting software vulnerabilities, phishing or brute force. Attackers will then try to discover critical identities and obtain login credentials.
- Consolidation and preparation: Once they have network access, threat actors rely on a variety of methods to execute the attack. Either the initial malware arrives with a package of the tools needed for the attack, or, after the intrusion, the attackers establish communication with a command-and-control server and download the tools required for the next steps.
  The attacker’s “toolbox” includes:
  - Reconnaissance tools that enable the attacker to understand where they are in a network and which accounts to target.
  - Credential dumping tools that compromise the login credentials of privileged accounts, which the attacker can then use to move laterally within a network.
  - Built-in programs such as PowerShell, Windows Management Instrumentation (WMI) and PsExec. In some attack instances, commands from WMI and PsExec were used to delete local backup copies, and PowerShell was used to create malicious backdoors.
- Lateral movement and privilege escalation: A threat actor escalates the attack by leveraging their access to traverse the infrastructure, moving laterally to find vulnerable privileged accounts. Attackers typically carve a path to the most critical data by breaking through security layers and gathering additional privileges. A common technique in ransomware attacks is exploiting administrator accounts, as organizations tend to use one common password for all local admin accounts. Having gained admin privileges, attackers can tamper with security configurations to disable security controls, avoid detection, and download and install a payload on the victim’s endpoint. Access to domain controllers also enables attackers to release malware to all network systems in one shot.
- Impact on target: In the final stage, ransomware has been downloaded and installed on the victim’s system. Once the attacker has disabled the system’s critical protection, they will seek to exfiltrate sensitive information on the endpoint, destroy the organization’s backups and finally encrypt systems and data. Ransom notes or lock screens direct the victim to the hacker’s demand for payment (usually via cryptocurrency) and other details to ensure the victim complies with their demands.
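The toolbox behaviour described above is also what defenders can watch for in process-creation telemetry. The following is an added example, not code from the original article: a small Python detector run over constructed newline-delimited JSON events that flags (a) WMI or PsExec remotely launching commands that delete local backup copies and (b) command shells, PowerShell included, started through those same remote-execution channels. The event shape, the parent-process names, the severity tiers and the indicator patterns are assumptions chosen for illustration; adapt them to your own EDR or Sysmon fields.

```python
"""Detection logic for the ransomware 'toolbox' behaviour described above:
WMI or PsExec remotely launching commands that delete local backup copies, and
command shells (including PowerShell) started through those same channels.

Added example, not code from the original article. The JSON event shape, the
parent-process names and the indicator patterns are assumptions chosen for
illustration; adapt them to your own EDR or Sysmon process-creation telemetry."""
import json
import re
from collections import Counter
from dataclasses import dataclass

# Service binaries that host remotely requested process creation (assumed set).
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}

# Interactive shells whose remote launch deserves a closer look.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Windows built-in commands that remove local backup / shadow copies.
BACKUP_DELETION_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate_event(event: dict) -> list:
    """Apply the rules to one process-creation event; return zero or more findings."""
    host = event.get("host", "unknown")
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    remote = parent in REMOTE_EXEC_PARENTS
    findings = []
    if any(p.search(cmd) for p in BACKUP_DELETION_PATTERNS):
        # Deletion requested through WMI/PsExec is rated higher than a local one.
        rule = "backup_deletion_via_remote_exec" if remote else "backup_deletion"
        findings.append(Finding(host, rule, cmd))
    if remote and image in SHELLS:
        findings.append(Finding(host, "shell_spawned_by_remote_exec", cmd))
    return findings


def scan(lines) -> list:
    """Parse newline-delimited JSON events and collect findings; skip bad lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not abort the whole scan
        findings.extend(evaluate_event(event))
    return findings


def hosts_by_severity(findings) -> dict:
    """Count findings per host so the noisiest endpoints are triaged first."""
    return dict(Counter(f.host for f in findings))


# Constructed sample telemetry (not real data). JSON needs '\\' for one backslash.
SAMPLE_LOG = r"""
{"host": "FS01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe report.txt"}
{"host": "FS01", "parent_image": "C:\\Windows\\PSEXESVC.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet"}
{"host": "WS17", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1"}
{"host": "DC01", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
{"host": "BK02", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\wbadmin.exe", "command_line": "wbadmin delete catalog -quiet"}
not json at all
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.host:5} {f.rule:32} {f.command_line}")
    print(hosts_by_severity(results))
```

The two-tier rule is deliberate: an administrator on a backup server may legitimately prune the backup catalog from an interactive shell (the BK02 line), so a local deletion is reported at a lower tier, while the same command arriving through PsExec or WMI is the combination the article describes and is rated higher. Tuning these tiers against your own baseline of legitimate remote administration is what keeps the rule actionable.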
No longer an individual culprit
Often, a ransomware event is an orchestrated attack executed not by a single individual, team, or even organization, but by a network of cybercriminals and groups. Like other cyberattacks, ransomware has been able to grow and scale because a malicious actor no longer needs to be an expert at every phase of the attack. Bad actors who specialize in one area — such as email phishing, creating a ransomware payload, or running a botnet — can work with other individuals who specialize in other methodologies, allowing less sophisticated threat actors to outsource to other groups. The person delivering ransomware may not be the same individual who broke into a machine or network.
For instance, maybe the initial breach is managed by someone who specializes in hacking an organization’s network or systems. After they gain access, that individual can hand off to someone else who specializes in setting up a remote trojan or malware stager. They can add the accessed network to a botnet of infected machines, giving control to the attacker. Then a ransomware actor can obtain access and deliver the ransomware payload through the botnet to target machines. Such a coordinated attack requires an equally coordinated defense.
How to defend against today’s ransomware
The best defense against ransomware attacks is to prevent them before they can occur. Here are 10 steps an organization can take to combat and mitigate ransomware threats.
- Back up critical data, system images and configurations frequently. Test the backups, and keep copies offsite and offline where attackers can’t reach them.
- Implement MFA. Multi-factor authentication remains the single best security practice an organization can adopt. Set and enforce strong passwords that are managed through a password manager.
- Limit access to resources over internal networks and enforce time-based access for privileged accounts. Restrict permissions, remove local admin rights from end users and block application installation by standard users.
- Keep security solutions updated. Unified threat management (UTM) appliances with sandboxing can detect and quarantine malicious files entering the network.
- Patch everything early and often. Patching will keep all operating systems and software current. Ransomware attacks like WannaCry and NotPetya exploited unpatched vulnerabilities to spread around the globe.
- Implement anti-phishing protection with different security layers at the endpoint and perimeter.
- Lock down accessible services at the firewall. If it isn’t needed, turn off Remote Desktop Protocol (RDP); where remote access is required, use rate limiting, two-factor authentication, a virtual private network (VPN) or other remote-access tools.
- Ensure anti-tamper protection is activated. Ryuk and other ransomware strains attempt to disable endpoint protection; make sure this security layer is enabled.
- Monitor and respond to alerts. Consider implementing advanced endpoint security solutions such as an endpoint detection and response (EDR) tool built on a zero-trust model with multiple layers of defense.
- Raise awareness among users about the risks of phishing and educate them about the dangers of social engineering as part of the organization’s best cybersecurity practices.
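Most of the controls in the list above can be checked continuously rather than reviewed once a year. The following is an added example, not code from the original article: a Python audit that walks a constructed asset inventory and reports violations of the backup, MFA, least-privilege, patching, RDP-exposure and anti-tamper items. The inventory schema, thresholds and sample records are assumptions for illustration; in practice the records would come from exports of your CMDB, identity provider and EDR console.

```python
"""Audit a small asset inventory against the controls in the list above:
tested offline/offsite backups, MFA on privileged accounts, no local admin
rights for standard users, timely patching, RDP not exposed, anti-tamper on.

Added example, not from the original article. The inventory schema,
thresholds and sample records are constructed; feed it exports from your own
CMDB, identity provider and EDR instead."""
from collections import Counter
from dataclasses import dataclass, field

MAX_DAYS_SINCE_RESTORE_TEST = 30   # assumed policy threshold
MAX_DAYS_UNPATCHED_CRITICAL = 14   # assumed policy threshold


@dataclass
class Host:
    name: str
    rdp_listening: bool = False
    rdp_reachable_from_internet: bool = False
    tamper_protection: bool = True
    days_unpatched_critical: int = 0


@dataclass
class Account:
    name: str
    privileged: bool = False
    mfa_enforced: bool = False
    role: str = "standard"          # "standard" or "admin"
    local_admin_on: list = field(default_factory=list)


@dataclass
class BackupSet:
    name: str
    offline_copy: bool
    offsite_copy: bool
    days_since_restore_test: int


def audit(hosts, accounts, backups):
    """Return (subject, rule, advice) tuples for every control violation found."""
    findings = []
    for h in hosts:
        if h.rdp_listening and h.rdp_reachable_from_internet:
            findings.append((h.name, "rdp_exposed",
                             "disable RDP or move it behind VPN with MFA and rate limiting"))
        if not h.tamper_protection:
            findings.append((h.name, "tamper_protection_off",
                             "re-enable endpoint anti-tamper protection"))
        if h.days_unpatched_critical > MAX_DAYS_UNPATCHED_CRITICAL:
            findings.append((h.name, "critical_patch_overdue",
                             f"critical patch pending {h.days_unpatched_critical} days"))
    for a in accounts:
        if a.privileged and not a.mfa_enforced:
            findings.append((a.name, "privileged_without_mfa", "enforce MFA"))
        if a.role == "standard" and a.local_admin_on:
            findings.append((a.name, "standard_user_local_admin",
                             "remove local admin rights on " + ", ".join(a.local_admin_on)))
    for b in backups:
        if not (b.offline_copy and b.offsite_copy):
            findings.append((b.name, "backup_not_offline_offsite",
                             "keep an offline and offsite copy attackers cannot reach"))
        if b.days_since_restore_test > MAX_DAYS_SINCE_RESTORE_TEST:
            findings.append((b.name, "backup_restore_untested",
                             f"last restore test {b.days_since_restore_test} days ago"))
    return findings


def summarize(findings):
    """Count violations per rule for a quick management view."""
    return dict(Counter(rule for _, rule, _ in findings))


# Constructed sample inventory (not real data).
HOSTS = [
    Host("WEB01", rdp_listening=True, rdp_reachable_from_internet=True),
    Host("WS17", tamper_protection=False, days_unpatched_critical=20),
    Host("DC01", rdp_listening=True, days_unpatched_critical=3),
]
ACCOUNTS = [
    Account("svc_backup", privileged=True, mfa_enforced=False, role="admin"),
    Account("jdoe", local_admin_on=["WS17"]),
    Account("admin_ops", privileged=True, mfa_enforced=True, role="admin"),
]
BACKUPS = [
    BackupSet("nightly_disk", offline_copy=False, offsite_copy=True, days_since_restore_test=45),
    BackupSet("weekly_tape", offline_copy=True, offsite_copy=True, days_since_restore_test=10),
]

if __name__ == "__main__":
    results = audit(HOSTS, ACCOUNTS, BACKUPS)
    for subject, rule, advice in results:
        print(f"{subject:12} {rule:28} {advice}")
    print(summarize(results))
```

Running the audit on the sample inventory reports seven violations; DC01 passes because RDP listening on an internal-only host is not in itself a finding, which is the distinction the firewall item in the list draws. Each rule maps to one list item, so a failing rule points directly at the control to fix.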
Finally, obtaining cyber insurance can play a significant role in network protection. Cyber-insurance coverage can help defray the costs related to downtime following a ransomware attack and bringing in an incident response firm to investigate the attack. Cyber-insurance providers often impose strict requirements in order to obtain coverage, however. The silver lining is that working to meet these requirements forces companies to tighten their security structures, resulting in stronger overall security programs.
While ransomware attacks continue to grow more sophisticated, the defenses used against them do as well. A comprehensive security program combined with user awareness of best practices is key to keeping the bad guys out and critical data safe. Know the threats you face and stay vigilant to do your part in keeping your environment secure.