Opinion: Ross Brewer, VP & MD EMEA at LogRhythm, looks at the five steps of a ransomware attack and how businesses can defend themselves.
Over the past three years, ransomware has jumped into the spotlight of the cyber threat landscape. Until recently, most ransomware attacks were simply opportunistic and mostly affected individual users’ or small businesses’ computers. The ransom demands have commonly been the equivalent of just a few hundred pounds for an individual PC. But now they have set their sights on larger organisations that have bigger budgets to pay bigger ransom demands. They also have more important files and computer systems that are critical to the organisations’ daily operations.
Understanding what happens at each phase of a ransomware attack, and knowing the indicators of compromise [IOCs] to look for, increases the likelihood of being able to successfully defend against—or at least mitigate the effects of—an attack. These phases are:
Phase 1: Exploitation and Infection
In order for an attack to be successful, the malicious ransomware file needs to execute on a computer. This is often done through a phishing email or an exploit kit— a type of malicious toolkit used to exploit security holes in software applications for the purpose of spreading malware.
Phase 2: Delivery and Execution
Following the exploit process, the actual ransomware executable will be delivered to the victim’s system. Typically, this process takes a few seconds, depending on network latencies. We often see the executable files being placed in folders beneath the user’s profile. It’s good to know this for detection purposes because your organisation can monitor for those events to set up a line of defence.
Phase 3: Backup Spoliation
A few seconds after the malware is executed, the ransomware targets the backup files and removes them to prevent restoring from backup. This is unique to ransomware. Other types of crimeware and even APTs don’t bother to delete backup files. Ransomware variants will try and remove any means that the victim has to recover from the attack without paying the ransom.
Phase 4: File Encryption
Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing those encryption keys that will be used on the local system. Unfortunately, most of the variants today use strong encryption, such as AES 256, so the victim isn’t going to be able to break the encryption on their own.
Phase 5: User Notification and Clean-up
With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay, and after that time the ransom increases. Once paid, the malware cleans itself off the victimised system so as not to leave behind significant forensic evidence that would help build better defences against the malware.
Once you understand how ransomware works, you can look at how to defend against such an attack. The five steps of defence are:
To prepare for the very real possibility of an attack, it’s firstly important to patch aggressively so vulnerabilities are eliminated and access routes are contained. Endpoints need to be adequately protected with tools that can automatically detect and respond to infections before they become big incidents.
In the event that your enterprise gets hit with an attack, you can minimise the damage if you detect the malware early. Use threat intelligence sources to block or at least alert on the presence of anomalies associated with ransomware in your network traffic. Make sure emails are screened for malicious links and payloads, and use rules that look for files executing from common ransomware folders so you can spot ransomware before any files are encrypted.
Once the ransomware has already done its dirty work on one device, there are steps you can take to contain it locally. Having an endpoint protection system that is able to look for the execution and kill the process is usually the best means of containment. The local host needs to be blocked and isolated from the network, which prevents additional files on the network from being encrypted.
Once you know you have had a ransomware incident, and it has been contained, you now need to eradicate it. The best option is to replace machines that have been affected. Indeed, it’s difficult to know if residual files are hidden on the system and able to re-infect devices. However, for network locations, such as mailboxes or file shares, sometimes it is more relevant to clean those locations, removing the malicious email message or ransomware instructions. If you choose to clean rather than replace, continue to monitor for signatures and other IOCs to prevent the attack from re-emerging.
For recovery, the number one task is going to be restoring from backup. In most ransomware investigations, you usually want to complete your recovery phase by doing a full investigation into what specific infection vector was used against the system.
Ransomware attacks against organisations are just starting to ramp up. The ramifications of a successful attack are far more extensive than just the cost of the ransom. Organisations can suffer the effects of lost productivity, loss of business, inconvenience to customers, and potentially the permanent loss of data. Your organisation’s success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems and to detect, shut down and contain suspicious activity.