Ransomware is a simple but effective means for cybercriminals to make money from cyberattacks. It is malware that encrypts a user's files once it is installed on a victim's computer and then demands a ransom payment from the victim in exchange for the key needed to restore the data.
Over the past two years, ransomware attacks have increased at a rate of 97%, and today a majority of organizations admit that they are unprepared for a ransomware attack.
Stages of an Attack
Ransomware attacks can be extremely damaging and expensive to an organization and its customers. Catching the malware as early as possible in its attack lifecycle is crucial to minimizing the impact of the incident. The lifecycle of a ransomware attack consists of four main steps.
Like all malware, the first step in the ransomware attack lifecycle is infection: the ransomware program must be installed and executed on the target machine before it can encrypt any of the user's files.
Email is one of the most common infection vectors for ransomware. A phishing email convinces a user to click on a link or to download and execute an attachment. For example, a Microsoft Word document may carry a malicious macro or another exploit that downloads and executes second-stage malware. In many cases, ransomware is one component of a multi-stage attack in which other malware performs the initial infection and downloads the ransomware as needed.
Before starting to encrypt user files, many variants of ransomware perform some form of reconnaissance on the target machine. Reconnaissance is performed for a few different reasons.
One purpose of reconnaissance on a victim machine is to determine whether the device is worth encrypting. Some ransomware variants, like Ryuk, are designed for targeted attacks. If the victim machine does not hold data that its owner is likely to pay a ransom for, the ransomware may not execute.
Ransomware may also perform reconnaissance to protect itself against detection and removal. Searching for antivirus programs and other processes that could pose a threat to the malware is a common feature in ransomware, and the malware usually kills these processes if they are detected.
The encryption stage of a ransomware attack is where the real damage to the target computer is done. Most ransomware variants perform a recursive search through the machine's file system. Each file is checked against a list to decide whether it should be encrypted; this exclusion list is designed to keep the ransomware from rendering the machine unusable. If the file is to be encrypted, the malware encrypts it with a symmetric algorithm (such as AES) and deletes the original file.
The symmetric encryption key is often itself encrypted with a per-infection RSA public key and appended to the encrypted file. The corresponding RSA private key is encrypted with the ransomware author's public key and sent to the author before being deleted from the device, so only the author can release it.
Many ransomware variants do not limit themselves to the file system of the infected computer. During the encryption stage, the malware may look for shared network drives, removable media, other physical drives on the machine, or any other file store. If one is detected, the ransomware will encrypt it as well.
Different ransomware variants have different levels of protection against file recovery. At the end of the encryption stage, some variants will work to delete shadow copies and take other actions to ensure that encrypted files cannot be recovered.
The final stage of a ransomware infection is typically the only one that is visible to the victim. Once the ransomware has completed encryption and cleaned up after itself, it presents a ransom note to the user demanding payment in cryptocurrency in exchange for the encryption key needed for file decryption.
At this point in the attack lifecycle, the ransomware no longer needs to be subtle. Unless a free decryptor has been released for that ransomware variant, the victim needs to decide between writing off the lost files and paying the ransom. In many cases the victim does not receive a decryption key even after paying, and even a valid key and decryptor typically do not restore all of the encrypted files.
Ransomware attacks can be expensive, but the cost goes down dramatically if the incident can be caught early in the attack lifecycle. Two methods for identifying an in-progress ransomware attack are threat hunting and 24x7 monitoring.
Many security teams take a reactive approach to identifying threats to the organization, which guarantees that threats are only detected after they have caused damage to the network. Threat hunting instead takes a proactive approach, looking for potential threats before their presence becomes apparent.
Some ransomware variants include a sleep stage between being installed on the victim machine and beginning their attack. If this is the case, threat hunting can identify the presence of the malware at this stage and remove it before it does any damage.
Malware almost always originates from outside the organization and typically enters via the network. The design of the typical corporate network, with a single connection between the internal network and the Internet, makes it easy to deploy monitoring solutions at this bottleneck to detect malware attempting to enter the network.
Detecting malware as it attempts to enter the network can stop an attack before it even happens. Proactive monitoring for phishing emails or suspicious traffic that may include a malware download can help catch ransomware in the infection stage.
However, when attempting to stop a ransomware attack using active monitoring, that monitoring must run 24x7. The global nature of the Internet means that a ransomware attack can happen at any time, and it only takes a few minutes for some ransomware variants to go from initial installation to a fully encrypted computer. If the organization does not have access to a 24x7x365 Security Operations Center (SOC) that can respond immediately, it may be too late.
A ransomware attack can be devastating to an organization, but most of the costs go away if the attack can be detected and blocked early in the attack lifecycle. By deploying ransomware protection solutions and implementing a strong vulnerability scanning and patching program, organizations can dramatically decrease their exposure to ransomware.
Ransomware Protection Solutions
Ransomware is designed to encrypt many files on a user’s computer. Accomplishing this requires the malware to access, modify, and delete many files in a short period of time. Since this is not usual behavior for legitimate programs, ransomware protection solutions can monitor for these operations and use them as an indication that a specific process should be terminated as potentially malicious.
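As an added illustration of the behaviour-based approach just described (example code written for this page, not any product's detection engine), the following Python monitor replays constructed file-activity events and flags a process whose write-and-delete burst reaches a threshold inside a short sliding window. The event format, the window length, the threshold and the process IDs are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 2.0    # sliding-window length; assumed tuning value
BURST_THRESHOLD = 20    # WRITE+DELETE events inside the window before a process is flagged

# Assumed event format: "<seconds> <pid> <READ|WRITE|DELETE> <path>" (not a real telemetry schema).
EVENT_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<pid>\d+) (?P<op>READ|WRITE|DELETE) (?P<path>.+)$")

def build_sample_events():
    """Constructed sample telemetry: one benign editor (pid 1001) and one
    process (pid 4242) that writes an encrypted copy of each document and deletes the original."""
    lines = []
    for i in range(5):  # benign: five writes spread over five seconds
        lines.append(f"{float(i):.1f} 1001 WRITE C:\\Users\\alice\\notes{i}.txt")
    for i in range(15):  # suspicious: 30 write/delete events in 1.5 seconds
        t = 10.0 + i * 0.1
        lines.append(f"{t:.1f} 4242 WRITE C:\\Users\\alice\\Documents\\file{i}.docx.locked")
        lines.append(f"{t + 0.05:.2f} 4242 DELETE C:\\Users\\alice\\Documents\\file{i}.docx")
    return lines

def detect_bursts(lines, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return {pid: timestamp} for every process whose WRITE+DELETE activity reaches
    `threshold` events within any `window`-second span. Reads are ignored, and a process
    is flagged only when BOTH writes and deletes occur (encrypted copy written, original deleted)."""
    recent = defaultdict(deque)  # pid -> (ts, op) events still inside the window
    flagged = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m is None:
            continue  # skip malformed lines instead of crashing the monitor
        ts, pid, op = float(m["ts"]), int(m["pid"]), m["op"]
        if op == "READ" or pid in flagged:
            continue
        q = recent[pid]
        q.append((ts, op))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire events that fell out of the sliding window
        if len(q) >= threshold and {"WRITE", "DELETE"} <= {o for _, o in q}:
            flagged[pid] = ts  # the moment a responder would terminate the process
    return flagged

def run_sample():
    """Replay the constructed events; expected to flag pid 4242 only."""
    return detect_bursts(build_sample_events())

if __name__ == "__main__":
    for pid, ts in run_sample().items():
        print(f"pid {pid} flagged at t={ts:.2f}s")
```

A real deployment would feed this from endpoint file-system telemetry and tune the window and threshold against the baseline of legitimate bulk operations such as backups and compilers.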
Ransomware protection solutions can also take advantage of the fact that most ransomware attacks use the same ransomware variants over and over again. Since signatures exist for these variants, ransomware protection solutions can scan for matches and terminate any matching programs as malicious.
Scanning and Patching
While ransomware is often spread over email, this is not always the case. WannaCry is an example of an extremely powerful ransomware variant that spread by exploiting vulnerabilities in the SMB protocol. Other email-spread ransomware variants may also use vulnerabilities to escalate their privileges on target systems in preparation for file encryption.
Since ransomware (and other types of malware) uses software vulnerabilities as part of its attacks, frequent scanning and patching of vulnerabilities allows an organization to identify and remediate holes in its cybersecurity defenses before an attacker can discover and exploit them.
Importance of Response and Remediation
When a ransomware attack is detected, it is vital that the organization's security team immediately responds to remediate the attack. With ransomware, the time between the first stage of the attack and the last can be measured in minutes, and responding too late can result in a loss of sensitive and valuable data.
Responses to a ransomware attack should not be limited to dealing with the obvious victim computer. In many cases, ransomware is targeted at the entire organization, and the first computer to show symptoms may only be the first of many victims. When security experts in a SOC respond quickly enough, they may be able to identify and remove other malware infections or phishing emails before they have the opportunity to cause damage to the organization. This is why monitoring 24x7x365 is crucial.