Ransomware has been one of the biggest cyber security threats in 2022.
This blog will highlight:
- The definition of ransomware.
- What the anatomy of a ransomware attack looks like.
- Preventing ransomware attacks.
What is Ransomware?
Ransomware is malicious software that denies an organisation access to a system and/or its data until a ransom is paid.
Ransomware can affect an organisation by:
- Locking the system’s screen.
- Locking user and system files.
Tenable suggests that:
To make matters worse, the ransomware threat continues to evolve.
The Anatomy of Ransomware Attacks
Ransomware attacks are traditionally delivered via phishing campaigns against specific targets.
Attackers use several ways to distribute malicious software, such as drive-by downloads, USBs, and other portable devices.
However the ransomware is delivered, the anatomy of an attack follows the same steps, outlined below.
Reconnaissance Phase
Attackers research the target organisation to confirm that it has exploitable vulnerabilities, which tells them whether the attack will be worthwhile. This analysis also indicates how severe the attack’s impact is likely to be.
Gain Access
Gaining access is the next step in an attack.
Using the research gathered in the reconnaissance phase, attackers will attempt to compromise the organisation’s user accounts by:
- Brute-forcing passwords.
- Using default passwords.
- Obtaining credentials via phishing.
- Exploiting misconfigured access points.
- Purchasing compromised user accounts (usually accounts with admin privileges that give greater access to the organisation’s network).
Maintaining Access to the Organisation
Attackers can access an organisation for months before encrypting files or selling access to another criminal body.
Destroying or Encrypting an Organisation’s Backups
The objective of a ransomware attack is to deny the availability of resources and force the target into making a ransom payment in order to regain access.
Importantly, attackers often ensure that recovery is not an option by encrypting or destroying any backups the organisation holds.
Attackers have developed strategies for traversing compromised networks, destroying backups, or creating specialised strains to encrypt online backups.
These bad actors aim to force payment from the victim.
Negotiation and Payment
If the attack is successful, the next step is to begin the negotiation and payment phase.
The ransom, which is often paid in cryptocurrency, is intended to prompt the attackers to release a decryptor for the encrypted files.
Many organisations choose to employ a third-party Incident Response team to assist with negotiating the ransom.
Recovery Phase
Unfortunately, many organisations are left with a clean-up exercise after an attack.
The organisation can suffer from:
- Income loss.
- Production restoration.
- Incident Response costs.
- Damage to reputation.
What are some of the most popular forms of Ransomware?
Email is one of the most successful platforms to spread ransomware.
Attackers often insert malicious links or attachments into personalised or branded emails that look like they come from a legitimate source, to dupe the receiver into clicking the link.
Drive-by Downloads
Drive-by downloads occur when a user visits a compromised website that infects a device with ransomware.
As a result, cybercriminals often probe legitimate websites for security flaws and vulnerabilities. Criminals then embed their code in the website or present copies of popular websites to lure visitors.
USB/Portable Device
As the popularity of cloud services increases, USBs are not used as frequently. However, they can still be used to infect computers and systems.
In some cases, these devices are left lying around an office space by social engineers and cybercriminals.
Open Remote Desktop Protocol (RDP) Ports
Remote Desktop Protocol (RDP) allows IT administrators to access a PC or server, primarily for configuration or application access.
If these ports are exposed to the public internet or an untrusted network, cybercriminals can reach them and use them as a platform to deploy ransomware.
Ransomware as a Service (RaaS)
Check Point suggests that:
How can I Prepare for Ransomware Attacks?
Effective cyber security training for your organisation
This can help to raise your employees’ awareness of the risks associated with ransomware and phishing attacks.
Regularly backing up data in your organisation
Having regular, verified, offline backups of your organisation’s data can help safeguard your data in an attack.
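As an added illustration of what "verified" means in practice (example code, not from the original post), the script below records a SHA-256 manifest of a backup set and later re-checks it, flagging files that are missing, changed, or whose contents now look like random data, which is what an encrypted backup looks like. It assumes the manifest is stored somewhere the backup host cannot overwrite; the file names, contents and the 7.5 bits-per-byte entropy threshold are constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict, entropy_limit: float = 7.5) -> dict:
    """Return lists of missing, modified and suspicious (likely encrypted) files."""
    result = {"missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            result["modified"].append(rel)
            # A changed file full of high-entropy bytes was not merely edited.
            if shannon_entropy(p.read_bytes()) > entropy_limit:
                result["suspicious"].append(rel)
    return result

def run_demo() -> dict:
    """Constructed scenario: three files backed up, then one encrypted and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("[db]\nhost=localhost\n" * 20)
        (root / "notes.txt").write_text("quarterly figures, draft\n" * 40)
        (root / "ledger.csv").write_text("id,amount\n1,10\n2,20\n" * 50)
        manifest = build_manifest(root)           # taken before the "attack"
        (root / "ledger.csv").write_bytes(os.urandom(4096))  # simulated encryption
        (root / "notes.txt").unlink()                         # simulated deletion
        return verify_backup(root, manifest)
```

Running the check on a schedule, and alerting when the "suspicious" list is non-empty, catches a backup set being encrypted before the production data is.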
Disrupt ransomware attack paths before they are exploited
Organisations can combine risk-based vulnerability management with Active Directory security. This enables an organisation to disrupt common attack paths.
Active Directory security stops attackers from gaining a foothold and taking the next step in their attack.
Prepare for the worst with cyber threat intelligence services
Threat intelligence services can provide crucial information about current and emerging threats to your organisation.
This foresight allows organisations to make informed decisions and reduce risk to their digital and corporate assets.
Get in touch with our expert team for more information about how to protect your organisation against ransomware attacks!