How Does Ransomware Work?

  • Jan 3, 2023
  • 4 min read

Ransomware has been one of the biggest cyber security threats in 2022.


This blog will highlight:

  • The definition of ransomware and how it works.

  • What the anatomy of a ransomware attack looks like.

  • Preventing ransomware attacks.


What is Ransomware and how does it work?


Ransomware is malicious software that denies an organisation access to a system and/or its data until a ransom is paid.

Ransomware can affect an organisation by:

  • Locking the system’s screen.

  • Locking user and system files.


Tenable suggests that:   

The Anatomy of Ransomware Attacks

Ransomware has traditionally been delivered through phishing campaigns aimed at specific targets.

Attackers also use several other ways to distribute malicious software, such as drive-by downloads, USBs and other portable devices.


However the ransomware is delivered, the anatomy of an attack remains the same and follows the steps below.


Reconnaissance Phase

Attackers first research the target to confirm that it has exploitable vulnerabilities and that an attack will be worthwhile. This analysis also tells them how severe the attack’s impact is likely to be.


Gain Access

Gaining access is the next step in an attack.


Using the research gathered in the reconnaissance phase, attackers will attempt to compromise the organisation’s user accounts by:


  • Brute-forcing passwords.

  • Using default passwords.

  • Obtaining credentials via phishing.

  • Exploiting misconfigured access points.

  • Purchasing compromised user accounts (usually accounts with admin privileges that give greater access to the organisation’s network).


Maintaining Access to the Organisation

Attackers can access an organisation for months before encrypting files or selling access to another criminal body.


Destroying or Encrypting an Organisation’s Backups


The objective of a ransomware attack is to deny the availability of resources and force the target into making a ransom payment in order to regain access.


Importantly, attackers often ensure that recovery is not an option by encrypting or destroying any backups the target has.


Attackers have developed strategies for traversing compromised networks, destroying backups, or creating specialised strains that encrypt online backups.


These bad actors aim to force payment from the victim.


Negotiation and Payment

If the attack is successful, the next step is to begin the negotiation and payment phase.

The ransom payment, which is often paid in cryptocurrencies, prompts the attackers to release a decryptor to access encrypted files.


Many organisations choose to employ a third-party Incident Response team to assist with negotiating the ransom.

Recovery Phase

Unfortunately, many organisations are left with a clean-up exercise after an attack.

The organisation can suffer from:


  • Income loss.

  • The cost of restoring production systems.

  • Incident Response costs.

  • Damage to reputation.



Email

Email is one of the most successful platforms to spread ransomware.

Attackers often insert malicious links or attachments into personalised or branded emails that appear to come from a legitimate source, duping the recipient into clicking the link.


Drive-by Downloads

Drive-by downloads occur when a user visits a compromised website that infects their device with ransomware.

Cybercriminals therefore probe legitimate websites for security flaws and vulnerabilities, then embed their code in the site or set up copies of popular websites to lure visitors.


USB/Portable Device

As the popularity of cloud services increases, USBs are not used as frequently. However, they can still be used to infect computers and systems.


In some cases, these devices are left lying around an office space by social engineers and cybercriminals.


Open Remote Desktop Protocol (RDP) Ports

Remote Desktop Protocol (RDP) allows IT administrators to access a PC or server, primarily for configuration or application access.


If these ports are exposed to the public internet or an untrusted network, cybercriminals can reach them and use them as a platform to deploy ransomware.
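The password brute-forcing listed under Gain Access and the exposed-RDP vector above both leave a trace a defender can watch for: Windows records every failed logon as Security event 4625, and logon type 10 (RemoteInteractive) marks an RDP session. The Python below is an added example, not code from Sapphire's post; the event layout, IP addresses and account names are constructed sample data, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag RDP brute-force attempts from failed-logon events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta


def make_event(time, event_id, logon_type, user, src_ip):
    return {"time": time, "event_id": event_id, "logon_type": logon_type, "user": user, "src_ip": src_ip}


# Constructed events in the shape of Windows Security Event ID 4625 (failed logon)
# and 4624 (successful logon). LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    # attacker-style burst: six failures against different accounts within 50 seconds
    *[make_event(f"2023-01-03T08:00:{10 * i:02d}", 4625, 10, user, "203.0.113.7")
      for i, user in enumerate(["administrator", "admin", "backup", "svc_sql", "jsmith", "helpdesk"])],
    # a user mistyping a password twice, an hour apart: not brute force
    make_event("2023-01-03T09:15:00", 4625, 10, "jsmith", "198.51.100.5"),
    make_event("2023-01-03T10:20:00", 4625, 10, "jsmith", "198.51.100.5"),
    # a successful logon, which the detector ignores
    make_event("2023-01-03T10:21:00", 4624, 10, "jsmith", "198.51.100.5"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src_ip: max_failures} for sources with at least `threshold`
    failed RDP logons inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the oldest failure is inside the window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

In a real deployment the events would come from a SIEM or Windows Event Forwarding; a hit from an internet address on a host that should not expose RDP is the signal that the port is reachable from outside.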


Ransomware as a Service (RaaS)


Check Point suggests that:

How can I Prepare for Ransomware Attacks?   


Effective cyber security training for your organisation

This can help to raise your employees’ awareness of the risks associated with ransomware and other phishing attacks.


Regularly backing up data in your organisation

Having regular, verified, offline backups of your organisation’s data can help safeguard your data in an attack.
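One way to make the "verified" part of that advice concrete: record a SHA-256 manifest when the backup is taken and check the backup against it before relying on it, so a copy that a ransomware strain has encrypted or deleted is caught before the restore. This Python is an added example, not Sapphire's tooling; the file names and contents are constructed, and the manifest is assumed to be kept somewhere the backup host cannot alter it (offline, or under separate credentials).

```python
"""Verify an offline backup against a SHA-256 manifest (added example with constructed files)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map each file's relative path to its SHA-256 digest at backup time."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_dir, manifest):
    """Return a list of problems; an empty list means every file is present and unchanged."""
    root = Path(backup_dir)
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - manifest.keys()))
    return problems


def demo():
    """Constructed scenario: a clean backup, then the same tree after tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'Acme');\n")
        (root / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # simulate a strain reaching an online backup: one file overwritten, one removed, one added
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        (root / "config.yaml").unlink()
        (root / "extra.bin").write_bytes(b"\x00" * 16)
        return clean, verify_backup(root, manifest)
```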


Disrupt ransomware attack paths before they are exploited


Some organisations combine risk-based vulnerability management with Active Directory security. This enables an organisation to disrupt common attack paths.


Active Directory security stops attackers from gaining a foothold and taking the next step in their attack.


Prepare for the worst with cyber threat intelligence services

Threat intelligence services can provide crucial information about current and emerging threats to your organisation.


This foresight allows organisations to make informed decisions and reduce risk to their digital and corporate assets.


Get in touch with our expert team for more information about how to protect your organisation against ransomware attacks!