Lifecycle of a Ransomware Attack, Part 1
Ransomware and other digital attacks are a growing problem for organizations and IT managers everywhere. We recently helped a company through a ransomware attack. The company was prepared with a secured backup system and did not pay the ransom. Unfortunately, the attack still brought the business to a standstill while the team worked to clear the environment of the threat: critical systems were down for over a week, supporting applications returned to service after two weeks, and follow-up security enhancements took another 2-3 months to complete. Ransomware can cost a business actual money, but the lost productivity often costs more, and if customer information is exposed, the resulting loss of customer trust can be devastating.
What is a Ransomware Attack?
There are many types of attacks and threats to businesses, and ransomware is a very specific kind. In terms of the CIA (Confidentiality, Integrity, and Availability) security model, ransomware primarily attacks Availability and Integrity: it encrypts the victim's data so that it can no longer be used, and when the operators also exfiltrate data before encrypting it, Confidentiality is lost as well. Ransomware typically gets onto a computer, lies in wait to make sure it has not been detected, then activates and encrypts the victim's data, holding it hostage until a payment (the ransom) is made to regain access. This kind of attack has been going on for some time, and there have been recent high-profile attacks against large companies, government agencies, and other organizations.
What Does a Ransomware Attack Look Like?
The brutal reality is that many companies are unaware of an intrusion until it is far too late; attackers can sit inside a network for months, in some cases six months or more, before the compromise is discovered. Traditional signature-based anti-virus catches known samples but is routinely bypassed by new variants, so on its own it provides a false sense of security and does little to stop ransomware. While the intrusion goes undetected, the ransomware covertly scans for critical data. When ready, it encrypts that data and demands a ransom. Modern operators may also steal the data first, to use it as leverage against a company that refuses to pay.
Lifecycle of a Ransomware Attack
Ransomware attacks follow a similar six-stage pattern, described in turn below:
- Distribution campaign: the malware is delivered to potential victims
- Infection: the dropper fetches and launches the ransomware executable
- Staging: the malware establishes persistence and sabotages recovery
- Scanning (covert reconnaissance): it locates the files it will hold hostage
- Encryption: the discovered files, backups first, are encrypted
- Payday: the ransom note is shown and payment is demanded
The first stage is to distribute and install the malware on potential victims' machines. During this campaign, users are tricked into running a malicious dropper (a small loader whose only job is to fetch the real payload) via a phishing email, a watering-hole attack, an exploit kit, or a drive-by download. Most users have seen scam emails or phishing attempts, but many may not realize that these messages are the initial stage of a much larger, more serious threat.
Once on the victim's machine, the dropper calls home to download the ransomware executable (a .exe, or some other camouflaged executable) from a predefined list of IP addresses or domain names that host the malicious software. The dropper usually copies the executable to a user-writable directory such as the user's Temp folder (%LOCALAPPDATA%\Temp, also reachable as %TEMP%) or another location under %APPDATA%. Finally, the dropper script terminates and removes itself, and the malicious payload is executed.
The Staging phase is where the ransomware performs various housekeeping tasks to ensure smooth operation. It typically copies itself to a new folder and establishes persistence (a registry Run key or scheduled task, for example), then checks the local configuration and registry for what it is allowed to do: proxy settings, the user's privileges, and other potentially useful information. It also sabotages recovery. On Windows this commonly means running bcdedit to disable the recovery environment and automatic startup repair, and vssadmin, wmic or wbadmin to delete the Volume Shadow Copies and backup catalog, so that the victim cannot simply roll files back to an earlier version. The ransomware communicates with its command-and-control server at this stage and may use online IP-analytics or geolocation services to decide whether the machine is an applicable target (some families deliberately avoid certain countries).
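As an added example (not code from the original post), here is a small Python detector for the infection and staging behaviour just described. It runs constructed Windows process-creation records (Sysmon Event ID 1 style) through rules for an executable launched from a scratch directory by an Office application and for the recovery-sabotage commands (vssadmin/wmic shadow-copy deletion, bcdedit recovery changes, wbadmin catalog deletion). The event layout, rule names and priority scheme are this example's own assumptions; an EDR or SIEM would express the same logic in its own query language.

```python
"""Staging-stage detector over Windows process-creation events.

Added example, not code from the original post. The sample records below
are constructed to resemble Sysmon Event ID 1 / Security 4688 data and are
not real logs; the rule names and priority levels are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    command_line: str
    parent_image: str   # full path of the process that spawned it


# Command lines that sabotage recovery, as described in the Staging stage.
# Each entry is (rule name, pattern matched against the command line).
STAGING_RULES = [
    ("shadow_copies_deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copies_deleted", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_env_disabled", re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# User-writable scratch locations a dropper typically stages its payload in.
SCRATCH_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\ProgramData\\", re.I)
# An Office application spawning an executable is the classic phishing-attachment chain.
OFFICE_APPS = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)


def classify(event):
    """Return the names of every rule one process-creation event triggers."""
    hits = [name for name, pattern in STAGING_RULES if pattern.search(event.command_line)]
    if event.image.lower().endswith(".exe") and SCRATCH_DIRS.search(event.image):
        hits.append("exe_run_from_scratch_dir")
        if OFFICE_APPS.search(event.parent_image):
            hits.append("office_app_spawned_exe")
    return hits


def detect(events):
    """Run every event through the rules.

    Each alert records whether the *parent* lives in a scratch directory:
    a recovery-sabotage command launched by a binary in %TEMP% is the
    dropper -> payload -> housekeeping chain and deserves a higher priority
    than the same command typed by an administrator.
    """
    alerts = []
    for ev in events:
        for rule in classify(ev):
            alerts.append({
                "rule": rule,
                "image": ev.image,
                "command_line": ev.command_line,
                "parent_in_scratch_dir": bool(SCRATCH_DIRS.search(ev.parent_image)),
            })
    return alerts


def priority(alerts):
    """'high' when recovery sabotage is chained to a scratch-dir parent, 'medium'
    for sabotage alone, 'low' for anything else, 'none' when nothing fired."""
    if not alerts:
        return "none"
    sabotage_rules = {name for name, _ in STAGING_RULES}
    sabotage = [a for a in alerts if a["rule"] in sabotage_rules]
    if any(a["parent_in_scratch_dir"] for a in sabotage):
        return "high"
    return "medium" if sabotage else "low"


# Constructed sample: Word launches invoice.exe from %TEMP%, which then runs
# the recovery-sabotage commands; a user opening Notepad is benign noise.
PAYLOAD = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PAYLOAD, f'"{PAYLOAD}"',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", PAYLOAD),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled no", PAYLOAD),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures", PAYLOAD),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete catalog -quiet", PAYLOAD),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['rule']:26} parent_in_scratch_dir={a['parent_in_scratch_dir']!s:5} {a['command_line']}")
    print("priority:", priority(found))
```

The point of the parent-process check is that every one of these commands is also legitimately used by administrators and backup software; what makes them an incident is the chain they appear in. Tune the scratch-directory list to where your own deployment tooling runs from, or the rule will page you for every software install.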
Once the ransomware has set itself up and established persistence, so that it survives shutdowns and reboots, it gets ready to take files hostage. It focuses on critical business files and information, but may attack any vulnerable system it can reach. It scans and maps the locations containing those files: on the local disk, on mapped network drives, and on unmapped but network-accessible shares. Many ransomware variants also look for cloud file storage repositories such as Box, Dropbox, and others, including their local sync folders. This stage, together with the staging commands that precede it, is the first real opportunity security analysts have to stop the ransomware kill chain before any data is damaged: enumerating thousands of files across shares is noisy and does not look like normal user activity.
The encryption stage is when the files discovered during scanning are encrypted. Older ransomware encrypted local files only, but newer variants go after backups first: they search for directories or files named in a date format (e.g., data20160323.bak) or carrying a .bak extension and encrypt those before anything else, so that the victim cannot simply restore. Because mass encryption can be noticed by anti-virus or EDR software, the ransomware typically starts with the files whose loss hurts most (business documents and other files with recent access dates) so that as much harm as possible is done before detection and containment take place.
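As an added example (not from the original post), the following Python shows the two signals a defender can use against the encryption stage: a burst of distinct-file modifications by a single process, with the backup-first behaviour and the extension change called out, and the near-maximal byte entropy of the ciphertext that gets written back. The events, window size, threshold and backup-name pattern are constructed for this example and are assumptions, not figures from the article.

```python
"""Encryption-stage detector over file-activity events.

Added example, not code from the original post. The events are constructed
to resemble what an EDR or file-audit log emits (time, process, operation,
path); the window, threshold and backup-name pattern are this example's own
assumptions, not figures from the article.
"""
import math
import ntpath
import re
from collections import Counter, defaultdict

# Backups the article says are hit first: a .bak extension or a date in the name.
BACKUP_NAME = re.compile(r"\.bak\b|(?:19|20)\d{6}", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Ciphertext sits near 8.0; documents do not."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Crude content check an EDR can apply to a freshly written file."""
    return shannon_entropy(data) >= threshold


def detect_encryption(events, window=10.0, threshold=20):
    """Flag any process that modifies `threshold` distinct files within `window` seconds.

    Returns one alert per offending process, noting whether its first touch was
    a backup and which new extensions it introduced through renames.
    """
    per_proc = defaultdict(list)  # process -> [(time, path, new_extension)]
    for e in sorted(events, key=lambda e: e["t"]):
        new_ext = None
        if e["op"] == "rename":
            old_ext = ntpath.splitext(e["src"])[1].lower()
            new_ext = ntpath.splitext(e["dst"])[1].lower()
            if new_ext == old_ext:
                new_ext = None
        per_proc[e["proc"]].append((e["t"], e["src"], new_ext))

    alerts = []
    for proc, touches in per_proc.items():
        start = 0
        for end in range(len(touches)):
            while touches[end][0] - touches[start][0] > window:  # slide the window forward
                start += 1
            in_window = touches[start:end + 1]
            distinct = {path for _, path, _ in in_window}
            if len(distinct) >= threshold:
                alerts.append({
                    "proc": proc,
                    "files_in_window": len(distinct),
                    "backup_first": bool(BACKUP_NAME.search(ntpath.basename(touches[0][1]))),
                    "new_extensions": {ext for _, _, ext in in_window if ext},
                })
                break  # one alert per process is enough
    return alerts


def _constructed_events():
    """Constructed sample: upd.exe renames the date-named backup first, then
    25 documents in under three seconds; Word re-saving one file is benign noise."""
    events = [{"t": 0.0, "proc": "upd.exe", "op": "rename",
               "src": r"D:\backups\data20160323.bak",
               "dst": r"D:\backups\data20160323.bak.locked"}]
    for i in range(25):
        events.append({"t": 0.5 + i * 0.1, "proc": "upd.exe", "op": "rename",
                       "src": rf"C:\Users\alice\Documents\report{i}.docx",
                       "dst": rf"C:\Users\alice\Documents\report{i}.docx.locked"})
    for i in range(5):
        events.append({"t": 1.0 + i, "proc": "WINWORD.EXE", "op": "write",
                       "src": r"C:\Users\alice\Documents\notes.docx", "dst": None})
    return events


SAMPLE_EVENTS = _constructed_events()
# Stand-ins for file contents: readable text versus a uniform byte distribution
# (real ciphertext is statistically indistinguishable from random bytes).
PLAINTEXT_SAMPLE = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged. " * 20
CIPHERTEXT_STANDIN = bytes(range(256)) * 8

if __name__ == "__main__":
    for a in detect_encryption(SAMPLE_EVENTS):
        print(a)
    print("plaintext entropy", round(shannon_entropy(PLAINTEXT_SAMPLE), 2))
    print("ciphertext entropy", round(shannon_entropy(CIPHERTEXT_STANDIN), 2))
```

Rate-based detection only pays off if the response is automatic: twenty files in ten seconds is already damage, so the alert should isolate the host or kill the process rather than wait for an analyst. Canary files placed where the scanner will find them early (a backup directory, an old-dated .bak) are a useful complement, since any write to them is an alert with no threshold to tune.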
As soon as encryption is complete, a ransom note is generated and shown to the victim, and the threat actors wait to collect. The note tells the victim the extent of the damage and how to recover the files. In the case of CryptoLocker, it even provided a fresh download link in case anti-virus had removed the malware from the system, along with instructions for disabling or uninstalling anti-virus programs and step-by-step directions for paying the ransom, usually in Bitcoin; it may take 2-3 days for the criminals to verify the payment. Once payment is verified, the threat actor delivers the private key; decryption starts after the key reaches the victim's machine, and ultimately the files are recovered, hopefully. Ransomware operations are run by criminal networks and organizations, not single individuals. There is no guarantee that the key will be delivered, that the decryptor will work on every file, or that stolen data will not be leaked or sold to someone else to increase the profits from the attack.
So what can you do to prepare for a ransomware attack?
It is no longer a matter of if, but when, your organization becomes part of the global statistics.
- Prepare for the likely event. Talk to your insurance carriers and make sure you have sufficient cybersecurity coverage. Proper coverage will not stop an attack, but it funds the containment, negotiation, and resolution work when one happens. Expect carriers to ask about the controls you already have in place; many now condition coverage on them.
- Preemptively conduct a data classification audit to identify sensitive data and take the time to map out the physical and logical locations where it resides. Socialize an isolation policy for sensitive information. Far too often, the controls are too relaxed to protect adequately against ransomware. This assessment must go far beyond determining who has access to what within your teams; it must dig deeper in order to isolate and contain the information. It involves reviewing the data and asking questions like:
  - Should we have this data in the first place?
  - How long should we keep it?
  - Who should have access?
  - Where should this information reside?
  - What authentication and verification process should we use to validate identity and authorize access?
- Next, run containment exercises to segregate sensitive data. A common misconfiguration is to co-mingle sensitive data with ordinary data on the same shares and rely on simple permissions for protection; because ransomware runs with the privileges of the user it infected, everything that user can write, it can encrypt.
- Hire qualified consultants to assess your security layers. There is no single silver bullet available today that will protect your organization 100%. Your best strategy is defense in depth: with each layer you increase the difficulty and cost for the threat actors, and with enough layers in place you can make your organization a less attractive target for cybercrime organizations. Make no mistake about it; ransomware is all about extorting money, and criminals prefer easy victims.
- In addition to your standard anti-virus and malware protection, implement an EDR (Endpoint Detection and Response) solution that can see the process and file activity described in the lifecycle above. Keep backups offline or immutable and test restoring from them regularly, since the encryption stage goes after any backup it can reach first.
Part 2 will discuss who needs to be involved in responding to a ransomware attack, and what documentation and institutional knowledge have to do with it.