Organizations globally are experiencing sudden operational disruptions combined with huge financial losses, all due to increasingly demanding ransomware attacks. If you’re located in the US, you’re probably familiar with the frantic search for gas in the spring of 2021 when ransomware stalled Colonial Pipeline’s transportation of oil across the east coast. At the same time in Ireland, healthcare patients were left stranded when both the Department of Health and Health Service Executive (Ireland’s public healthcare system) suffered a ransomware infection that shut down networks for weeks.
How can we maintain cyber resiliency against these growing attacks threatening operations in a variety of industries? Knowing how ransomware attacks happen and spread can help security teams identify attacks early, and reduce the time hackers have to move deeper into your system.
In this blog, we dive into how ransomware attacks happen and spread, and what indicators to look out for in each step. Ransomware can enter your network from a variety of sources (think infected email links sent to employees, pop-ups you click through quickly when entering a new website, etc.) but follows a relatively straightforward set of steps to access your organization’s valuable data.
Step One: Campaign Planning
Ransomware attackers aren’t targeting networks on a whim; they are often strategizing and planning out attacks similarly to how your organization might go about quarterly planning to hit your goals. Attackers are conducting research on the best organizations to target (likely those with the resources to pay a high ransom), and which organizations might be connected to each other.
The way ransomware attacks happen, spread, and turn a profit has led to the development of an entire industry in itself. Ransomware-as-a-service, used by the group behind the Colonial Pipeline attack, is when a “customer” or interested attacker purchases a ready-made ransomware kit (including pre-written code) that they can easily launch against a target organization, usually one with at least $1 billion in yearly revenue.
Needless to say, ransomware attacks are generally well thought-out to have the best return on investment for attack groups.
How to fight back during campaign planning: If your organization falls into a high-interest category for ransomware attackers, don’t wait to take action when ransomware hits: establish a dedicated task force specifically to identify and fight ransomware.
Step Two: Bait
In the bait phase of a ransomware attack, cybercriminals are identifying the tactics, techniques, and procedures (TTPs) they are going to utilize to access an intended network. This is when the mode of attack (maybe a website compromise or gaining access to a certain data repository), the type of injection method, and coding action plans for the intended attack are agreed on.
How to fight back during the bait phase: While it may be hard to predict how a ransomware attacker is going to approach your network, security leaders can stay ahead by keeping up with industry trends for how ransomware is targeting their peers. If a competitor announces a ransomware compromise that originated through an employee opening a compromised email, it might be short-sighted to celebrate their financial suffering. Instead, CISOs can advise teams to be on alert for similar attacks, hold mandatory employee training, and have a dedicated resource responding to employee phishing tickets.
Step Three: Injection
Once a ransomware group has planned and initiated the beginnings of a compromise, the next step is to take over network controls in small, subtle ways. Injection can include creating backdoor accounts, escalating privileges for ransomware gang members, and more. At this point the attackers have begun taking hold of company data and controls.
How to fight back during injection: While any one of these injection methods might not seem significant when identified individually, it is critical for security teams to have a complete view of network risks to identify dangerous trends as soon as they occur. With an objective view of your network, using technology like the Bitsight Security Rating and cybersecurity analytics platform, security leaders can be confident they aren’t missing key risk points that could indicate ransomware in its early stages of happening and spreading.
Step Four: Lateral Movement
As ransomware attackers gain access to more systems, they’re able to cross into connected networks to launch secondary attacks. This could be in a third party’s environment, or maybe through a subsidiary network or business unit. This phase of an attack might last weeks or months, with ransomware groups lingering in shadow environments even beyond an initial identification and remediation or payment cycle.
How to fight back against lateral movement: Organizations have seen success combating lateral movement by following a “zero-trust approach” to network security, meaning employees must have different accounts and log-ins to different programs, business unit networks, and high-stakes internal systems. It is also important to maintain visibility into potential ransomware impacting your third party networks.
Any ransomware attack that is happening and spreading through your vendor network might also be targeting you. With vendor scanning and historical performance data, vendor risk managers can act quickly when ransomware is present in their third party ecosystem, sometimes before a vendor has communicated the breach to them.
Step Five: Infection
In this phase, attackers can move forward with the “data stealing” now that they have mapped out where critical data lives. Ransomware groups will encrypt network files, cloud storage, backup systems, and critical data to prevent organizations from restoring their data and push them towards paying ransom.
How to fight back during infection: Besides the previously mentioned scanning and network monitoring technology to enable your team to act on ransomware indicators as efficiently as possible, the effectiveness of infection can also be mitigated using secure systems for data backup. With multiple types of data backup (using potentially costly solutions) organizations can reduce the effectiveness of a ransomware attack by eliminating the need to pay ransom.
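The infection phase described above leaves file-level traces a defender can watch for: bursts of writes whose content looks encrypted (near 8 bits of entropy per byte), renames to an unfamiliar extension, and a ransom-note drop. The following is an added example, not Bitsight’s code or any product’s detection logic; it scores constructed file events per host with assumed placeholder extension and note names, and it deliberately does not flag a host that merely writes one compressed archive.

```python
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class FileEvent:
    host: str
    path: str
    action: str            # "write" or "rename"
    content: bytes = b""   # new content for writes
    new_path: str = ""     # destination for renames

# Constructed placeholder values; real extensions and note names vary by family.
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt"}
NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore.txt"}

def _name(path: str) -> str:
    # Accept Windows or POSIX separators regardless of where this runs.
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_events(events, entropy_threshold=7.5, burst=3):
    """Per-host indicator counts plus a 'suspicious' flag: a burst of
    high-entropy writes combined with suspicious renames or a ransom note."""
    stats = defaultdict(lambda: {"high_entropy_writes": 0, "suspicious_renames": 0,
                                 "ransom_note": False, "suspicious": False})
    for ev in events:
        s = stats[ev.host]
        if ev.action == "write":
            if shannon_entropy(ev.content) >= entropy_threshold:
                s["high_entropy_writes"] += 1
            if _name(ev.path).lower() in NOTE_NAMES:
                s["ransom_note"] = True
        elif ev.action == "rename":
            if os.path.splitext(_name(ev.new_path))[1].lower() in SUSPICIOUS_EXTS:
                s["suspicious_renames"] += 1
    for s in stats.values():
        s["suspicious"] = (s["high_entropy_writes"] >= burst
                           and (s["suspicious_renames"] > 0 or s["ransom_note"]))
    return dict(stats)

# Constructed sample input: bytes(range(256)) * 16 is uniform, so entropy is exactly 8.0.
ENCRYPTED_LIKE = bytes(range(256)) * 16
PLAIN_TEXT = b"quarterly report, section 1 " * 100
SAMPLE_EVENTS = [
    FileEvent("fs01", r"\\share\finance\q1.xlsx", "write", ENCRYPTED_LIKE),
    FileEvent("fs01", r"\\share\finance\q1.xlsx", "rename", new_path=r"\\share\finance\q1.xlsx.locked"),
    FileEvent("fs01", r"\\share\finance\q2.xlsx", "write", ENCRYPTED_LIKE),
    FileEvent("fs01", r"\\share\finance\q3.xlsx", "write", ENCRYPTED_LIKE),
    FileEvent("fs01", r"\\share\finance\readme_decrypt.txt", "write", PLAIN_TEXT),
    FileEvent("ws07", r"C:\Users\a\notes.txt", "write", PLAIN_TEXT),
    FileEvent("ws07", r"C:\Users\a\archive.zip", "write", ENCRYPTED_LIKE),  # one archive is normal
]
```

Calling `score_events(SAMPLE_EVENTS)` flags fs01 and leaves ws07 clean; in practice the events would come from file-server audit logs or an EDR feed rather than a hard-coded list.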
Step Six: Extortion
This is when the ransomware attack usually becomes public knowledge. During extortion, organizations become aware of their compromised data, and how much money the bad actors are demanding in return for it. The compromised organization may face a complete or partial halt in company operations, which increases the pressure to work with the ransomware group.
Attackers often take it a step further and target organizations with double or triple extortion attacks. Double extortion is when ransom is demanded for the return of an organization’s data or compromised information, plus an additional ransom in exchange for not publishing exfiltrated data on the Dark Web. Some cyber criminals go even further and also target a business’s customer pool directly to demand payment in return for their personal data not being shared on the Dark Web. Triple extortion attacks are a bigger threat for industries like healthcare where there is obvious sensitive patient data to target.
How to fight back during extortion: There is an ongoing debate whether or not to pay ransomware groups during an attack, versus working to resume business operations or restore data in other ways (usually with extensive work from an organization's internal security team). Many security leaders hold the belief that paying ransom only incentivizes groups to conduct future attacks.
If a company decides to pay ransom, it is not guaranteed to get a full return of their data. Ransomware attack groups often are not operating with fully moral standards of deal-making, and are just as likely to leave an organization empty-handed after receiving payment.
When deciding how to fight back during a ransomware negotiation, an organization may find value in cybersecurity insurance plans that cover ransomware attacks. Alas, ransomware isn’t covered in many insurance options, and some security experts warn against insurance as it makes companies even more of a target.
What’s the Best Way to Move Forward?
Clearly, there are a lot of moving parts when it comes to defending against the steps to a ransomware attack. Across the board, security leaders agree that identifying ransomware attacks as soon as possible helps reduce the impact when a ransomware attack happens and spreads.
Gaining a complete view of your network, down to the indicators of ransomware infiltration, might be the best way to combat bad actors.