Ransomware. It is stealthy, entering unseen and moving undercover. It is patient, reconnoitering the environment until it finds the optimum weak point before striking. And it is thorough, often destroying any means of recovery. When ransomware strikes, it has prepared the way. And the results can be devastating. According to Trellix’s latest “Mind of the CISO: Behind the Breach” research, 95% of senior security decision makers admitted that their organization paid the ransom after an attack; with some paying as much as US$20 million.
We have seen this insidious pest grow in frequency and impact to become the number-one cause of anxiety for every CISO, irrespective of sector or geography. Ransomware has topped the rankings of common cyberattacks every year for the past decade. But perhaps the most alarming trait of the modern ransomware campaign is just how sophisticated it has become. And with sophistication comes boldness. Critical infrastructure — the US Colonial Pipeline, for example — and government agencies are now hit as commonly as the unwary student or the vulnerable senior citizen.
Understanding the ransomware process is the first step (of several) in building an effective defense. Ransomware actors use up to six phases to cause their damage, and while not all phases are used by all attackers, I thought it would be helpful to explore the warning signs and lifecycle of the thing every SOC leader fears most.
- Recon
The enemy scouts the land to determine if a target is worth the effort. Data is collected to pinpoint any vulnerabilities, including human weak points (employees). This information is publicly available, albeit sometimes on the Dark Web. At the end of this phase, the attacker will know a lot about the infrastructure and people involved, allowing them to plan a strike path. - Breach
Our assailant uses the information gathered in the previous step to hop the fence and gain a foothold. Perhaps recon revealed an unpatched software flaw and the attacker has exploited it. Or the threat actor used what they knew about an employee to hit them with a spear-phishing attack and steal their credentials. Whatever the method, once inside the corporate environment, the malicious party can install backdoors for persistent swift access and move on to the next phase. - Escalation
Once inside, the trespasser jimmies other doors looking for keys to other locks. They elevate their access and move laterally within the network, exploring its endpoints in search of other vulnerabilities and user accounts that can take the invader onwards and upwards. System after system, resource after resource, the attacker digs themselves into a foxhole from which they expand their capabilities. Their target data is a few short hops away. - Compromise
When their influence reaches critical mass, the threat actor can make their move and find the data that is of interest to them. They can siphon off the data at will and exfiltrate it. Be it personally identifiable information (PII), intellectual property, or credit card details, the thief now evaluates it in terms of what they think its owner would pay to get it back, or how much it would fetch on the Dark Web. The attacker stores copies on their own servers anticipating the possibility of discovery before they can complete subsequent steps. - Sabotaging continuity
The most effective (and impactful) ransomware attacks dismantle any system that could allow the target to easily recover. A payday is unlikely if a backup can put the organization back on its feet. Attackers will also interfere with any cybersecurity system that may alert the SOC to a malicious presence. This phase is about maximizing dwell time (once the basics of infiltration and exfiltration have been accomplished) and maximizing the probability of a payout. - Encryption
Now the ransomware payload is dropped. Systems are locked and the victim is contacted. Having informed the target that they are in control, the attacker makes their demands. Until their terms are met, business is at a standstill. The financial ramifications can be enormous even before ransom is paid, often pushing the victim towards capitulation. And the organization still must contemplate the damage to its brand, should the incident ever be made public.
Aftermath
Recovery, damage mitigation, and review are all cold comfort to a ransomware victim that has shelled out hundreds of thousands of dollars. But all are necessary if the organization is to prevent future attacks. It is important to discover where the exposure lies. Which systems were compromised? Has all malware been removed from infected devices? How can security measures be tightened? This is an opportunity for the organization to improve its threat posture and it should not be wasted.
For the victim, this could almost be seen as a seventh phase — one that is just as important as any initiated by the attacker. Eradication of the threat is critical to ensure that one does not have to deal with a persistent actor.
In looking to the future, organizations should implement extended detection and response (XDR). Widely regarded as the most effective defense against ransomware, XDR brings together disparate network and endpoint detection methods and mixes in AI to deliver the broad and deep visibility of the IT environment needed to thwart ransomware actors. Traditional point solutions that focus on endpoint protection alone are insufficient to guard against the threats presented by each attack phase described.
When XDR gets together with solid threat intelligence, defense postures benefit. Such a setup can deliver many valuable capabilities, such as real-time behavioral analysis or the ability to detect anomalies as the early phases of a ransomware attack get underway. XDR is a unified, centralized platform that empowers SecOps teams to spot sophisticated attack methods that traditional defenses miss. The team can then respond to ransomware attacks at the recon, breach, or even escalation phases.
And the hundreds of thousands of dollars on which the threat actor has set their sights can be saved.
