According to Cisco, ransomware is the most lucrative form of malware in history, and attacks are only expected to get worse, both in terms of the number as well as complexity. Hackers who once used ransomware as a tool to extort money from individuals are now leveraging advanced tactics to compromise data from large corporations with the intention of selling it for a profit.
We’ve talked at length about how to respond and recover to a ransomware attack, but it can helpful to understand what exactly such an attack entails. Insight like this can improve employee education. Knowing the various phases of an attack, along with best practices for preventing them, is key to avoiding costly and time consuming remediation.
That said, let’s take a look, step by step, at what happens when a ransomware attack is initiated.
Step 1 – Initial Infection (Estimated time: 1-2 seconds)
Most ransomware hackers gain access to a target network via social engineering, such as a phishing email. Educating employees on how to spot a phishing scam can dramatically reduce the risk to your organization by preventing successful breaches before they occur.
Step 2 – Execution (Estimated time: 0 – 5 seconds)
Once a malicious link is clicked or infected file opened, the ransomware is able to gain a foothold, quickly infiltrating the network and locking up files. In a matter of seconds, malware executables are released into the victim’s system where they begin to quickly wreak havoc.
Step 3 – Backup Corruption (Estimated time: 5-10 seconds)
The next step involves the ransomware virus targeting backup files and folders. This prevents the user from being able to backup corrupted files, which is what makes this type of malware so profitable. Victims often have no choice but to pay the fee or risk losing all of their data with no way to replace or restore it.
Step 4 – File Encryption (Estimated time: 10 seconds – 2 minutes)
Once the victim’s backups are successfully removed, the ransomware then executes a secure key exchange with the server, thereby putting encryption keys in place.
Step 5 – User Notification (Estimated time: 2-15 minutes)
With the victim’s backup files gone and the encryption successfully established, the final phase involves notification to the user and demand for the proposed ransom. In many cases, the user is given a specified amount of time in which to pay the fee or the amount will begin to increase.
Ultimately, your organization’s defense against these attacks will depend on your level of preparedness. Along with employee education, it’s equally critical to employ the right tools that will allow you to effectively monitor, detect, respond and eradicate these threats. Automated security playbooks, for example, initiate workflows which remediate affected devices while also preventing further propagation. Suspected attacks immediately trigger the playbook to automatically initiate remediation and mitigation procedures.