Understanding Ransomware: How it Works and How to Avoid It

“By failing to prepare, you are preparing to fail.” 

~Benjamin Franklin 

What is Ransomware?

Ransomware is malware that uses encryption to deny access to a user’s data until a ransom is paid. A ransomware attack can begin with malicious attachments and links in phishing emails, insecurely configured networks, an unwitting visit to an infected website, or the installation of a fake software update. These actions set into motion a series of events that allow threat actors to infiltrate the victim’s network, navigate through it, and eventually deploy the ransomware payload, setting up the path for extortion. Contrary to what users of a targeted network experience during the event, deployment of ransomware is not an instantaneous process. Instead, it is a symptom of an ongoing problem – the result of a series of unfortunate events. In most cases, it is also an indication that the network was previously compromised.

Ransomware & the Cyber Kill Chain

There are many different varieties of ransomware, but these attacks tend to follow similar patterns. In cyberattacks, patterns like this are sometimes called the “cyber kill chain”. The term “kill chain” has its origins in the military and is used to describe the steps an enemy follows during an attack. As it relates to ransomware, the cyber kill chain includes the following steps, which are carried out by the threat actor:

  • Reconnaissance – In this phase, the threat actor gathers information about the potential victim network. This can include both the technical layout and vulnerabilities of the network as well as information about people in the organization, gathered through social media and social engineering techniques. 
  • Weaponization – During this phase, the threat actor prepares for the attack, gathering the tools and techniques they will use against the targeted network. 
  • Delivery – This is the phase of the attack when the threat actor delivers the tools they need to carry out the attack to the victim network. This is accomplished through malicious downloads, phishing attacks, successful brute force attacks, and successful delivery of malware. 
  • Exploitation – In this phase, the attacker carries out the actual attack to compromise the network. They take advantage of previously identified vulnerabilities to penetrate the network in order to run exploits on the targeted network. 
  • Installation – In this phase, after establishing their presence in the network, the attacker installs malware or executes a file-less attack. 
  • Command and Control – Once the network has been compromised and malware is running on the affected systems, software beacons may be deployed to establish communications with a Command and Control server under the control of the threat actor. 
  • Actions and Objectives – After the threat actors have entered the victim’s network and have established a foothold to work from, they can carry out their objectives. These may include data exfiltration (theft), corporate espionage, monetary gain, political gain, or a combination of these and other motivations. 

Don’t Be the Low Hanging Fruit!

Before the traumatic blow of ransomware-based encryption hits a network, a whole sequence of events happens that is largely invisible to the end user. Even before a victim network is selected by a threat actor, reconnaissance efforts are underway. The attacker usually seeks to identify easy targets – the low-hanging fruit – for attack. In order to do this, they may use publicly available security tools such as Shodan or may use information provided by other threat actors. While they do sometimes happen, there are actually very few specifically targeted ransomware attacks that are carried out against preselected organizations. If your organization takes steps to avoid being that easy target, much of the risk associated with ransomware attacks can be alleviated.

Once a target network has been identified, behind the scenes a threat actor goes to work to begin the attack. The threat actor may carry out a long-term brute force attack against a publicly facing Remote Desktop Protocol (RDP) port. Or maybe they have succeeded in scanning for an unpatched software vulnerability that can be exploited to gain access to the network. Maybe an employee has visited a compromised website and malicious software was downloaded to their workstation without their knowledge; or they clicked on a malicious document attached to an email and didn’t think much of it when the attachment didn’t open. Perhaps an outside vendor with legitimate access to the company’s network has had the credentials for their remote management software stolen in a separate cyber-attack. In some cases, multiple methods are used to deliver malware or begin a file-less attack to gain access to a network.

These – or other similar threats – are all ways to gain access into the targeted network from the outside. If your organization works to proactively detect attacks, patch vulnerabilities, and educate users, the ransomware threat can be further reduced. 

A Silent Presence

Once a threat actor is in the network, they are unlikely to immediately announce themselves or claim a loud victory. Instead, they lay low, and they work quietly to establish and strengthen their foothold on the network. Once inside, the threat actor will often scan the network for attached devices and workstations. They may gather information on backup systems and antivirus protection software. And they will often use password-stealing software such as Mimikatz to gather the usernames and passwords of as many users as possible.

Or maybe they have already collected usernames and passwords using banking Trojans such as Emotet, Trickbot, or Dridex, deployed via PowerShell when an employee clicked on a malicious document file as part of a phishing attack. These malware outbreaks are often perceived to be separate incidents, unrelated to the subsequent ransomware attack. Instead, they are precursors.

The threat actor will next take actions to escalate their own privileges and access to the affected network as much as possible. They may deploy a toolkit that includes a combination of malware and legitimate IT tools to be used for illegitimate purposes. This can include installation (or takeover) of Remote Access Tools which can give the attacker on-demand access to the contents of the network. At this point, the threat actor may take the time to poke around in the network looking for valuable data and may exfiltrate (steal) information at their leisure. 

The threat actor also commonly uses initial network access as an opportunity to establish persistence on the network. In other words, they install back doors, create tasks or scheduled events, or create new users with administrative privileges. These steps allow them to regain access to the network in the event their presence is detected and clean-up efforts are undertaken. 

A Break in the Action

In many cases, we find that the initial attack pauses at this stage, after the network is compromised and user credentials have been harvested. At this point the initial threat actor may take the information they have about the network vulnerabilities they have identified and/or created and the user credentials or other stolen data, and sell these on the dark web or pass them on to a separate set of attackers to escalate the attack into the next phase. Transfer of information from one threat actor to another may take a few days, weeks, or even several months. While the transfer of information between attackers is in progress, time passes and the continued presence of the invader on the system usually remains unnoticed. To the network end user, things look and seem normal. 

Disaster Strikes

After a period of relative quiet, the attack resumes. This is finally the point at which the ransomware attack becomes obvious to the end users of an affected network. Using the previously identified or created access points, the threat actor enters the compromised network to carry out their end objective. At this point, finally, the attacker downloads and executes the ransomware executable file, begins the encryption process, and delivers the ransom note. As part of the ransomware attack, they may tamper with antivirus software settings; delete, corrupt, disable, or encrypt backups so they are unusable; and delete volume shadow copies, so that the potential for successful use of data recovery methods other than ransom payment is greatly reduced.

Though the ransomware attack outwardly seems sudden, in reality, the network may have been compromised by the attacker or multiple attackers for months. Now the ultimate moment of monetization for the threat actors has arrived. By this time, access to the compromised network may have been passed from attacker to attacker, and the current threat actor may hold a significant amount of knowledge about the affected network – usernames and passwords, what sort of business is involved, where backups are located, and what sort of backup systems are in place, etc. This information is often leveraged in ransom negotiations after a successful attack and can drive up the ransom price. 

While many times the motivations of threat actors are purely financial in nature, they may also include political, corporate espionage, or military intelligence gains. There are times when data exfiltration may have already occurred well prior to the deployment of ransomware, or when the threat actor maintains an ongoing presence in the affected network and may come back to re-ransom the same organization. 

The good news is that during each of these phases of an attack, there are steps that can be taken to identify and reduce the threat, and ultimately prevent the successful deployment of these attacks. 
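As an added example (not part of the original article), the precursor activity described in the sections above can be looked for in security event logs well before the encryption stage: a long-running RDP brute force, a new account placed in the local Administrators group, a freshly created scheduled task, and a process deleting volume shadow copies. The Python below runs those checks over constructed sample records in a simplified Windows security log shape; the event IDs are real Windows IDs, while the hosts, addresses and account names are made up.

```python
from collections import Counter

# Constructed sample records (illustrative, not real telemetry). Real Windows event IDs used:
# 4625 failed logon (logon type 10 = RDP), 4720 account created, 4732 member added to a local
# group, 4698 scheduled task created, 4688 process created.
SAMPLE_EVENTS = [
    *[{"id": 4625, "host": "rdp-gw", "src": "203.0.113.5", "logon_type": 10} for _ in range(6)],
    {"id": 4625, "host": "rdp-gw", "src": "198.51.100.9", "logon_type": 10},
    {"id": 4720, "host": "dc01", "user": "svc_update"},
    {"id": 4732, "host": "dc01", "user": "svc_update", "group": "Administrators"},
    {"id": 4698, "host": "ws07", "task": "\\Updater"},
    {"id": 4688, "host": "fs01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "fs01", "cmdline": "notepad.exe report.txt"},
]

def rdp_bruteforce_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed RDP logons: the long-term
    brute force against an exposed RDP port described in the article."""
    fails = Counter(e["src"] for e in events if e["id"] == 4625 and e.get("logon_type") == 10)
    return sorted(src for src, n in fails.items() if n >= threshold)
def new_admin_accounts(events):
    """Accounts created (4720) and then added to Administrators (4732): a persistence step."""
    created = {e["user"] for e in events if e["id"] == 4720}
    return sorted(e["user"] for e in events if e["id"] == 4732
                  and e.get("group") == "Administrators" and e["user"] in created)
def scheduled_tasks(events):
    """Newly created scheduled tasks (4698); each one deserves a look on a quiet network."""
    return sorted(e["task"] for e in events if e["id"] == 4698)
def shadow_copy_deletions(events):
    """Process creations whose command line deletes volume shadow copies via vssadmin."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        words = e["cmdline"].lower().split()
        exe = words[0].rsplit("\\", 1)[-1] if words else ""
        if exe in ("vssadmin", "vssadmin.exe") and {"delete", "shadows"} <= set(words):
            hits.append((e["host"], e["cmdline"]))
    return hits
def precursor_report(events):
    """Non-empty findings keyed by precursor name; an empty dict means nothing matched."""
    findings = {
        "rdp_bruteforce": rdp_bruteforce_sources(events),
        "new_admin_accounts": new_admin_accounts(events),
        "scheduled_tasks": scheduled_tasks(events),
        "shadow_copy_deletion": shadow_copy_deletions(events),
    }
    return {name: hits for name, hits in findings.items() if hits}
```

Any single finding is only a lead; the value of these checks is that they fire during the quiet phase, when the intruder is still harvesting credentials rather than encrypting.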

Your best next step:

Take the Tetra Defense Ransomware Stress Test to see where your organization stands now.
