Television and movies would have us believe cybercriminals have to execute complex plans that involve rappelling from rooftops and avoiding lasers to break into our networks. In reality, it only takes a well-crafted email and a distracted person to start a chain of events that can cost millions of dollars to repair. While that seems like a simple problem to solve, multiple layers of security controls needed to fail for the ransomware attack to succeed. First, the email needed to bypass the spam and phishing filters to arrive in the user’s inbox. With the billions of spam messages created each day, the possibility of one or more getting through your defenses is not unreasonable. Next, the attachment or URL needed to bypass the local antimalware software and the web security gateways to download the main payload which also had to be missed. And of course, the network-monitoring tools had to miss the malware spread as it infected other systems and encrypted files. The point is, even when using simplified ransomware examples, a lot must go wrong for a ransomware attack to be successful, but that has not stopped ransomware attacks from becoming a multi-billion-dollar industry. Given that, let’s look at what’s happening under the covers during an attack and discuss some ways you can improve your odds of early detection that don’t necessarily have to do with the security architecture.
Starting with phishing emails and malicious attachments
Since the example above started with phishing emails and a user, let’s start there. Spam and phishing attacks have been the most popular way cybercriminals have inserted malicious code into corporate networks for decades. Phishing emails have become extremely convincing over the past few years. Looking for misspelled words or poor grammar are still valuable, but today’s spam looks and reads like legitimate messages. Most law enforcement agencies recommend training users to slow down and think critically about the message they are receiving is critical to stopping cyberthreats from gaining access to sensitive data. It’s also been shown that allowing employees to feel they are part of the solution will foster a shared sense of purpose and provide benefits security software can’t. As an example, here’s a screenshot of a message I received.
This phishing email is so convincing because the attackers literally copied a real Amazon message to eliminate the telltale signs users have been told to look for. There were several small technical things that gave it away as spam, like the email headers not coming from the right domain, but the biggest indicator was the address it was sent to isn’t associated with an Amazon account. Again, slowing down and thinking critically was a better solution than investing in more antimalware software.
How ransomware attacks work
The phishing attack made it to the user, and they clicked a link. What happens next?
Step 1: Infection
This step should really be called deployment since it involves the download and execution of a fully-functioning, malicious software that spreads laterally through the network to infect as many systems as possible. In this case though, the system that was initially compromised could be viewed as patient zero who brought the disease of malware into the network and allowed it to spread. During this stage, it’s possible for the endpoint protection software to block the attack, but if it is not detected, the user may see an impact to the performance of their system.
Step 2: Staging
Once the malware payload has spread, it will begin to modify the operating system to ensure persistence. Communication may also begin with a command and control (C2) network that will allow a bad actor to access the network directly. Assuming the endpoint and network detection tools don’t find the activity, you may see seemingly benign increases in network traffic and attempts to access websites and systems on the internet that are not commonly accessed.
Step 3: Scanning
Scanning can take many forms. Some ransomware will scan for specific file types to encrypt while others will focus on the storage arrays taking a wider brush to data discovery. Still others will scan for open ports and vulnerabilities that can be exploited as part of a more direct action. Network traffic will increase during this stage and network monitoring tools will see a spike in traffic.
Step 4: Encryption
Once the ransomware has spread as far as it can or a specified amount of time has passed, the process to encrypt files will begin. A user’s files that are stored locally can be encrypted almost immediately while files stored on the network may be limited to the speed of the operating systems that access it. That said, given the speed of modern networks, there will be little to no time to interrupt the process. As the encryption process is happening, attackers may also begin to exfiltrate data to request multiple ransoms.
Step 5: Extortion
Once you have lost access to your data, the attackers will provide a ransom note which will explain that your data is being held hostage and provide the amount and method of payment (usually cryptocurrency) as well as a time limit for the payment. The note will also outline what will happen to the encrypted data if the ransom isn’t paid. Interestingly, the ransomware attackers have adapted to the fact that not everyone knows how to use cryptocurrency and have begun to provide instructions for setting up an account. Some have gone so far as to provide a support channel to help victims with the process of paying the ransom. In theory, once the ransom is paid, the attacker will send the decryption key to restore access to the encrypted files on the victim’s computer. The ransomware victim may also be promised that they will remove the ransomware and delete any stolen data.
What can you do to reduce your risk and prevent ransomware attacks?
Companies have invested millions of dollars in security software, but we’ve seen how clicking on a phishing email with questionable file attachments can quickly escalate to a full-scale disaster. Knowing we can’t block all malware attacks, it’s important to look at what can be done to reduce the risk of a cyberattack and limit the damage that can be done. While it’s not possible to buy another tool and call the problem solved, there are several things you can do with your current resources to improve your security posture.
After looking at ten years of ransomware statistics, some patterns have emerged that lead to the need for better cyber hygiene. Most attacks have exploited poor password policies or a lack of multi-factor authentication. The spread of ransomware can be linked to a lack of segmentation and poor access controls, and the attacks often exploit unpatched vulnerabilities. A quick fix would be to create a strong password policy and provide end users with a password manager along with education on how to use it. Enabling multi-factor authentication where you can is a key component of most cyber insurance policies and can significantly reduce the risk of unauthorized access.
Longer term, creating a patching schedule that includes the proper amount of testing but is flexible enough to address emergency issues can remove vulnerabilities from the network. This should include weighing (and documenting) the risks of the vulnerability verses applying a patch that may not have been fully tested.
Segmentation can be complicated by the organic growth of an organization and in many cases requires an overhaul of the infrastructure. Done correctly at both the network and application levels can limit the spread of ransomware and reduce the organization’s overall exposure to attack. Of course, due to the dynamic nature of most organizations, plans should be put in place to audit these controls on a regular basis.
As we’ve discussed it only takes a well-crafted email and a distracted person. Implementing a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity can go a long way to stopping attacks from starting. Conduct organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails.
Following your vendor’s best practices for hardening your environment should be standard practice. The U.S. government agencies like CISA have included a list of general recommendations and checklists in their Ransomware Guide. Also, joining information-sharing groups can help you identify new ways to enhance your protection.
- Multi-State Information Sharing and Analysis Center (MS-ISAC): https://learn.cisecurity.org/ms-isac-registration
- Sector-based ISACs: MEMBER ISACS | natlcouncilofisacs (org
- Information Sharing and Analysis Organization: Information Sharing Groups – ISAO Standards Organization
Secure backup is your last line of defense
The most reliable way to regain access to your files is to ensure you have secure backups for all your files. To avoid the worst-case scenario of paying the ransom, you need a plan in place that includes verified, tested and secure backups that can be restored quickly. Rapid, reliable recovery is an integral part of the overall cybersecurity incident response process and must be thoughtfully planned out just like the rest of your security architecture.
Of course, ransomware attackers will do anything to ensure the backup files are not available and will exploit security holes in the backup infrastructure to make sure the only way to regain access to your files is to pay the ransom. This means that even the backup systems should be able to alert administrators if there are changes to the schedule or the backup jobs.
Ransomware scams aren’t going away anytime soon. It is simply too easy and too profitable to hold data hostage on an infected system and have a ransom demanded. That said, the types of ransomware are starting to change from screen-locking ransomware to multi-stage attacks that both encrypt files and steal them from infected devices. Mobile ransomware attacks are on the rise as well and demonstrate the evolution in attack methods is continuing and we as defenders need to stay vigilant to make sure we don’t become the next ransomware victims.