Go to listing page

How Advanced Ransomware Attacks Work? - A Six Stage Process

How Advanced Ransomware Attacks Work? - A Six Stage Process

Hardly a day passes by when we don’t get to hear about ransomware attacks in some corner of the globe. Ransomware has become one of the greatest threats of all times on the web. The adversaries involved continually look for ways to monetize their effort for surreptitiously encrypting data, whose decryption key is held back for ransom. The more valuable the data, the higher could be their ransom demand. In many cases, these crooks know who or what they are going after. They study their target—individuals or organizations—and ensure that copies of the data are not available elsewhere for an easy restoration.

Here we discuss a six-stage strategy for an advanced ransomware attack.

Reconnaissance: Attackers begin by reviewing and accumulating information on the target. For a company, they want to know who are all the employees and perhaps their email addresses. Through this, attackers get more information on an employee’s activity from forum posts, blog comments, site registrations, and more. They may read through their social media feeds and newsletters, job postings, press releases, and company reports.

Groomed attackers usually build a dossier for key employees, tech analysis, and organizational processes from the gathered information. It may also include partners, contractors, and other third parties that often interface with the target company.

Penetration: Now, the attackers are ready to penetrate your secured network by launching a spear-phishing campaign or whaling attacks on individuals in the business. How do they do it? They might craft a sophisticated email (using info from the dossier) referring to an event or routine engagement and share it with an individual in the targeted company. The email, generally, contains malicious payload specifically designed to circumvent network controls.

The attacker is only setting up their staging area till this point. Though, for attackers, high-value targets work the best, but advanced attacks exploit other individuals as well. Malicious codes today can spread from machine to machine once a target fall for the phish.

Reinforcement: Attackers have to hide the evidence of their entry into the foreign network. They establish redundant methods of accessing the device, and methods to reinfect components during the reinforcement stage. Also, attackers would not appreciate if somebody else entered their territory. Their payloads have protected codes that prevent the infected assets from other attacks. Hence, other hackers cannot reach the same machine and inadvertently call attention to its activities.

Infiltration: At this stage, attackers up their game and look for higher-value accounts to gain access to more sensitive information and assets to exploit and bypass technical controls. The tactic is used to disrupt backup and archival processes.

However, some attackers may just steal data in this phase which they find holding some price value for selling purpose or to be used in additional attacks.

Taking reins: The stage is set for manipulation. Some of the tasks attackers perform at this stage include altering backup routines, removing the backup configuration for target, purging some data, etc. They may modify backup procedure documentation procedure to increase difficulties for the defenders. Attackers may also introduce flaws in software to make it harder to conduct a restore or modify backup documentation.

Ransom: Finally, attackers execute the malicious program—yes! the ransomware—to data stores where the target data rests. The attackers may even time this stage so as to have the highest impact, such as during mergers, acquisitions, or before a major announcement for the organization.

They may use any type of ransomware as long as it effectively gives them the authority over hacked data or network. Attackers clear off archived copies of the data when data is distributed across many different devices, servers, and locations. Any evidence that could lead back to the attackers is wiped off, except for some avenues for a return visit to demand ransom.

Cyware Publisher