January 23, 2023

The 5 Stages of a Ransomware Attack

  • Ransomware
  • Cybersecurity

In the world of cybersecurity, ransomware attacks have been dominating headlines over the past couple of years. Consider the attack on Colonial Pipeline, one of the largest pipeline operators in the United States.

In May 2021, a Russia-linked cybercrime group managed to gain entry into Colonial Pipeline’s network through a VPN account. They then infected the company’s IT network with ransomware that shut down many digital systems and halted pipeline operations for several days. The attack and subsequent interruption affected fuel along the East Coast. Moreover, the attackers successfully stole almost 100GB of data. They also locked the company’s computers and demanded a ransom of almost $5 million in exchange for unlocking them.

The incident highlights the possible impact and costs of ransomware attacks, which according to some estimates cost the world $20 billion in 2021 and will cost a staggering $265 billion by 2031. And like almost all modern-day sophisticated ransomware attacks, the attack on Colonial Pipeline involved multiple stages.

For organizations, ransomware protection starts by understanding the ransomware attack kill chain. Knowing and understanding the various stages of the ransomware kill chain can help organizations to prepare against ransomware threats and act quickly to minimize damage if an attack does happen.

The 5 Stages of a Ransomware Attack Kill Chain

Attackers typically go through five phases when perpetrating a ransomware attack. These phases are:

1. Identify the target

Before an attacker can deliver ransomware to an organization, they first identify the target. This first step is important because ransomware attacks are typically directed at specific organizations. Often, ransomware relies on email addresses to deliver an infected payload, i.e., malware, to the target organization. The target may be chosen at random from mass email lists, or the attacker may target a specific company or user through a spear phishing campaign.

The attacker may also deliver ransomware through infected websites by exploiting open vulnerabilities in web browsers. The malware may be a crypto ransomware that encrypts the files and data within a system, a locker ransomware that makes files and applications inaccessible, a scareware that scares a victim into paying a ransom, etc.

How to protect the organization in this phase

It may be possible to stop the ransomware attack in this phase and prevent it from moving on to the next. One way is to implement email filters that keep spam messages out and prevent users from clicking on malicious links or downloading malicious attachments. Endpoint detection, regular patching (e.g., of web browsers), and security awareness training are also useful protective controls in this initial phase.

2. Distribute the payload

Here’s where the attacker distributes the infected payload to the target organization. Commonly, they attempt to get users to click on an infected link or download a malware-infected attachment. When the user interacts with the link or attachment, the malware gets delivered to their system.

Once this happens, their system becomes encrypted. In order to decrypt it, they will need a decryption key, which the attacker promises to provide in exchange for a ransom payment (hence the name ransomware).

How to protect the organization in this phase

File and process monitoring can help security teams to identify and remove infected payloads. Organizations should also implement the principle of least privilege (PoLP) to control access and ensure that users don’t inadvertently install malware on one or more systems.

3. Communicate with a C&C server

Once the ransomware enters the target system, it establishes a connection with the attacker's command and control (C&C) server, which is an external domain where the ransomware relays information about the infected systems. It may also retrieve encryption key data and other instructions from the server.

The C&C server acts as the ransomware “headquarters”, sending commands to infected systems and receiving stolen data from them. By establishing C&C communications, the attackers can move laterally inside a network. In recent years, many ransomware attackers have started using cloud-based webmail and file-sharing services, which allows the C&C server to avoid detection by enterprise security tools.

How to protect the organization in this phase

PoLP remains an effective control for this phase. It will ensure that users don’t have admin rights to their machines so the malware can’t do much damage even if the user interacts with a bad link or attachment.
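As an added illustration (not code from the original post or from ForeNova’s products), the regular check-ins described above can be spotted in proxy logs even when the destination is an ordinary cloud webmail domain, because a human user does not contact the same host at a fixed interval. The log lines, hostnames, domains and thresholds below are constructed for this example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): epoch seconds, source host, destination domain, bytes sent.
# ws-17 checks in with the same webmail domain every 60 s; ws-22 uses it the way a person would.
SAMPLE_LOG = """\
1674460800 ws-17 mail.example-webmail.test 512
1674460860 ws-17 mail.example-webmail.test 520
1674460920 ws-17 mail.example-webmail.test 498
1674460980 ws-17 mail.example-webmail.test 515
1674461040 ws-17 mail.example-webmail.test 505
1674460830 ws-22 mail.example-webmail.test 4096
1674461200 ws-22 mail.example-webmail.test 65536
1674461215 ws-22 mail.example-webmail.test 2048
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Return (timestamp, host, domain, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, domain, size = m.groups()
            events.append((int(ts), host, domain, int(size)))
    return events

def find_beacons(events, min_hits=5, max_jitter=0.2):
    """Flag (host, domain) pairs whose inter-arrival gaps are regular (jitter = stdev/mean).
    Thresholds are assumptions for this example; a real detector would also exclude known pollers."""
    by_pair = defaultdict(list)
    for ts, host, domain, _ in events:
        by_pair[(host, domain)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 1.0  # all hits at one instant: not a beacon
        if jitter <= max_jitter:
            flagged[pair] = {"hits": len(stamps), "interval_s": avg, "jitter": round(jitter, 3)}
    return flagged

if __name__ == "__main__":
    for pair, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print("possible beacon:", pair, info)
```

Only the ws-17 pair is reported; ws-22’s three irregular visits to the same domain fall below the hit count and have no fixed interval.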

4. Spread

After establishing a C&C connection, the malware will try to steal credentials in order to move laterally across the network and access more accounts. It will also search for more files to encrypt, both on the local system and other systems/networks that it can now access through lateral movement.

When this happens, the attacker has successfully scaled up the attack and can therefore demand a bigger ransom from the affected organization in exchange for providing the encryption key or for unlocking the systems.

How to protect the organization in this phase

Monitoring the network, processes, and file activity can be helpful in this stage as well. Keeping an eye on these activities could help well-trained security teams to detect malware activity and act early to prevent it from propagating, say, by isolating the infection or quarantining an infected system.
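The file-activity monitoring suggested above can be turned into a concrete rule: a single process renaming many files to a new extension within seconds, including files on network shares, is the signature of the spread stage. The example below is added here and is not code from the original post or from ForeNova; the process names, paths, file servers and thresholds are constructed for the illustration.

```python
import ntpath
import re
from collections import defaultdict, deque

# Constructed endpoint file events (not real telemetry): epoch seconds, process, action, path(s).
# updater.exe renames documents to .locked on the local disk and on two file-server shares within seconds.
SAMPLE_EVENTS = r"""
1674464000 winword.exe rename C:\Users\a\Documents\~tmp1.tmp -> C:\Users\a\Documents\q1.docx
1674464300 updater.exe rename C:\Users\a\Documents\q1.docx -> C:\Users\a\Documents\q1.docx.locked
1674464301 updater.exe write C:\Users\a\Documents\q1.docx.locked
1674464302 updater.exe rename C:\Users\a\Documents\q2.xlsx -> C:\Users\a\Documents\q2.xlsx.locked
1674464305 updater.exe rename \\fs01\finance\ledger.xlsx -> \\fs01\finance\ledger.xlsx.locked
1674464306 updater.exe rename \\fs01\finance\budget.docx -> \\fs01\finance\budget.docx.locked
1674464309 updater.exe rename \\fs02\hr\payroll.csv -> \\fs02\hr\payroll.csv.locked
"""
RENAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+rename\s+(.+?)\s+->\s+(.+)$")

def parse_renames(text):
    """Return (ts, process, old_path, new_path) for rename lines; writes and junk are ignored."""
    out = []
    for line in text.splitlines():
        m = RENAME_RE.match(line.strip())
        if m:
            ts, proc, old, new = m.groups()
            out.append((int(ts), proc, old, new))
    return out

def find_mass_renames(events, window_s=60, threshold=5):
    """Per process, count extension-changing renames inside a sliding window and alert once the
    count reaches `threshold`. Window and threshold are assumptions for this example, not tuned values."""
    by_proc = defaultdict(list)
    for ts, proc, old, new in events:
        if ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower():
            by_proc[proc].append((ts, new))
    alerts = {}
    for proc, items in by_proc.items():
        window = deque()
        for ts, path in sorted(items):
            window.append((ts, path))
            while ts - window[0][0] > window_s:
                window.popleft()
            if len(window) >= threshold and proc not in alerts:
                # UNC paths (\\server\share\...) show the process reaching other systems, i.e. spread.
                hosts = sorted({p.split("\\")[2] for _, p in window if p.startswith("\\\\")})
                alerts[proc] = {"first_seen": window[0][0], "renames": len(window), "network_hosts": hosts}
    return alerts

if __name__ == "__main__":
    for proc, info in find_mass_renames(parse_renames(SAMPLE_EVENTS)).items():
        print("possible ransomware spread:", proc, info)
```

The benign winword.exe rename (a temp file becoming a .docx) is an extension change too, but one event in the window never reaches the threshold; the alert names the file servers touched so the responder knows which systems to isolate first.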

5. Exfiltrate data

In this stage of the ransomware lifecycle, the attacker starts encrypting local and network files and/or exfiltrating the data in those files. They will communicate with the target organization, usually by posting a threatening message on one or more infected machines. The message may say something like, “The contents of this machine are encrypted. Send us X amount of bitcoin to get a decryption key and retrieve your files.”

Crypto ransomware and lockers are two of the most common types of ransomware employed by attackers. However, the ransomware may also be doxware or leakware. With this type, the attacker threatens to distribute or publish the company’s sensitive or business-critical information online (usually on the dark web).

How to protect the organization in this phase

Before this phase is reached in the ransomware kill chain, affected organizations could attempt to decrypt the encrypted files using decryptor tools, many of which are free to download and use. Several vendors provide free decryptor tools, including Avast (Babuk, Globe, Troldesh), AVG (BadBlock, SZFLocker), and Kaspersky (Wildfire Decryptor, Rannoh Decryptor).

The best strategy is to avoid reaching this stage and risking the loss of access to important files or data. That’s why it’s important to implement all the required controls in the earlier stages. It’s also a good idea to take regular data backups to ensure that the pre-infection files can be restored to the best possible extent.

Ransomware Payments: To Make or Not to Make

The FBI recommends that organizations should not pay a ransom in response to a ransomware attack because they believe that “paying a ransom doesn’t guarantee you or your organization will get any data back”. Even so, many companies ignore this advice and pay the ransom.

One example is Colonial Pipeline, which paid the demanded ransom of $5 million just one day after learning about the attack. Although they were able to recover $2.3 million from the hacker group, the incident shows that many organizations are all too desperate to get the decryption key from the attackers and get their files and data unlocked. This explains why almost 63% of victim organizations paid ransoms in 2022. However, only 72.2% recovered their data after paying the ransom, which shows that unscrupulous attackers often don’t provide the encryption key even after their ransom demands have been met.

Any organization can find itself in such a situation. That’s why instead of assuming that they must bend to the attacker’s will and pay them off, they should at least try to recover their encrypted files on their own using decryptor tools. It’s also essential to report the attack to law enforcement who could help identify the perpetrators and recover the company’s encrypted or locked data.

How ForeNova Can Protect Your Organization Against Ransomware and Increase Its Resilience

ForeNova’s ransomware detection and response solution is a proven and reliable way to block every step in the ransomware kill chain. Our complete, holistic security solution called NovaCommand can protect you from ransomware attacks. More importantly, it can prevent and mitigate such attacks in real-time.

Another ForeNova offering, NovaMDR, is also a powerful way to stay safe from ransomware. NovaMDR will monitor your endpoints, network, cloud, and identities 24x7 to detect and quickly respond to even the most sophisticated ransomware attacks. Leverage its unique combination of human-machine intelligence to strengthen your organizational security – minus operational overheads and staffing complexities.
