
Life Cycle of a Ransomware Attack

As today’s cybercriminals grow more sophisticated, they have more forms of ransomware and more vectors through which to launch attacks on organizations than ever before. Even as companies develop more effective countermeasures, criminals adjust tactics and tooling to circumvent their efforts.

But although ransomware attacks can seem a bit mysterious, they usually follow the same basic structure. Once you understand how these attacks work, you can prepare a more comprehensive mitigation strategy that will hopefully negate or lessen the effects of an attack.

Here’s a closer look at the anatomy of a ransomware attack, including how the attacker gains access to and infects a system. 


Infection and Distribution Vectors

Ransomware is a type of malware used to encrypt important computer files or sensitive data for ransom. Infections occur when ransomware is downloaded and installed on devices across an organization’s network.

Ransomware can gain access to the target system in several ways. The most common way is through phishing emails that contain a link to a compromised website or an attachment with malware embedded in it. When the user clicks the link or attachment, the malware is downloaded and executed on the computer system. 


Remote Desktop Protocol (RDP) is another common ransomware attack vector because it’s easy to use and can give an attacker high-level access. In fact, in 2020, RDP was the initial attack vector in half of all reported ransomware cases.

Compromised RDP access can be bought on the dark web, and finding an exposed RDP connection is just a matter of creating a script that scans for the default port. Hackers often have access to the same tools as security professionals and can scan the entire internet for an open port in less than a minute. 
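Because exposed RDP is found by scanning for the default port, defenders can audit their own rule sets for the same exposure before anyone else finds it. The following is an added example, not code from the original article: the rule format, rule names and the list of internal ranges are assumptions made for illustration, and rule ordering (an earlier deny overriding a later allow) is not modeled.

```python
import ipaddress

RDP_PORT = 3389  # default RDP port, the one the article says is scanned for

# Assumption: sources inside these ranges count as internal for this audit.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample rules in a simplified, hypothetical format
# (not any vendor's export schema).
SAMPLE_RULES = [
    {"name": "web-https", "action": "allow", "proto": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "rdp-any", "action": "allow", "proto": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
    {"name": "rdp-vpn", "action": "allow", "proto": "tcp", "ports": "3389", "source": "10.8.0.0/24"},
    {"name": "mgmt-range", "action": "allow", "proto": "tcp", "ports": "3000-4000", "source": "::/0"},
    {"name": "rdp-wide", "action": "allow", "proto": "any", "ports": "22,3389", "source": "203.0.113.0/24"},
    {"name": "rdp-deny", "action": "deny", "proto": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
]

def covers_port(spec, port):
    """True if a spec such as '443', '22,3389', '3000-4000' or 'any' includes port."""
    if spec == "any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def is_internal(source):
    """True if the whole source network sits inside one of the INTERNAL ranges."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def exposed_rdp_rules(rules):
    """Names of allow rules that let a non-internal source reach the RDP port."""
    return [r["name"] for r in rules
            if r["action"] == "allow"
            and r["proto"] in ("tcp", "udp", "any")
            and covers_port(r["ports"], RDP_PORT)
            and not is_internal(r["source"])]

if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print("RDP reachable from outside internal ranges:", name)
```

Port ranges and "any" rules are the ones most often missed in manual reviews, which is why the check expands them instead of matching the literal string 3389.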

Some ransomware, such as WannaCry, attempts to infect systems directly. WannaCry infects computers running the Microsoft Windows operating system, encrypting files on the computer’s hard drive. It then demands a ransom payment in Bitcoin. WannaCry, first released in 2017, is still active and has affected over 100,000 organizations all over the world.



Once ransomware is installed on the target system, it lies in wait, silently collecting data and infecting as many systems as it can. It then steals and/or encrypts system files with the company’s most valuable and sensitive data. Ransomware can sometimes destroy backups or steal data as part of the attack, but the primary goal is generally to encrypt as many files or systems as possible to render the organization inoperable.

Ransomware comes in several types and variants, including crypto ransomware, locker ransomware, extortion-based variants (double and triple extortion), and ransomware as a service (RaaS).

Crypto ransomware encrypts files, scrambling the contents and making them unreadable. A decryption key is necessary to restore the files to a readable format. Cybercriminals then issue ransom demands, promising to decrypt data or release the decryption key once demands are met.

Locker ransomware doesn’t encrypt files but completely locks the victim out of their system or device. Cybercriminals then demand a ransom to unlock the device. Generally speaking, it’s possible to recover from or avoid an attempted crypto attack if a good backup is available. But a locker ransomware attack is harder and more expensive to recover from. Even with backed-up data, the device must be replaced entirely.

The basic objective of a ransomware attack is to extort money. But organizations can refuse to pay, especially when they have a good backup and recovery system in place. For this reason, attackers have begun using a new technique in recent years called double extortion, in which data is both encrypted and extracted. If the company refuses to pay, hackers threaten to leak the information online or sell it to the highest bidder.

And it gets worse. As devastating as double-extortion ransomware sounds, security experts are warning of a bigger threat: triple-extortion ransomware. In this variant, attackers demand money from affected third parties, in addition to extracting data and demanding ransom from the initial target.

Lastly, ransomware as a service (RaaS) uses the standard software-as-a-service (SaaS) model. It’s a subscription-based service that gives subscribers access to predeveloped ransomware tools to launch ransomware attacks. Subscribers are referred to as affiliates and earn a percentage of each ransom payment.

Ransom Notes and Demands

Once ransomware has been successfully deployed to the target network, ransom demands are made. Hackers alert the victim that an attack has occurred and detail the ransom required to reverse the attack. Ransom demands are displayed on computer screens or left in a note in the directory with the encrypted files.
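The two traits described above, file contents scrambled by crypto ransomware and a note left in the same directory, can be correlated into a detection heuristic. The following is an added example, not code from the original article: the event format, thresholds, note-name keywords and sample events are all constructed assumptions.

```python
import math
import posixpath
import re
from collections import Counter, defaultdict

ENTROPY_MIN = 7.5  # bits per byte; encrypted output sits close to 8.0
MIN_FILES = 3      # high-entropy writes needed to count as a burst
WINDOW = 60        # seconds within which the burst must occur
NOTE_NAME = re.compile(r"decrypt|restore|recover|readme", re.I)  # assumed keywords

# Constructed sample data: (unix time, path, bytes written).
RANDOM_LIKE = bytes(range(256)) * 4  # stands in for encrypted content
TEXT = b"quarterly report draft " * 40
EVENTS = [
    (100, "/srv/share/finance/q1.xlsx", RANDOM_LIKE),
    (101, "/srv/share/finance/q2.xlsx", RANDOM_LIKE),
    (102, "/srv/share/finance/payroll.db", RANDOM_LIKE),
    (103, "/srv/share/finance/HOW_TO_RESTORE_FILES.txt", TEXT),
    (200, "/srv/share/media/a.zip", RANDOM_LIKE),  # compressed files are
    (201, "/srv/share/media/b.zip", RANDOM_LIKE),  # high-entropy too, which is
    (202, "/srv/share/media/c.zip", RANDOM_LIKE),  # why entropy alone is not enough
    (300, "/home/alice/README.txt", TEXT),
]

def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_dirs(events):
    """Map directory -> note path where a high-entropy write burst meets a note."""
    scrambled, notes = defaultdict(list), {}
    for t, path, data in events:
        d, name = posixpath.split(path)
        if entropy(data) >= ENTROPY_MIN:
            scrambled[d].append(t)
        elif NOTE_NAME.search(name):
            notes[d] = path
    alerts = {}
    for d, times in scrambled.items():
        times.sort()
        burst = any(times[i + MIN_FILES - 1] - times[i] <= WINDOW
                    for i in range(len(times) - MIN_FILES + 1))
        if burst and d in notes:
            alerts[d] = notes[d]
    return alerts
```

On the sample events only the finance share is flagged: the media share has a high-entropy burst but no note, and the home directory has a README but no scrambled files.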

Ransom requests typically contain details of the ransom amount, the required payment method, and the deadline for payment, as well as a promise to return access to the encrypted files once the ransom has been paid. If data exfiltration has occurred, the hacker may also agree not to expose additional data and show evidence that the data has been destroyed. Payment is usually requested in cryptocurrency (e.g., Bitcoin or Monero).

However, even if a ransom is paid, there’s no guarantee that the attacker will restore data or keep any promises. They may keep a copy of stolen data to use at a later date. Decryption keys may not fully work, leaving some data encrypted, or they may contain additional, undetected malware that the attacker can use in the future.

The Negotiation: To Pay or Not to Pay?

The decision to pay or not to pay a ransom demand can be complicated and depend on several factors:

  • How significant is the impact of the breach on business operations?
  • Will employees be out of work? How many, and for how long?
  • How big is the risk of data exposure?

For a closer look at the pros and cons of paying and not paying, read the blog post You’ve Been Hit by Ransomware. Now What?

If your backup and recovery system hasn’t been affected by the ransomware, you may be able to avoid paying the ransom altogether (depending on the type of ransomware affecting you). But if paying the ransom is truly your only option, it’s a good idea to hire an experienced incident response team to assist with negotiations and facilitate payment.

The Aftermath: Restore and Recovery

The average downtime after a ransomware attack is 21 days. If you pay the ransom, it might take several additional days to receive the decryption key and reverse the encryption. 

Be aware that some ransomware variants identify and destroy backups on the compromised network. If backups have been destroyed or encrypted, the recovery process can become more complicated. But even if backups are usable, recovery could still be a lengthy process, depending on the type of backup and recovery system you have in place.

Whether you pay the ransom or attempt to recover data yourself, plan for the entire recovery process to take several days. Plan as well for some degree of financial loss, whether it comes in the form of ransom payments, incident response costs, or lost revenue due to downtime.

See how the recovery process could vary between two hypothetical organizations with different recovery capabilities in the article A Tale of Two Ransomware Attacks: Which Company Are You?

Be Ready to Respond to an Attack

A ransomware attack is a risk you can’t afford not to be prepared for. You may think you’re doing all the right things to stay secure, but relying on legacy backup architectures won’t protect you from modern attacks. 

The best way to respond to an attack? Only modern solutions like Pure Storage® FlashBlade® with SafeMode™ snapshots and Rapid Restore®, which delivers up to 270TB/hour data-recovery performance, can take your security strategy to the next level.

