What Are the 10 Stages of a Ransomware Attack?
During the last 6 months, nearly 50% of advisories issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) focused on a single type of cyber threat.
That threat is ransomware.
This particular type of cyberattack made constant headlines during 2021 and cost organizations $20 billion that year, according to Cybersecurity Ventures.
The good news is there are ways to detect an attacker in your network before they send ransomware propagating across your IT infrastructure. However, many organizations lack the right kind of network visibility and network detection and response (NDR) to detect threats. This causes them to miss indicators of compromise and red flags to head off an attack.
This can be frustrating and concerning for both NetOps and SecOps teams.
Let’s cover two things that can help in your ransomware risk mitigation strategy.
First of all, we’ll look at the stages of a modern ransomware attack which can help you identify choke points where you can limit the impact of an attack or detect an anomaly. And secondly, let’s examine what can give you maximum visibility into what’s happening on your network even when you’re dealing with encrypted traffic.
Beginning Stages of a Ransomware Attack
A successful ransomware attack usually comes with high costs: extortion demands, the cost of restoring part or all of the network, reputational harm, and stolen information are all typical.
Understanding the anatomy of a ransomware attack is crucial for IT and cybersecurity teams who are charged with detection and incident response. LiveAction’s ThreatEye team just created a visual ransomware attack chart that is worth saving and sharing.
Now, let’s look at how ransomware attacks often begin.
[Stage One] External Reconnaissance: attackers are agents of opportunity. They want money. They go looking for organizations they can attack for a handsome payout at the end of the attack lifecycle. Many ransomware groups will specifically target organizations with $100 million in revenue or more and organizations that absolutely cannot afford network downtime, like oil pipelines and companies that will lose money if networks are encrypted.
If you are a ransomware target, attackers will often scan your network for exposed remote desktop protocol (RDP) services or try stolen credentials, including those for your organization’s VPN. Can your organization detect this kind of anomalous activity?
[Stage Two] Initial Access: attackers gain access to your network.
Thomas Pore of LiveAction’s ThreatEye team explains how they typically breach the network: “They may use remote access, so it’s gonna be brute force through VPN, it could be through Remote Desktop Protocol (RDP), it could be utilizing Secure Shell (SSH), or a weaponized exploit.”
In some cases, a network is compromised by Initial Access Brokers (IABs) who specialize in obtaining illegal network access which they then sell or lease to ransomware operators.
The ability to see anomalous or unexpected behavior vs. typical behavior on your network can help stop or limit the attack at this early stage.
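One concrete form of the "anomalous vs. typical behavior" check for stages one and two is to watch authentication events for the brute-force pattern Pore describes (many failures against VPN, RDP or SSH from one source, followed by a success). The example below is added here and is not LiveAction or ThreatEye code; the event format, the sample events and the thresholds (10 failures within 300 seconds) are constructed assumptions.

```python
"""Sliding-window brute-force detection over authentication events.

Added example, not LiveAction/ThreatEye code. Event format is a constructed
"<epoch_seconds> <source_ip> <service> <user> <result>"; thresholds are assumptions.
"""
from collections import defaultdict, deque

# Constructed sample: one source sprays 30 usernames at the VPN over ~60 seconds
# and then logs in successfully; a normal user fat-fingers a password twice.
SAMPLE_EVENTS = [
    f"{1000 + 2 * i} 203.0.113.9 vpn user{i} FAIL" for i in range(30)
] + [
    "1070 203.0.113.9 vpn jsmith OK",
    "1100 10.0.1.5 rdp alice FAIL",
    "1105 10.0.1.5 rdp alice FAIL",
    "1110 10.0.1.5 rdp alice OK",
]


def parse_event(line):
    ts, src, service, user, result = line.split()
    return int(ts), src, service.lower(), user, result.upper()


def brute_force_alerts(lines, window=300, max_failures=10):
    """Alert once per (source, service) when `max_failures` failed logins land
    inside `window` seconds; mark the alert if a success follows (likely compromise)."""
    recent_fails = defaultdict(deque)   # (src, service) -> deque of (ts, user)
    alerted = set()
    alerts = []
    for ts, src, service, user, result in map(parse_event, lines):
        key = (src, service)
        q = recent_fails[key]
        if result == "FAIL":
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "source": src,
                    "service": service,
                    "failures": len(q),
                    "distinct_users": len({u for _, u in q}),
                    "first_ts": q[0][0],
                    "last_ts": ts,
                    "followed_by_success": False,
                })
        elif result == "OK" and key in alerted:
            # A success after an alert is the highest-priority signal: the
            # account that succeeded should be treated as possibly compromised.
            for alert in alerts:
                if (alert["source"], alert["service"]) == key:
                    alert["followed_by_success"] = True
                    alert["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_EVENTS):
        print(alert)
```

The distinct-user count separates password spraying (many users, few attempts each) from a single-account attack, and the "followed by success" flag is what turns a noisy alert into an incident-response trigger.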
[Stage Three] Privilege and Persistence: once attackers are into your network, they typically take steps to protect their investment of time and money. So they focus on escalating privileges, dumping credentials from memory, and maintaining persistent access to the network.
Middle Stages of a Ransomware Attack
The ransomware operators have now completed their external reconnaissance, gained initial access and elevated their privilege and persistence.
Now they are ready to spend time exploring and exploiting your network as the stages of an attack continue to progress.
[Stage Four] Internal Reconnaissance: the attackers now spend time evaluating and exploring your network. They hunt for internal targets, high value assets, and your organization’s most crucial and proprietary data.
“When you break into a network, chances are you don’t know where all the critical assets are, so you do need to go looking for them,” says Pore.
“Attackers are going to start scanning and want to try to figure out where are your SQL servers, where are the MongoDB servers and where is all that critical, high value data that I can steal so that I can exfiltrate it and then extort the organization.”
[Stage Five] Lateral Movement: now that attackers have identified locations with your valuable and proprietary data, they go after it.
“Once they do identify a resource, they’re going to try to move laterally to that resource. They’re going to try to create a foothold there.”
[Stage Six] Data Staging: by this stage, the attackers have plundered your network and are now ready to compile the digital treasure they obtained. They are preparing for the ultimate point of the ransomware attack.
“They’ll set up another asset to stage all that, they will collect all your database information or their source code, and they’ll stage that into one host.”
Like most other steps in the attack, this move generates detectable noise. And it also creates opportunity for NetOps and SecOps teams to catch and stop the attack. “On that particular host, you’ll see excessive inbound traffic. That’s a red flag worth looking at.”
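The "excessive inbound traffic" red flag from stage six can be checked mechanically against flow records: a staging host shows a many-to-one pattern (several internal sources pushing data into one destination) at a volume far above that host's own baseline. The example below is added here and is not LiveAction or ThreatEye code; the flow tuples, the per-host baseline and the thresholds (20x baseline, at least 3 distinct sources) are constructed assumptions.

```python
"""Flag a likely data-staging host from NetFlow-style flow summaries.

Added example, not LiveAction/ThreatEye code. Assumes flow records of
(src_ip, dst_ip, dst_port, bytes) and a per-host baseline of normal inbound
volume; all sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample flows for one day: several servers push large volumes
# into 10.0.5.7, while the other hosts see ordinary traffic.
FLOWS = [
    ("10.0.1.20", "10.0.5.7", 445, 900_000_000),   # database server -> staging host
    ("10.0.1.21", "10.0.5.7", 445, 750_000_000),   # file server -> staging host
    ("10.0.1.22", "10.0.5.7", 22, 400_000_000),    # source repo -> staging host
    ("10.0.2.30", "10.0.5.7", 445, 300_000_000),
    ("10.0.3.40", "10.0.5.7", 445, 250_000_000),
    ("10.0.1.20", "10.0.5.8", 445, 5_000_000),     # normal workstation traffic
    ("10.0.1.21", "10.0.5.9", 445, 3_000_000),
    ("10.0.2.30", "10.0.5.10", 443, 1_500_000),
]

# Constructed baseline: median daily inbound bytes per host over prior weeks.
BASELINE = {
    "10.0.5.7": 8_000_000,
    "10.0.5.8": 6_000_000,
    "10.0.5.9": 4_000_000,
    "10.0.5.10": 2_000_000,
}


def summarize_inbound(flows):
    """Per destination host: total inbound bytes and the set of distinct sources."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, _port, nbytes in flows:
        total[dst] += nbytes
        sources[dst].add(src)
    return total, sources


def staging_candidates(flows, baseline, ratio=20.0, min_sources=3):
    """Hosts whose inbound volume is at least `ratio` times their baseline AND
    that are fed by at least `min_sources` distinct hosts (many-to-one pattern).
    A host with no baseline (new asset) is treated as infinitely anomalous."""
    total, sources = summarize_inbound(flows)
    hits = []
    for dst, nbytes in total.items():
        base = baseline.get(dst, 0)
        observed_ratio = nbytes / base if base else float("inf")
        if observed_ratio >= ratio and len(sources[dst]) >= min_sources:
            hits.append({
                "host": dst,
                "inbound_bytes": nbytes,
                "baseline_bytes": base,
                "ratio": round(observed_ratio, 1),
                "sources": sorted(sources[dst]),
            })
    return sorted(hits, key=lambda h: -h["ratio"])


if __name__ == "__main__":
    for hit in staging_candidates(FLOWS, BASELINE):
        print(hit)
```

Requiring both signals matters: a backup target also receives large inbound volume, but it does so every day (so it stays within its baseline), while a single large transfer from one source is more often a legitimate copy than staging.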
Final Stages of a Ransomware Attack
If your organization lacks the ability to detect stages one through six, then the ransomware attack continues to unfold toward its damaging conclusion.
At this point, attackers have explored your network, accumulated as much of your valuable data as possible, and can now complete the final stages of the attack: stealing your data, encrypting your network, and extorting your organization for a hefty profit. A ransom demand is in your future.
[Stage Seven] Command and Control: ransomware operators covertly communicate with their command and control servers, which are the link between attacker and victim.
[Stage Eight] Data Exfiltration: attackers start stealing your data at this stage, in small batches hidden inside encoded DNS tunneling traffic. “Over the past couple of years, a fantastic exfiltration avenue has been DNS. DNS is often not monitored for this.”
[Stage Nine] Encryption: now that attackers have your organization’s proprietary data, it is time to disrupt the business. They encrypt the first system, then the next and the next until you disconnect and pull the plug on the attack propagating across your systems.
[Stage Ten] Extortion: at this point, ransomware operators contact you and offer you the chance to pay for decryption keys and a return of your stolen data. If you refuse to pay, many ransomware groups will publish a small sample of your organizational data as a warning and threaten to publish it all without payment.
And in some cases, the attack leads to triple extortion, where attackers threaten to publish your data and launch a DDoS attack against your organization unless you pay up.
Stopping attackers in your network before they can launch a ransomware attack
Now that we’ve clarified the stages of a ransomware attack, let’s look at what can be done to detect the asymmetric or unusual network traffic generated by attackers within the network. The right kind of network detection and response solution can empower your team to short circuit an attack. But make sure your NDR tool is unfazed by encryption, since approximately 90% of network traffic is now encrypted.
Thomas Pore of LiveAction’s ThreatEye team explains his company’s NDR approach.
“We designed our tool with nearly 150 analyzers that monitor behavioral aspects of network traffic, regardless of encryption. A few examples include encryption on unsigned encryption ports, unexpected plain text when it should have been encrypted, these are all tactics that threat actors will use to try to hide their activity. Also, these threat actors will live within the network for a period of time and we will be able to essentially identify their behavioral characteristics throughout their campaign because internal recon is going to be very noisy.”
In LiveAction’s case, machine learning powers discovery: “Through our advanced behavioral analysis, we can identify when someone has excessive connections or excessive usage, whether it’s to internal or external IP addresses. And then what’s really important here is they’re going to move laterally. We have DNS tunneling detection capabilities so we can identify that, and we can identify any encrypted outbound session because we’re looking at the traits and characteristics of the traffic. It doesn’t matter what it is.”
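The DNS tunneling detection mentioned here and in stage eight rests on traits that do not depend on reading the payload: a tunnel produces many queries to one registered domain, with long, high-entropy subdomain labels and a skew toward record types that carry arbitrary data (TXT, NULL). The scorer below is an added example and is not LiveAction or ThreatEye code; the log line format, the sample queries (generated with SHA-256 to mimic encoded chunks), the two-label "registered domain" shortcut and the thresholds are constructed assumptions.

```python
"""Score DNS query logs for tunneling-style exfiltration traits.

Added example, not LiveAction/ThreatEye code. Log format is a constructed
"<timestamp> <client_ip> <qtype> <qname>"; thresholds are assumptions.
"""
import hashlib
import math
from collections import defaultdict


def make_sample_log():
    """Constructed log: 40 TXT queries from one client carrying hex-encoded
    chunks to a single domain, plus a handful of ordinary lookups."""
    lines = []
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-03-01T10:00:{i % 60:02d}Z 10.0.5.7 TXT "
                     f"{chunk[:24]}.{chunk[24:]}.tunnel-example.test")
    lines += [
        "2024-03-01T10:01:00Z 10.0.5.8 A www.example.com",
        "2024-03-01T10:01:01Z 10.0.5.9 A mail.example.org",
        "2024-03-01T10:01:02Z 10.0.5.8 AAAA cdn.example.com",
        "2024-03-01T10:01:03Z 10.0.5.8 A www.example.com",
    ]
    return lines


def shannon_entropy(text):
    """Bits per character; random hex approaches 4.0, hostnames sit well below 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def registered_domain(qname):
    # Assumption: the last two labels. A real deployment should use the Public
    # Suffix List so that names under e.g. co.uk are grouped correctly.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_domains(lines):
    """Per registered domain: query count, data-carrying qtype ratio,
    mean query length, mean subdomain entropy and the set of clients."""
    acc = defaultdict(lambda: {"queries": 0, "data_qtypes": 0, "len_sum": 0,
                               "ent_sum": 0.0, "clients": set()})
    for line in lines:
        _ts, client, qtype, qname = parse_line(line)
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        s = acc[dom]
        s["queries"] += 1
        s["data_qtypes"] += qtype in ("TXT", "NULL")
        s["len_sum"] += len(qname)
        s["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        s["clients"].add(client)
    return {
        dom: {"queries": s["queries"],
              "data_qtype_ratio": s["data_qtypes"] / s["queries"],
              "mean_len": s["len_sum"] / s["queries"],
              "mean_entropy": s["ent_sum"] / s["queries"],
              "clients": sorted(s["clients"])}
        for dom, s in acc.items()
    }


def tunnel_suspects(lines, min_queries=20, min_len=40, min_entropy=3.0):
    """Flag domains with enough volume and at least two of three payload traits."""
    suspects = []
    for dom, m in score_domains(lines).items():
        if m["queries"] < min_queries:
            continue
        reasons = []
        if m["mean_len"] >= min_len:
            reasons.append("long query names")
        if m["mean_entropy"] >= min_entropy:
            reasons.append("high-entropy subdomains")
        if m["data_qtype_ratio"] >= 0.5:
            reasons.append("mostly TXT/NULL records")
        if len(reasons) >= 2:
            suspects.append({"domain": dom, "reasons": reasons, **m})
    return suspects


if __name__ == "__main__":
    for s in tunnel_suspects(make_sample_log()):
        print(s)
```

The volume gate keeps one-off long names (CDN hostnames, DKIM lookups) from firing; the two-of-three rule lets the detector still catch a tunnel that uses A or AAAA records instead of TXT, which is the failure mode a single-trait rule misses.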
Here are three additional resources that can help with your ransomware risk mitigation.