Defending Against the Five Stages of a Ransomware Attack

The increasing sophistication of ransomware attacks is costing businesses more than ever. Our recently released report, titled Ransomware: The True Cost to Business Study 2022, revealed that 73% of organizations suffered at least one ransomware attack in 2022, compared with just 55% in the 2021 study. 

The study also once again finds that ‘it doesn’t pay-to-pay’ a ransom demand, as 80% of organizations that paid were hit by ransomware a second time, with 68% saying the second attack came in less than a month and threat actors demanded a higher ransom amount. 

A joint report issued by the US, UK and Australia back in February published by the Cybersecurity and Infrastructure Security Agency (CISA) noted, "the market for ransomware became increasingly ‘professional’ in 2021,” and further stated the evolution in ransomware strains seen last year “demonstrates ...threat actors’ growing technological sophistication.”

The days of targeting individuals via tainted spam emails that result in ransom demands in the hundreds of dollars are largely gone and are supplanted by highly targeted ransomware operations, or RansomOps. In our report, RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy, we examine these "low and slow" attacks that seek to remain under the radar as they infiltrate as much of the target network as possible before a ransom demand is issued. 

To defend against the latest threats, it is necessary to understand the scope of ransomware attacks in general and how they unfold so proactive anti-ransomware strategies can be adopted to better protect organizations from being victimized.

Five Stages of a Ransomware Attack

A RansomOps attack happens in multiple stages, which Gartner summarizes as the following: ingress, compromise, burrowing/tunneling, command and control and encryption. We’ll dive into those five stages here, and what can be done to prevent them:

  • Initial Ingress: The attack starts with ingress, i.e., the initial point of attack. Often, this will look like a compromised website delivered via a phishing attack, or a compromised API endpoint, or a rogue actor who has infiltrated the network with stolen credentials. Penetration testing helps ferret out these vulnerabilities and identify insecure IT practices, and should include penetration tests based on OWASP guidelines
  • Compromise: This is when the dropper is downloaded onto a workstation and begins the infection stage of the attack. To prevent this, Endpoint Detection and Response (EDR) tools can detect malicious activity and prevent it from proliferating. EDR is defined as “an array of modern, integrated endpoint security tools that detect, contain, investigate, and eliminate invasive cybersecurity threats high in the cyber kill chain.” The addition of NGAV protection is also part of a proactive strategy to prevent malware from executing on infected endpoints, as well as continuously auditing endpoints and correlating that telemetry with telemetry from across the organization to present threats in context–not just alerts.
  • Burrowing/Tunneling: Once inside, the attackers either “burrow down” from the cloud, “tunnel up” from on-prem resources, and move laterally through the network to get access to as much of the environment as possible before detonating the ransomware payload. This spread can be curbed by employing endpoint controls like firewalls and network segmentation and combining that with a strong vulnerability and patch management approach.
  • Command and Control: The installation procedure uses command and control channels (C2) to download additional attack tools and ultimately the malicious ransomware payload. This activity can be detected and blocked by an Extended Detection and Response (XDR) solution, which leverages AI and Machine Learning to detect potentially malicious chains of behavior that can surface a RansomOps attack at the earliest stages. In certain combinations, some chains of behavior are either extremely rare or represent a distinct advantage to an attacker. Your team must also know how to differentiate between the benign use and the abuse of legitimate tools for malicious activities –for instance, “living off the land binaries” (LOLBins) executions which use legitimate tools for malicious purposes.
  • Encryption: The attacker will then detonate the ransomware payload, encrypt the assets on the network, and hold it to ransom until the victim pays. To help ensure payment, RansomOps purveyors have also implemented double extortion schemes. Double extortion is a tactic employed by some ransomware gangs that begins when they first exfiltrate sensitive information from the target before launching the encryption routine. The threat actor then makes the additional demand that victims pay up in order to prevent the attackers from publishing their data online. Cybereason CEO Lior Div explained the different layers of extortion that companies now face if compromised.

Ransomware Prevention

WannaCry infected 7,000 computers in the first hour, and over one hundred million IP addresses in the first two days. We know the infectious malware was ultimately stopped, but as one of the biggest ransomware attacks in history, it was amateur in nature and could have been prevented. There are two basic approaches to dealing with ransomware; you can respond to it, or you can prevent it. 

In preparing to defend against a ransomware attack, many organizations turn to data backups for post-attack remediation, but as we discussed above, that only goes so far. While still a smart choice to backup systems and data, it does not solve the problem of double extortion. 

An effective ransomware prevention plan includes actions like:

  • Following Security Hygiene Best Practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
  • Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
  • Deploying Endpoint and Extended Detection and Response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provides the visibility required to end ransomware attacks before data exfiltration occurs, or the ransomware payload can be delivered.
  • Assuring Key Players Can Be Reached: Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
  • Conducting Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
  • Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc. Testing these procedures with scheduled or unscheduled drills at least once every quarter is recommended to ensure all personnel and procedures perform as expected.
  • Evaluating Managed Security Services Provider Options: If your security organization has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
  • Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware. Teams should create highly-secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack. Also, take similar precautions with VPN access in limiting its availability during weekend and holiday periods depending on business needs. For more information on Weekend and Holiday ransomware threats, refer to our other 2021 study, Organizations at Risk: Ransomware Attackers Don’t Take Holidays.

Ultimately, your multi-layered approach should allow you to analyze ALL data in real-time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables so you can truly have a proactive anti-ransomware strategy in place.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed