Sometimes, attacks are purely opportunistic. An attacker may choose to infect a vulnerable organization because they encounter convenient credentials or have other potential access into their network. In other circumstances, the bad actors may go through various stages that follow a more complex attack pattern.

1. Research + Reconnaissance
In this stage, the attacker researches the company, including pulling job postings, social media posts, blog comments, press releases, company reports and may even make a list of employees mentioned on the company website and crawl the internet searching for their email addresses. The more they know about a victim, the better they can execute social engineering tactics, such as crafting believable phishing emails to lure them into clicking on a malicious link or opening a dangerous attachment. Criminals use this information to build a dossier on the organization, which may also include third-party contractors, suppliers and other vendors associated with the target company.

2. Identify Entry Point
Determining how to best gain access to a particular target without being detected is where IABs play a critical role. Often, these actors work directly on behalf of the ransomware gangs to find vulnerable systems or perform spear phishing campaigns or simply collect harvested credentials and databases from forums and resell them to ransomware gangs.

3. Gain Access
Once access has been obtained, the next goal is to penetrate the network and establish a foothold. A common entry point is through a public-facing Remote Desktop Protocol (RDP) portal, a Citrix server, or a VNC portal. During this phase (sometimes outsourced, other times performed by ransomware operators themselves), the attacker executes malicious code on one or more systems. This often occurs through credential-based social engineering, most often spear phishing via email or internal messaging services, or by exploiting a software vulnerability. The attacker needs to ensure continued control over a newly compromised system. Typically, they establish a foothold by installing a backdoor or delivering malware to the victim.

4. Escalate Privileges
Attackers often escalate their privileges through software vulnerabilities or credential exploits, such as password cracking. In many cases, passwords stored on a network have essentially been converted into sets of cryptographic hashes, which, when obtained by criminals, are long strings of scrambled characters that look nothing like the original password. Using various methods, the threat actors can either crack the passwords or use pass-the-hash attacks to obtain cleartext passwords. In an ideal scenario, threat actors will then be armed with a systems administrator’s credentials, giving them freedom to move laterally around the network without arousing suspicion.

5. Network Propagation
Some malware includes self-propagating features, automatically infecting multiple systems in a network without any extra effort from the criminal actor. In other cases, the attacker may use their initial access to move from system to system within the compromised environment, scanning files to find exposed secrets, additional credentials or configurations. One of the key acts is to develop and deploy a backdoor to slip in and out of during the attack and, in some cases, return to the scene post-attack to inflict more damage. This could happen over a period of months.

6. Destruction + Encryption
Once the attackers have completed their theft, the ransomware will be deployed and encryption begins. This is often the point when organizations realize they’re under attack. What are the signs your system may have been infected by ransomware? Filenames will change to show that they have been encrypted. You’ll see a mysterious ransom note file on your desktop called openme.txt or something similar, with instructions for how to communicate with the ransomware gang.

7. Negotiation
Criminals have turned to extortion tactics in recent years, such as threatening to leak victim names or expose potentially damaging information to the public or to competitors. The question for organizations remains the same: how much risk can you tolerate? If you’re a company losing millions of dollars per day or if lives are at stake, you are going to pay. You may be more likely to pay if you’ve got a cyber insurance policy that reimburses you, at least partly, for the payment. But even after paying the ransom, there is no guarantee your files will be returned.

8. Aftermath
The ransomware recovery process is costly and time-consuming. While costs vary, organizations can expect to pay for legal fees, lost business, customer outreach, and overall interruption of traditional business operations. Regardless of financial losses, it’s rare that organizations fully recover from a successful attack.

There is no one-size-fits-all when it comes to ransomware attack prevention, it is necessary to have a layered defense focused on quick remediation of exposed credentials and stolen cookies (we call it Post-Infection Remediation).

Steps to prevent ransomware should include:

• Continuously monitor and remediate compromised credentials and stolen cookies
  
  
• Implement multi-factor authentication (MFA)
  
  
• Educate workforce on cybersecurity best practices
  
  
• Detect malware infections and stop the bleed with Post-Infection Remediation

Once stolen data gets siphoned by malware, it doesn’t just go away. Data from malware infections gets traded on the criminal underground by Initial Access Brokers. And it remains valuable to criminals as long as the credentials and cookies remain active and in-use.