By Ryan Sommers
Over the past three years, ransomware has jumped into the spotlight of the cyber threat landscape; in fact the FBI estimates that $1 billion in losses will be incurred in 2016 from ransomware alone. Until recently, most ransomware attacks were opportunistic, targeting individual users’ or small businesses’ computers, and demanding just a few hundred dollars for an individual PC.
But now, attackers have set their sights on larger organizations with important files and systems that are critical to their daily operations, and can pay larger ransom demands.
However, you can increase the likelihood of successfully defending against—or at least mitigating the effects of—an attack, by understanding what happens at each phase of a ransomware attack, and knowing the indicators of compromise (IoCs) to look for.
Five Phases of a Ransomware Attack
Phase 1: Exploitation and Infection
In order for an attack to be successful, the malicious ransomware file needs to execute on a computer. This is often done through a phishing email or an exploit kit—a type of malicious toolkit used to exploit security holes in software applications for the purpose of spreading malware.
Phase 2: Delivery and Execution
The ransomware executable is delivered to the victim’s system, which typically takes just a few seconds, depending on network latencies. We often see the executable files placed in folders beneath the user’s profile. To improve detection, your organization can monitor for those events and set up a line of defense.
Phase 3: Backup Spoliation
A few seconds after the malware is executed, the ransomware targets and removes backup files. In essence, it wants to remove any means the victim has to recover from the attack without paying the ransom. This function is unique to ransomware, as other types of crimeware and even APTs don’t bother to delete backup files.
Phase 4: File Encryption
Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing those encryption keys that will be used on the local system. Unfortunately, most of the variants today use strong encryption, such as AES 256, so the victim isn’t going to be able to break the encryption on their own.
Phase 5: User Notification and Cleanup
With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay, and after that time the ransom increases. Once paid, the malware cleans itself off the victimized system so as not to leave behind significant forensic evidence that would help build better defenses against the malware.
Five Steps to Defend Against Ransomware
Once you understand how ransomware works, you can defend against its attacks.
Aggressively patch your network so vulnerabilities are eliminated and access routes are contained. Endpoints need to be adequately protected with tools that can automatically detect and respond to infections before they become big incidents.
If your enterprise gets hit with an attack, you can minimize the damage if you detect the malware early. Use threat intelligence sources to block – or at least alert on – the presence of anomalies associated with ransomware in your network traffic. Make sure emails are screened for malicious links and payloads, and use rules that look for files executing from common ransomware folders so you can spot ransomware before any files are encrypted.
Once the ransomware has done its dirty work on one device, take steps to contain it locally. The best means is to have an endpoint protection system in place that looks for the execution and kills the process. To prevent additional files on the network from being encrypted, local host needs to be blocked and isolated from the network.
Once your ransomware incident is contained, you need to eradicate it. The best option is to replace machines that have been affected. However, it’s difficult to know if residual files are hidden on the system and able to re-infect other devices.
For network locations, such as mailboxes or file shares, sometimes it is more prudent to clean those locations, and remove the malicious email message or ransomware instructions. If you choose to clean rather than replace, continue to monitor for signatures and other IOCs to prevent the attack from re-emerging.
Restoring from backup is your number one task. For most ransomware investigations, you will complete the recovery phase by doing a full investigation into what specific infection vector was used against the system, and take steps to ensure that all issues are resolved.
Ransomware attacks against organizations are on the rise, and will continue to proliferate. The ramifications of a successful attack are far more extensive than just the cost of the ransom. Organizations can suffer the effects of lost productivity, loss of business, inconvenience to customers, and potentially the permanent loss of data.
Your organization’s success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your systems and to detect, shut down and contain suspicious activity.
About Ryan Sommers
Ryan Sommers is the Manager of Threat Intelligence and Incident Response at LogRhythm. For more than 10 years, Ryan has dedicated his career to incident response.