In recent years, ransomware attacks have become common enough—and expensive enough—to solidify ransomware's position as a boardroom risk. These attacks exploit vulnerabilities in human, network, and software behavior to infect target devices and can be perilous for organizations—failure to comply with the threat actors can result in the exposure or permanent loss of confidential business information.
There are currently thousands of strains of ransomware making rounds on the internet, one of the most prolific being WannaCry. This strain first emerged in 2017 and affected over 200,000 computers in 150 countries by encrypting all the files on infected devices, and requesting a ransom in Bitcoin to restore them. Ransomware gained traction with the growth of cryptocurrencies like Bitcoin, and there's no end in sight.
Ransomware incidents are predicted to become worse throughout 2021, evolving in terms of scale, efficacy, and impact. Most attacks will target towards individuals, schools, hospitals, and small businesses as opposed to large corporations. These entities often don't have sufficient cybersecurity measures in place to defend against the attacks, leaving them vulnerable to cyberattacks. So how can they improve their security posture?
In this blog, we'll cover how ransomware works, and what steps you can take to protect your network from cyberattacks.
The ransomware kill chain typically involves five stages:
The first stage of a ransomware attack involves identifying a target organization or user and devising a plan to deliver the infected payload to that target. Cybercriminals often use various techniques to sneak ransomware into a user's network, such as social engineering, brute-force attacks, malvertisements, or phishing emails. Due to human error and ignorance of security risks, the ransomware will eventually be downloaded onto an endpoint device, like a desktop computer, laptop, or smartphone.
Once the infected payload has been downloaded onto an endpoint, the ransomware script will install itself onto the target system and attempt to communicate with its command network. In some cases, the ransomware program will retrieve encryption key data from its command network since a different public key is required for each infection.
At this stage, the ransomware prepares to encrypt data and take the files hostage. It covertly gains intelligence on systems and data in the network, then moves laterally, infecting more endpoints along the way. The program works to target specific directories on a host system, particularly searching for sensitive data that will ensure a successful ransom demand and resulting payment. At this stage, the ransomware also executes several persistence mechanisms such as disabling recovery mode, covering its tracks, and disguising itself as a legitimate program.
When the encryption phase is reached in the kill chain, it's already too late—nothing much can be done to stop the attack without access to the decryption key. The ransomware program starts to encrypt all of the files it discovered in the scanning stage. After encrypting the local files, it will infect any other hard disks or USB devices connected to the infected host machine.
Once encryption has been completed, the ransomware will display a ransom note to the victim with instructions on how to pay the fee to get the decryption key. The ransom can range anywhere from a few hundred dollars to thousands, payable to cybercriminals in cryptocurrency. On successful payment of the ransom, the attacker decrypts the files and restores access to the user. In most cases, the ransom demand increases if it isn't paid within a stipulated time. After that point, the program may begin to delete the encrypted files.
Though not foolproof, here are some defensive steps you can take to prevent ransomware from infiltrating your network.
The most effective way to handle ransomware attacks is to make periodic backups of your data. It's best to keep at least three separate versions of the backup data on two different storage types, with at least one offsite.
Regularly train your employees to identify and avoid common ransomware pitfalls such as malvertisements or phishing emails.
Add programs to your list of trusted software, and block unauthorized programs from communicating with your network.
Block malicious attachments, spam, phishing emails, and other methods used to propagate ransomware.
Restrict unwarranted access by using robust access management, and reduce the number of access points through which malware can enter your organization.
In the event of a ransomware attack, you can stop its lateral movement by separating your network by sections and departments.
Reduce the vulnerabilities in your operating systems, browsers, and other applications by regularly updating and patching them.
Using a security information and event management (SIEM) solution provides several avenues of approach that allow you to handle ransomware attacks at every stage. With an efficient SIEM solution, you can:
Are you looking for a comprehensive SIEM solution that has the above capabilities and more to help protect your network from increasingly sophisticated ransomware attacks? Try out a free, 30-day trial of Log360 to test these features out for yourself!
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.