The 5 Phases of a Ransomware Attack: Learn How Ransomware Works and How You Can Defend Against It


Ransomware is gaining momentum. The FBI estimates that $1 billion in losses will be incurred in 2016 from ransomware alone.

But what is ransomware and how does it work? Most importantly, how can businesses prevent an attack?

Ransomware is malicious software that allows cybercriminals to hold a company’s valuable data hostage until a ransom is paid. It is usually introduced into a company’s system by way of clever social engineering techniques, which exploit human weakness and target employees or other vulnerable individuals. These individuals become convinced that an email attachment or download link is safe and from a valid source before ultimately clicking the infected attachment and releasing a ransomware Trojan into the company’s system.

Ransomware is becoming rampant in part because of its efficient method of attack—and also because it is extremely profitable.

Experts recommend understanding the five phases of a ransomware attack to gain insight into the indicators of compromise and better defend against it. The five phases are as follows:

Phase 1: Exploitation and Infection
To launch a ransomware attack, cybercriminals must first get a vulnerable employee or other individual to execute the infected file. This is typically done through social engineering, using phishing and spam emails, or through an exploit kit.

Phase 2: Delivery and Execution
In this part of the process, the ransomware is executed on the company’s system—and then persistence mechanisms are installed that work to keep it there.

Phase 3: Backup Spoliation
Just a few seconds after Phase 2, to further cripple the victim’s ability to recover from the attack without paying, the ransomware Trojan targets and deletes the company’s backup files.

Phase 4: File Encryption
Once all backups are compromised, the ransomware establishes the encryption keys; the matching decryption key is what will be used to unlock files once the victim pays the ransom demand. The malware then performs a secure key exchange with its command and control server to establish further lock-down of the company’s local system.

Phase 5: User Notification and Cleanup
With the company’s backup capabilities compromised and ransomware’s encryption legwork complete, the victim receives a ransom note with demands for payment in exchange for company files. Sometimes, a company will be given a few days for this exchange—during which time the company is completely without its valuable files and data. After this initial demand phase passes, cybercriminals will often demand even more ransom—and in certain cases, as in the Kansas Heart Hospital attack, they refuse to return the victim’s data unless a second ransom is paid.
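Phases 3 and 4 leave host-level indicators a defender can alert on: the commands that destroy local backups and shadow copies, and a single process rewriting a large number of files within seconds. The following detection logic is an added example, not code from the original post or from Intrinium; the event records, field names (ts, kind, pid, cmd, path) and thresholds are constructed assumptions, and the backup-deletion command patterns are the well-known `vssadmin delete shadows` and `wbadmin delete catalog` forms.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original post): process-creation and
# file-write records in the shape a host sensor or EDR agent might emit.
SAMPLE_EVENTS = [
    {"ts": "2016-05-02T09:14:01", "kind": "process", "pid": 412,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2016-05-02T09:14:02", "kind": "process", "pid": 413,
     "cmd": "wbadmin delete catalog -quiet"},
    {"ts": "2016-05-02T09:14:03", "kind": "process", "pid": 414,
     "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # pid 500 writes three documents over a minute: ordinary user activity
    *[{"ts": f"2016-05-02T09:15:{i * 20:02d}", "kind": "file", "pid": 500,
       "path": f"D:\\shared\\report{i}.docx"} for i in range(3)],
    # pid 777 rewrites 25 files in 25 seconds: the Phase 4 encryption burst
    *[{"ts": f"2016-05-02T09:16:{i:02d}", "kind": "file", "pid": 777,
       "path": f"D:\\finance\\q1_{i}.xlsx.locked"} for i in range(25)],
]

# Phase 3 indicator: commands that destroy local backups or shadow copies.
BACKUP_SPOLIATION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I)

# Phase 4 indicator: one process writing many files in a short window
# (assumed thresholds; tune them to the environment's normal file churn).
BURST_COUNT = 20
BURST_WINDOW = timedelta(seconds=60)


def detect(events):
    """Return (indicator, pid, detail) tuples for Phase 3 and Phase 4 activity."""
    alerts = []
    writes = defaultdict(list)
    for ev in events:
        if ev["kind"] == "process" and BACKUP_SPOLIATION.search(ev["cmd"]):
            alerts.append(("backup_spoliation", ev["pid"], ev["cmd"]))
        elif ev["kind"] == "file":
            writes[ev["pid"]].append(datetime.fromisoformat(ev["ts"]))
    for pid, times in writes.items():
        times.sort()
        start = 0  # sliding window over this process's write timestamps
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                alerts.append(("encryption_burst", pid, f"{end - start + 1} writes"))
                break  # one alert per process is enough to page the responder
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields two backup-spoliation alerts (pids 412 and 413) and one encryption-burst alert for pid 777; the benign notepad process and the three-document writer raise nothing.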

Most Small and Mid-Sized Businesses Are Not Equipped to Recognize and Respond to Ransomware

According to the 2015 (ISC)2 Global Information Security Workforce Study, phishing attacks account for 54% of malware distribution techniques, and information security professionals spend about 85% of their time remediating this type of attack.

Employees and other vulnerable individuals are often unable to recognize, report, and avoid suspected ransomware and other phishing-type emails. Additionally, information security teams are simply ill-equipped to handle the volume. By utilizing a managed IT security monitoring service that specializes in incident response and advanced threat detection, companies can manage their existing IT employees’ time more efficiently and keep their valuable data safe and secure.

With ransomware and other social engineering threats evolving and becoming more targeted on a daily basis, vulnerable businesses should consider a comprehensive, advanced threat protection approach. If you’d like to learn more about protecting your business from a ransomware attack, contact Intrinium for an advanced threat assessment.
