Understanding the Tactics of Ransomware Attacks

Amid a global pandemic and political unrest, cyberattacks have still managed to grab headlines. Technology is considered critical infrastructure, and when ransomware strikes, it only amplifies the hardships that businesses, non-profits, organizations and entire nations face.

The frequency with which these attacks are reported is also rightfully concerning: Google reported a 350% increase in malicious websites since the pandemic took hold. While ransomware and similar cyberattacks are set to strike up to every 11 seconds by 2021, the timing of an attack may be unclear from a victim’s perspective. To better understand the nature of ransomware, research beyond the headlines is necessary. It’s important to keep in mind ransomware’s methods of entry, common tactics and timeline to determine patterns and help isolate when attacks are actually set to deploy.

Ransomware Military Tactics

It is true that ransomware involves numerous automated processes for infiltrating a network, but several human, customized actions set into motion a series of events that allow threat actors to execute their crime. To increase their chances of a successful payoff, they usually spend several days, weeks or even months navigating a network to eventually pave the way for extortion. While most victims of ransomware experience an unsettling hijacking of their systems in an instant, chances are the ransomware threat actors were present in the network already. Threat actor groups are highly organized, human-operated ransomware distributors. They use unique messaging to target and persuade their victims to “click here,” and then they follow a proven intel process:

  • Reconnaissance

Before even attempting to write a suspicious email or insecure website, the threat actor gathers information. This can include the technical layout, any vulnerabilities of the network and even information about the roles and privileges of people within the organization. Oftentimes this information is cross-referenced and gathered through social media and social engineering techniques.

  • Weaponization

During this phase, the threat actor prepares for the attack, gathering the tools and techniques to use against the targeted network. Oftentimes this includes the use (or rather, the misuse) of legitimate tools that provide access called Remote Access Tools (RATs).

  • Delivery

This is the phase of the attack that may be visible to the victim in an obvious way: The threat actor delivers the tools they need to carry out the attack, through phishing emails in an inbox, a successful brute force attack or even a malicious Word doc that can successfully deliver the malware.

  • Exploitation and Installation

In this phase, the attacker carries out the actual attack to compromise the network, taking advantage of previously identified vulnerabilities to penetrate the network to run their exploits. After establishing their presence in the network in this phase, the attacker installs malware or executes a file-less attack.

  • Command and Control

Once the network has been compromised and malware is running on the affected systems, software beacons may be deployed to establish communications with a command and control server under the control of the threat actor.

  • Actions and Objectives

After the threat actors have entered the victim’s network and have established a foothold to work from, they can carry out their objectives. These can vary from simple disruption and monetary gain to data exfiltration (theft) and even publicly naming and shaming their victims online.

A common situation a victim may face directly is usually upon opening a malicious email, attachment or website, followed by “business as usual.” Threat actors lurk and purposely go unnoticed for as long as they need before they determine their best plan of attack. It is reported that human error to some extent was involved in 95% of security breaches in 2019; however, this can be hard to pin down since threat actors take their time to move through these stages before taking action.

“Most of the time, we find that the employee who double-clicked on the malicious attachment within the phishing email had no idea of the havoc that they are helping the threat actor unleash on their employer’s network,” said Tetra Defense President Cindy Murphy. “Sometimes we see that they will even carry on a conversation with the attacker about how the attachment wouldn’t open, totally unaware that it was never intended to open. They have no idea that they’ve been tricked into helping the intruder gain access.”

Known Infiltration Tactics

In 2019, 92% of all malware was distributed via email. As far as what can be seen in more recent attacks, even the pandemic-specific ones, delivery methods haven’t changed much. The old, tried-and-true techniques for threat actors still include phishing campaigns with malicious attachments, open RDP ports, leftover RATs from vendors, unpatched operating system vulnerabilities and unpatched software. These are still their best ways into a victim’s network to carry out the attack.

To that effect, luckily, the best practices in cybersecurity still stand. They are still effective in protecting networks even if threat actors may appear more often than they have in the past. To avoid the bombardment of recent COVID-19 attacks especially, be sure to rely on trusted news sources directly. Organizations such as the WHO and the CDC have clearly informed the public of their cyber policies in response to the attacks that use the pandemic in vain. In general, emails that attach unexpected documents, request credentials or offer any lotteries or prizes, even if they appear to be from trusted sources, should not be trusted.

How to Prevent Ransomware

In addition to maintaining a healthy amount of skepticism, there are proven techniques that deter other common infiltration methods. For one, always confirm the requests that end up in your inbox are actually legitimate. To that effect, multi-factor authentication (MFA) can help by automatically thwarting a threat actor with only one piece of information or only one set of credentials. In the swift transitions that many workers faced in working from home in COVID-19, it’s also recommended to change default passwords to scaffold the security of home networks as well.

While ransomware seems to strike at an impossibly fast rate, their timing within a victim’s network is anything but. Ransomware is expected to become even more malicious as known groups start to pool resources and threaten data breaches, and ultimately demand more money in exchange. One thing is certain: Staying aware of the risks that we can see today puts you in a better position of not falling for them tomorrow.

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard
Christopher Gerg

Christopher Gerg

Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra Defense. He's a technical lead with over 15 years of information security experience, dealing with challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial and payment card industries. He has worked in mature information security teams and has built information security programs from scratch, leading them into maturity in a wide variety of compliance regimes.

christopher-gerg has 1 posts and counting.See all posts by christopher-gerg