Ransomware became a multi-billion industry over the past two years. Although there is widespread understanding of the risks that enable successful ransomware attacks but still are executed successfully despite the knowledge. A better understanding of the anatomy of ransomware attacks could enable security professionals to better defend against future ransomware attacks.
The most significant step in successful ransomware attacks is the ability to exploit a vulnerability to gain a foothold in the victim network. This provides the attacker with the opportunity to install the ransomware. In this first step, most modern ransomware will self-propagate across the network to other vulnerable machines and install the ransomware on those systems as well. The next phase in a ransomware attack, after achieving persistence in the victim network, is to contact the command and control (C2) servers. Establishing this communication is a vital step in maintaining communications with the victim machines.
Following the C2 server communications, the attacker will perform the handshake and execute the key exchange. The private key is stored on the attacker’s server and the public key is left on the victim machines. Next, the victim devices begin to encrypt the files specified by the attack. The most common ransomware attacks search the drives for specific file types, such as Word documents or Excel spreadsheets that may contain sensitive information. The encryption leaves the files looking identical to the originals and it is not until the victim attempts to open the file that the victim finds that the ransomware has compromised the system. Finally, the attacker will attempt to extort the victim(s) or victim organization to pay for the private key to decrypt the files.
As mentioned in other posts, to prevent these attacks, there are several technical and operational controls that can help prevent such attacks. The human is always the weakest link in the chain of computer security. Providing adequate and relevant security training is key to mitigating the human threat as much as possible. Other controls are prevention or write permissions and performing regular, offline backups.
Ransomware has been around for a couple of decades and has recently become increasingly popular among malicious actors to extort individuals and organizations out of money. Understanding the anatomy of the attack can help security professionals to better secure their networks and can help tailor better security awareness training. Finally, implementing security controls to mitigate the technical and operational risks can further reduce the attack surface and provide a reduced risk of ransomware attacks.