When it comes to preventing ransomware attacks, it’s essential that you have an understanding of the “cyber kill-chain”, or the sequence of steps attackers usually follow.
- Reconnaissance – An attacker scopes out targets to identify a potential victim.
- Weaponisation – The attacker identifies a way to breach the victim’s network.
- Delivery – An initial attack gives the attacker a foothold into the victim’s environment.
- Exploitation – The attacker may move laterally across the network, steal privileged credentials or install backdoors.
- Installation – The attacker installs malware on the asset.
- Command and Control – The attacker ensures they can remotely control the malware.
- Actions on Objectives – The attack plan is put into action.
This series of steps may be carried out in different ways, with different levels of sophistication. A less-sophisticated attacker may carry out these steps within hours. Such haste may result in mistakes, such as deleting backups, that provide opportunities for forensic investigators to identify them.
However, a more sophisticated attack will usually involve significant “dwell time” between the perimeter breach and when the ransomware attack is launched. Dwell time may extend to days, weeks or even months.
This extended dwell time assists attackers who are engaged in “Big Game Hunting.” This is an approach whereby attackers seek lucrative targets that are likely to be badly affected by ransomware, and thus more likely to pay up. Such organisations may include those that run critical infrastructure or OT systems.
Sophisticated attacks tend to be multi-phased. The initial perimeter breach may be followed by extensive mapping of the network in order to gain a detailed understanding of the business operations. The attackers may map out network users, virtual machines, host systems, connections to other networks, backup infrastructure, as well as cloud-based and on-premises platforms. These mapping activities allow them to plan their attack in a way that is designed to have the greatest operational impact, cause as much damage as possible and increase the likelihood that the victim will be forced to pay.
We recently investigated a sophisticated attack in which the attackers conducted extensive monitoring of the victim’s operations over several months from within the network perimeter. The attackers realised that the organisation was backing up data to an external drive at a regular time each week. Knowing this allowed them to remotely delete the backed-up data on the external drive right after the data was saved to it, but before the external drive was disconnected from the server. Following the launch of the ransomware attack, the company discovered that all the data they thought had been backed up had actually been erased, forcing them to pay the ransom in order to recover their critical information.
What this case highlights is that ransomware attacks may be executed over a protracted period of time. Whilst an extended cyber kill-chain sequence may allow attackers to launch more sophisticated attacks, it also gives organisations more opportunities to thwart the attack. However, this will only be possible if your organisation has the appropriate prevention, detection and response systems in place.
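The backup-deletion case above is the kind of pattern a detection system can catch: a backup job completes, and files under its target are deleted before the drive is disconnected. The following is an added example, not code from the original article or from the investigated organisation; it correlates constructed log events with assumed event names (BACKUP_COMPLETE, FILE_DELETE, DRIVE_DISCONNECT) and a constructed mount path, and raises an alert for each backup run that lost files while the drive was still attached.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log modelled on the case above (not real data): a weekly
# backup job writes to an external drive, and in the first week deletions hit
# the backup target before the drive is disconnected. Event names and paths
# are assumptions for this example.
SAMPLE_LOG = """\
2024-03-01T22:00:05 BACKUP_COMPLETE /mnt/usb_backup/weekly
2024-03-01T22:03:41 FILE_DELETE /mnt/usb_backup/weekly/fileserver.img
2024-03-01T22:03:42 FILE_DELETE /mnt/usb_backup/weekly/sql01.img
2024-03-01T22:10:00 DRIVE_DISCONNECT /mnt/usb_backup
2024-03-08T22:00:07 BACKUP_COMPLETE /mnt/usb_backup/weekly
2024-03-08T22:09:58 DRIVE_DISCONNECT /mnt/usb_backup
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    path: str


def parse_log(text: str) -> list[Event]:
    """Parse '<ISO timestamp> <EVENT> <path>' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, path = line.split(" ", 2)
        events.append(Event(datetime.fromisoformat(ts), kind, path))
    return events


def detect_post_backup_deletions(events, window=timedelta(minutes=30)):
    """Return (backup completion time, [deleted paths]) for every backup run
    whose target lost files after completion and before the drive was
    disconnected. Deletions later than `window` are ignored so that routine
    retention clean-up on a still-attached drive is not flagged."""
    alerts = []
    open_backup = None  # (completion time, target path) while the drive is attached
    deleted = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "BACKUP_COMPLETE":
            open_backup, deleted = (ev.ts, ev.path), []
        elif ev.kind == "FILE_DELETE" and open_backup:
            done_at, target = open_backup
            if ev.path.startswith(target + "/") and ev.ts - done_at <= window:
                deleted.append(ev.path)
        elif ev.kind == "DRIVE_DISCONNECT" and open_backup:
            if deleted:
                alerts.append((open_backup[0], deleted))
            open_backup, deleted = None, []
    return alerts
```

A real deployment would feed this from the backup product's job log and the file-system audit trail of the backup host, and would alert on the first deletion rather than waiting for the disconnect event.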