
How does ransomware work?

20/06/2023 | OneAdvanced PR

Ransomware is one of the largest and most persistent threats in cybersecurity today, and for any organisation guarding sensitive data it is close to a worst-case scenario. More and more of our customers are asking about it, eager to stay out of the headlines, and the concern is a reasonable one. IBM's Cost of a Data Breach Report 2022 states that global ransomware incidents rose by 13% from 2021 to 2022, and the same source puts the rate at one ransomware attack on an organisation every 11 seconds, which underlines the urgency of prioritising detection and prevention.

But how does this type of malware do so much damage, and what actually happens while an attack or network breach is in progress? After years of researching and countering ransomware attacks, we have seen clear trends and patterns in attacker behaviour. The sequence below is the one we see most often, and it informs our managed security work.

Step 1 — Targets are chosen

Threat actors begin by identifying the most promising candidates for compromise. Industries such as healthcare, energy, retail, and education are more likely to be targeted because they either hold large volumes of personal data or have the financial resources to pay a ransom. The attacker may then probe your defences for weaknesses before committing: for example, a lack of multi-factor authentication, remote-access services exposed to the internet, or outdated anti-malware and antivirus protection.



Step 2 — An infection vector is chosen

An attacker can use a range of tactics to get into your environment, and phishing is by far the most common. The Anti-Phishing Working Group (APWG) observed almost 1.3 million phishing attacks in the third quarter of 2022. Phishing usually involves sending employees emails or links that look trustworthy but lead to a malicious website or download. Another popular vector is logging in to an internet-exposed Remote Desktop Protocol (RDP) service with stolen or guessed user credentials.

Step 3 — The malware gains entry

The user is redirected to a malicious web address, prompted to open an attachment, or unwittingly hands login details to someone posing as a legitimate source (for example, a threat actor impersonating one of their colleagues). The attacker now has the single foothold they need.

Step 4 — Infiltration spreads

The intruder then persists silently in your environment for days, weeks, or months, creating backdoor accounts, escalating privileges, and opening access for additional operators. From that foothold the intrusion spreads laterally across connected networks and can reach third-party vendors and other entities that connect to the compromised systems.

Step 5 — The attack launches

Once the intruder has located enough valuable data, the attack moves to its destructive stage: files are stolen (copied out of your network) and then replaced with encrypted versions. Sophisticated operations automate this with a hybrid scheme. Each file is encrypted with a freshly generated symmetric key, that key is in turn encrypted with a public key embedded in the malware, and the matching private key stays with the attacker. Because no key capable of unlocking the data is ever present on your systems, you cannot recover it without that private key.
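To make the key handling in this step concrete, here is an added example written for this page in Go. It is not code from the original article and not taken from any real ransomware family: a hybrid scheme in which each file is encrypted under a fresh AES-256-GCM key and that key is wrapped with RSA-OAEP to a public key standing in for the one embedded in the malware. The `EncryptedFile`, `encryptFile`, `decryptFile` and `demo` names and the sample payroll line are constructed for illustration. What it demonstrates is that the only material left on the victim's machine is the public key and the wrapped file keys, so nothing local can reverse the encryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile replaces the original on disk: the body under a fresh per-file
// AES key, plus that key wrapped to the attacker's RSA public key.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the attacker's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile is the victim-side step: it needs only the attacker's public key,
// which is the sole key material carried inside the malware.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	// Wrap the file key to the attacker's public key; the raw key is then
	// dropped (real samples wipe it), so nothing on the host can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: body}, nil
}

// decryptFile is the "decryptor" offered after payment: it needs the private
// key, which never left the attacker's infrastructure.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// demo runs the scheme on a constructed sample document (not real data) and
// reports whether the attacker's private key recovers it and whether an
// unrelated key, standing in for anything the victim could generate, fails.
func demo() (bool, bool, error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048) // lives on attacker infrastructure
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048) // not the attacker's key
	if err != nil {
		return false, false, err
	}
	sample := bytes.Repeat([]byte("Q3 payroll export, employee 1042, salary 58000\n"), 200)
	ef, err := encryptFile(&attackerKey.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	got, err := decryptFile(attackerKey, ef)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := decryptFile(otherKey, ef) // OAEP unwrap fails, so no file key and no data
	return bytes.Equal(got, sample), wrongErr != nil, nil
}

func main() {
	recovered, wrongKeyFails, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("attacker's private key recovers file: %v\nunrelated key recovers file: %v\n", recovered, !wrongKeyFails)
}
```

Running it with `go run` prints the two outcomes; the unrelated key fails at the OAEP unwrap before it ever touches the file body, and GCM's authentication tag means a tampered ciphertext will not decrypt either. This structure is also why public decryption tools only exist for families whose private keys were leaked, seized or otherwise recovered.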


Step 6 — The demand is made

Once the attack is in motion, you will typically see a ransom note on your screen or dropped as a text file in the encrypted directories. The note usually demands payment in cryptocurrency, which is easy to transfer and hard to trace, by a specified deadline, and the attacker claims your data will be irretrievable forever if you do not pay by that date. A report indicates that global ransomware payments amounted to $456.8 million in 2022.


Step 7 — You deal with the fallout

With a 24/7 managed detection and response (MDR) provider, your organisation has a significantly better chance of preventing ransomware from getting in at all, or of rooting out an intrusion before it reaches the encryption stage. Tested offline backups are the other essential defence, and decryption tools exist for some ransomware families whose private keys have been recovered or leaked. Keep in mind that the impact of a successful attack extends well beyond the initial demand: 31% of U.S. companies faced with a breach end up shutting down due to substantial reputational damage.

Ransomware is, justifiably, a hot topic in cybersecurity, and an MDR solution can tip the scales in your favour when it comes to finding and dealing with potential network intrusions.

Advanced's security partner, Fortra's Alert Logic, provides human-led threat intelligence that continuously guards your digital assets, with immediate incident triage when needed. Contact us today to talk about your cyber-security needs.