Ransomware Guide

How Does Ransomware Work? 

Ransomware works by attempting to force a victim to pay the ransom. Specifically, the malware deployed by an attacker in a ransomware attack will follow a pattern of breaking in, maliciously encrypting targeted data, and then forcing the ransom from the company or individual.

As mentioned above, double extortion has become more common. It’s not enough for modern attackers to block access to a company’s data, they also see the value in stealing it and demanding an extra payment to get it back.

The effects of ransomware on network systems can vary, depending on the type of defenses in place and response time. When access is gained, attackers can use post-exploitation frameworks to search the environment and gain elevated privileges. If a threat actor gains full access, they could encrypt the entire network, leading to complete disruption of business services.

Infected endpoints in the larger network ecosystem could contain the threat for a period of time, but it’s a race against the clock before the malware spreads. Rapidly removing these infected assets is essential to limiting the blast radius of an attack.

Stages of a Ransomware Attack 

1. Initial access and persistence: The first stage of the ransomware attack chain involves gaining access to an organization's network. Common techniques attackers leverage here include phishing, credential stuffing, and vulnerability exploitation. 
2. Reconnaissance: In this stage, attackers map out the organization's network, where they'll work to gain initial context around the systems and user privileges they have obtained. This is typically the most complicated stage for the attacker. 
3. Credential theft and lateral movement: After gaining access to the organization's network, the attacker will attempt to obtain administrative credentials so they can move freely around the network. During this time, attackers are likely to disable any security protocols already in place. 
4. Exfiltration: During this stage, attackers are looking for files to exfiltrate from the network. These sensitive documents will be used for extortion. Examples include financial documents, accounting information, client data, project information, and more. 
5. Encryption: The final stage is encryption – often the most impactful to an organization. The attacker encrypts various target files, subsequently demanding a ransom for their return.

Ransomware Examples

Ransomware is ubiquitous in today's world. Let's take a look at some recent notable examples. 

WannaCry Ransomware

This 2017 WannaCry ransomware attack is one of the most notable and infamous recent examples of ransomware. It deviated from traditional ransomware by including a component that was able to find vulnerable systems and spread quickly. Because of this behavior, this type of ransomware is known as a worm, tunneling its way through a network and doing the maximum amount of damage.

Due to the nature of employing both traditional phishing tactics and the worm format of the malware, it was particularly nasty and caused fallout around the globe. A Bitcoin ransom was demanded from users as well as organizations who typically did not have up-to-date software and/or potentially poor hygiene around permissions, passwords, and credentials.

Petya Ransomware

Similar to WannaCry, Petya ransomware typically was deployed with the ability to spread easily and quickly locate vulnerabilities. Users would encounter it as a reboot request, after which their systems would become unavailable. Petya was first launched as malicious email attachments that would infect a system after a user clicked on the attachment and it downloaded locally.

The initial Petya attack did large-scale damage across Ukraine, severely affecting its banking infrastructure as well as other critical sectors in the country. From there, it was able to spread across Europe like wildfire. A subsequent variant, dubbed NotPetya, featured even more malicious capabilities than the original version and also caused billions of dollars in damage.

CryptoLocker Ransomware

Perhaps the most persistent of these examples, CryptoLocker primarily lured victims with phishing emails containing malicious attachments. This might be a good time to pause and extol the virtues of security awareness training. Not all, but many of these attacks require an action on the part of the user to be able to access their system(s), so it’s important that workforces are aware of actions to take and not to take.

Of note, CryptoLocker was particularly effective due to bad actors mimicking prompting actions of well-known companies like FedEx and UPS. Asymmetric encryption is used to lock users out of their files, meaning two keys are employed: one for encryption and one for decryption.

How to Prevent Ransomware

Ransomware can be prevented by following key best-practice behaviors that should flow throughout the whole of any security program. Zooming in, there are two key phases of a ransomware attack during which action is critical in order to lower risk and prevent the worst effects of an attack. 

• Prior to the attack: Minimize the attack surface by identifying specific techniques attackers use to deploy ransomware. From there, security teams can apply layers of preventative measures – this includes workforce training – and reduce risk. Purposeful network segmentation can ensure critical machines are isolated to prevent the spread of malware.
• During the attack: For in-progress attacks, access to mission-critical data should be extremely limited. Constant system backup should be a high priority so that — in the event mission-critical data is compromised — data restores can be deployed using recent, uncompromised backups.

Avoid becoming a repeat victim by identifying and remediating the initial access and execution vectors in the first attack to ensure complete attacker eradication. 

How Can Ransomware be Removed? 

Ransomware can be removed by scanning networks with an effective anti-malware solution. Teams should be able to automatically investigate and contain ransomware/malware before it can do real damage.

After scanning and discovery, it’s a good idea to quickly remove a targeted user’s domain account from the local administrator group. User accounts with administrator rights allow for automated and targeted attacks to interact with system-level privileges and easy deployment of ransomware.

Additionally, system administrators can generate decision points for security analysts to block infected user accounts and malware communications – or completely quarantine machines from the network. Leveraging automation to slow the infection, security responders will have more time to fully eradicate the ransomware threat.

Read More About Ransomware

2023 Ransomware Stats: A Look Back To Plan Ahead

Learn about Rapid7's Ransomware Prevention Solution

Ransomware-as-a-Service (RAS) Cheat Sheet

Ransomware: Latest Rapid7 Blog Posts

Report: Pain Points: Ransomware Data Disclosure Trends