Cybersecurity: Seven stages of a Ransomware attack

Understanding the seven stages of a ransomware attack is crucial for businesses to protect their invaluable data and maintain operational continuity. From initial reconnaissance to the final action, each stage is a critical juncture where organizations can either halt the attackers in their tracks or fall victim to data theft and extortion. This blog post delves into the methodologies employed by cybercriminals, from exploiting vulnerabilities to executing command and control operations, highlighting the importance of a proactive and informed cybersecurity strategy. Learn how to fortify your defenses against the sophisticated and rapidly evolving threat of ransomware.


Introduction – Importance of data

Every public or private company’s success depends on the data on which it operates. Companies often classify aspects of this data as their intellectual property, which includes trademarks, copyrights, trade secrets and patents. Coca-Cola’s trade secret is the Coke formula [1]. Google’s intellectual property is its source code [2]. Pfizer’s leading intellectual property is its different drug patents over the years [3]. Likewise, the Federal Bureau of Investigation’s intellectual property is its covert data. These data have helped companies acquire significant market share and revenues, and have given most companies their competitive edge. Leading technology companies use data to understand potential customers, recruit new sales leads, create targeted sales campaigns and market services directly to new users. In other industries, such as telecommunications, transport and postal services, data has been used to improve business processes, delivering time and cost efficiency. Data in the wrong hands, however, can cause physical, psychological, technological, business and social damage. Recent anonymous data leaks and disclosures concerning technology products have resulted in significant cybersecurity hacks. Other examples include the illegal use of sensitive data to win elections through targeted fake-news campaigns, and the whipping up of sentiment by manipulating data, thereby fuelling uprisings to topple governments. Crucially, just as data in the right hands can be productive, data in the hands of cybercriminals can be destructive. Because of the importance of data in all industries and walks of life, its protection is critical. The topmost priority of Chief Information Security Officers (CISOs) or Directors of Security is ensuring the confidentiality, integrity and availability of customer and business assets, including data. This data is seriously at risk from ransomware attacks.

What is a ransomware attack?

Ransomware combines two words: ransom and malicious software (malware). A ransom is the money demanded in exchange for an asset (e.g. data), and malicious software is a computer program written with the intent to harm. Combining the two, ransomware is a computer program that holds data hostage in exchange for money, most commonly paid in cryptocurrency. The National Institute of Standards and Technology (NIST) defines ransomware as a malicious attack where attackers encrypt an organisation’s data and demand payment to restore access [4]. The NIST definition introduces encryption as the technique used to hold the data for ransom. Other techniques used to ransom data include locking the computer, stealing the data or deleting the data. This malicious software infects a range of computing environments (including mobile devices, tablets, laptops and servers), both on-premises and in the cloud. Often, if the company pays the ransom, it receives its data back; otherwise, the cybercriminals publish the data on the dark web or the company’s access to the data is blocked permanently.

Why ransomware attacks?

Recent data suggest that ransomware attacks are among the fastest-growing cybersecurity attacks companies face. The impacts of ransomware attacks on companies include loss of access to crucial time-sensitive data (e.g. medical records), financial loss (e.g. the cost of the ransom payment), reputational damage (e.g. the impact on share price and customer trust) and operational disruption. German prosecutors alleged that a ransomware attack on a hospital led to a loss of life: the hospital was unavailable, forcing an ambulance to make a one-hour longer journey to another hospital, and the patient died [5]. Ransomware is the fastest-growing type of cybersecurity attack for several reasons: high profit potential, ease of deployment, low cost, rapid evolution, and the ability to customise attacks to different network environments. Most leading threat actors, including cybercriminals, hacktivists and nation-states, are involved in ransomware attacks. Cybercriminals are mainly in it for financial and economic gain, while hacktivists use it to expose and damage the reputation of their targets. Nation-state threat actors use ransomware attacks to create geopolitical tensions, fund cyber attacks, destabilise government services and cause economic turmoil.

Seven Stages of a Ransomware Attack

There have been various incidents of ransomware attacks. Some of the most publicised include WannaCry [6], launched in May 2017; NotPetya [7], launched in June 2017; Ryuk [8], launched in August 2018; and the Colonial Pipeline attack [9], launched in May 2021. All of these caused widespread global disruption and financial losses, and the masterminds were nation-state actors and cybercriminals. For companies to defend successfully against future ransomware attacks, understanding the stages of past attacks enables early detection and improved incident response. Ransomware attacks can be understood using the Cyber Kill Chain framework [10], which describes the seven stages threat actors go through to accomplish a cyber attack.

  1. Reconnaissance: Reconnaissance is the first stage of a ransomware attack. This stage aims to identify potential targets, vulnerabilities, connected third parties and possible entry points. In WannaCry, it entailed looking for computers running an outdated and unpatched version of Microsoft Windows with a vulnerability known as “EternalBlue”. Other potential targets include exposed internet services and insecure web pages; the vulnerabilities include disclosed vulnerabilities and zero-day vulnerabilities; the connected third parties and possible entry points include stolen credentials, malicious websites, malicious emails and unpatched vulnerabilities. Companies under ransomware reconnaissance should expect a flurry of emails targeted at company staff (i.e. the identified targets) with malicious links or attachments designed to harvest sensitive information. Other indicators include unusual traffic patterns caused by tools used to elicit information through techniques such as packet sniffing, ping sweeps, port scanning and internet information queries. Companies should have baselined the types and volumes of legitimate traffic to help differentiate them from illegitimate traffic. To detect ransomware reconnaissance, companies should deploy capabilities that harden their external interfaces and detect malicious emails, links and unusual traffic.
  2. Weaponisation: Weaponisation is the second stage of a ransomware attack. This stage aims to exploit the information harvested during reconnaissance to gain access to the target’s network environment (on-premises and in the public cloud). For a ransomware attack, weaponisation includes malware creation and the modification of existing tools for the proposed attack. Malware requires endpoint devices to run on; hence, malicious programs are created with knowledge of the operating systems of those endpoint devices. In the Colonial Pipeline attack, the malware used was DarkSide. Some common commercially modified hacking tools and services used for ransomware weaponisation include Cobalt Strike, which is used for threat emulation; PsExec, which is used for arbitrary command shell execution and lateral movement; and Mimikatz, which is used for credential dumping. This stage does not require contact with the target’s network environment and so cannot be detected by the target.
  3. Delivery: Delivery is the third stage of a ransomware attack. This stage aims to deliver the targeted and customised attack to infiltrate the target’s network environment and reach its users. In NotPetya, attackers used a software update for a popular accounting package to deliver the malware to many organisations. Other common techniques include emails with malicious attachments or links, and SQL injection attacks against servers holding sensitive information. Once delivered, ransomware can stay hidden on an endpoint until its files are encrypted or deleted. As with reconnaissance, companies under ransomware delivery should expect a flurry of emails targeted at company staff (i.e. the identified targets) with malicious links or attachments designed to harvest sensitive information. Other indicators include unusual traffic patterns caused by tools used to elicit information through techniques such as packet sniffing, ping sweeps, port scanning and internet information queries. Companies should have baselined the types and volumes of legitimate traffic to help differentiate them from illegitimate traffic. To detect ransomware delivery, companies should deploy capabilities that harden their external interfaces and detect malicious emails, links and unusual traffic.
  4. Exploitation: Exploitation is the fourth stage of a ransomware attack. This stage aims to infiltrate the target’s network environment further by exploiting the identified vulnerabilities. In WannaCry, the malware included a worm-like feature that allowed it to spread beyond the local network and infect internet-connected machines lacking appropriate cyber security controls. Tools like Process Hacker and AdFind can be used at this stage: Process Hacker enables process and service discovery and termination, while AdFind is used for Active Directory (AD) discovery as a prerequisite for lateral movement. Companies undergoing ransomware exploitation would see the same symptoms as in the delivery stage, but in a more covert and deliberate form. Other symptoms of exploitation include unexplained system changes and unauthorised access attempts (from both legitimate and illegitimate users). Detection can likewise use the capabilities deployed for detecting ransomware delivery. Companies should also scan their systems for configuration drift and ensure that only known, approved drift is permitted.
  5. Installation: Installation is the fifth stage of a ransomware attack. This stage aims to take control of the target’s network environment. By this stage, the threat actors have installed malware and backdoors in the target’s network environment. In Ryuk, the malware was deployed in phases, initially installing a dropper or downloader that retrieves and installs the primary Ryuk executable. Companies undergoing ransomware installation will notice unusual network activity, changes to file extensions, pop-up messages, disabled security software and unusual system behaviour. Threat actors install malicious programs with capabilities for packet detection, file fingerprinting, debugging and memory dumping. Companies should use signature-based detection, static file analysis, dynamic malware analysis, dynamic monitoring of mass file operations, checksumming/cyclic redundancy checks (CRC) and machine-learning behavioural analysis to detect malware.
  6. Command and Control: Command and Control (C2) is the sixth stage of a ransomware attack. This stage aims to ensure threat actors can communicate with either the malware they have installed or other attack toolkits running within the target’s network environment. It opens infected endpoints to further compromise by the threat actor, turning them into staging devices. Once set up, the infected endpoint communicates with the threat actor’s servers, typically over trusted channels, including DNS. In NotPetya, the C2 servers were hosted on compromised web servers and cloud hosting providers. Companies undergoing command and control activity will notice increased network activity, unexplained network connections, suspicious processes and unauthorised data access from compromised legitimate and illegitimate accounts. To detect command and control, companies need to set up precise alerts that accurately identify areas of known compromise based on connections to known malicious IP addresses.
  7. Action and Objective: Actions and Objectives is the final stage of a ransomware attack. At this stage, the attack has successfully stolen sensitive data, encrypted it and locked out legitimate users. Most importantly, the ransom demand is made explicitly, including payment instructions. In WannaCry and Ryuk, the objective of the attack was to extort money, while in NotPetya it was to cause widespread disruption and damage. In the Colonial Pipeline attack it was both to extort money and to cause widespread disruption.
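The reconnaissance stage above says companies should baseline legitimate traffic and look for port scanning and ping sweeps. The following is an added example (not code from the original post) of what that baseline comparison looks like in practice: a small detector that reads firewall log lines, keeps a sliding 60-second window per source address, and raises an alert when a source touches more distinct ports or more distinct hosts than a legitimate client normally would. The log lines, the thresholds and the field layout are all constructed assumptions; a real deployment would tune the thresholds from its own measured traffic.

```python
"""Reconnaissance detection over firewall logs (added example, not from the post).

Compares each source's behaviour within a sliding window against a simple
baseline: how many distinct destination ports and destination hosts a
legitimate client normally touches. Exceeding the baseline is flagged as a
port scan or a host (ping-style) sweep.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic):
# timestamp source destination destination_port action
SAMPLE_LOGS = """\
2024-03-01T09:00:01 203.0.113.7 192.0.2.10 22 DENY
2024-03-01T09:00:01 203.0.113.7 192.0.2.10 23 DENY
2024-03-01T09:00:02 203.0.113.7 192.0.2.10 80 ALLOW
2024-03-01T09:00:02 203.0.113.7 192.0.2.10 443 ALLOW
2024-03-01T09:00:02 203.0.113.7 192.0.2.10 445 DENY
2024-03-01T09:00:03 203.0.113.7 192.0.2.10 3389 DENY
2024-03-01T09:00:03 203.0.113.7 192.0.2.10 8080 DENY
2024-03-01T09:00:04 203.0.113.7 192.0.2.11 445 DENY
2024-03-01T09:00:04 203.0.113.7 192.0.2.12 445 DENY
2024-03-01T09:00:05 203.0.113.7 192.0.2.13 445 DENY
2024-03-01T09:00:05 203.0.113.7 192.0.2.14 445 DENY
2024-03-01T09:00:10 198.51.100.4 192.0.2.10 443 ALLOW
2024-03-01T09:05:00 198.51.100.4 192.0.2.10 443 ALLOW
2024-03-01T09:10:00 198.51.100.4 192.0.2.10 443 ALLOW
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_logs(text):
    """Parse log lines into (time, src, dst, dport, action); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst, dport, action = match.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


# Assumed baseline per 60-second window: a legitimate client rarely touches more
# than 5 distinct ports or 3 distinct hosts. Tune these from your own traffic.
WINDOW = timedelta(seconds=60)
MAX_PORTS = 5
MAX_HOSTS = 3


def detect_recon(events, window=WINDOW, max_ports=MAX_PORTS, max_hosts=MAX_HOSTS):
    """Return (source, alert_type, count) for sources that exceed the baseline.

    Each source is flagged at most once per alert type, at the moment the
    sliding window first crosses the threshold.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        recent = []
        flagged = set()
        for ev in evs:
            recent.append(ev)
            # keep only the events inside the window that ends at this event
            recent = [e for e in recent if ev[0] - e[0] <= window]
            ports = {e[3] for e in recent}
            hosts = {e[2] for e in recent}
            if len(ports) > max_ports and "port_scan" not in flagged:
                flagged.add("port_scan")
                alerts.append((src, "port_scan", len(ports)))
            if len(hosts) > max_hosts and "host_sweep" not in flagged:
                flagged.add("host_sweep")
                alerts.append((src, "host_sweep", len(hosts)))
    return alerts


if __name__ == "__main__":
    for src, kind, count in detect_recon(parse_logs(SAMPLE_LOGS)):
        print(f"{src}: {kind} ({count} distinct within {WINDOW.seconds}s)")
```

Run as-is, the scanner at 203.0.113.7 is reported twice (a port scan once it touches a sixth port, then a host sweep once it reaches a fourth host), while 198.51.100.4, which only ever talks to one host on port 443, stays under the baseline. The window and thresholds are the whole point of the "baseline" advice in the text: without them every busy but legitimate client would look like a scanner.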
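The installation stage above lists "changes to file extensions" as a symptom and "dynamic monitoring of mass file operations" and "checksumming/cyclic redundancy check (CRC)" as detection techniques. The block below is an added example, not code from the original post, showing both: a detector that flags a process renaming many files to a new extension across several directories within a short window, and a CRC32 baseline that reports which files have changed content or disappeared. The file-event records, the process names, the file contents and the thresholds are all constructed assumptions.

```python
"""Installation-stage detection: mass extension changes and checksum drift
(added example, not from the post; events and file contents are constructed)."""
import zlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed endpoint file-event records: (time, process, operation, path, new_path)
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "WINWORD.EXE", "WRITE", r"C:\Users\a\Documents\q1.docx", ""),
    ("2024-03-01T10:00:30", "svchost.exe", "WRITE", r"C:\Windows\Temp\upd.log", ""),
    ("2024-03-01T10:01:00", "unknown.exe", "RENAME", r"C:\Users\a\Documents\q1.docx", r"C:\Users\a\Documents\q1.docx.locked"),
    ("2024-03-01T10:01:01", "unknown.exe", "RENAME", r"C:\Users\a\Documents\q2.xlsx", r"C:\Users\a\Documents\q2.xlsx.locked"),
    ("2024-03-01T10:01:01", "unknown.exe", "RENAME", r"C:\Users\a\Pictures\p1.jpg", r"C:\Users\a\Pictures\p1.jpg.locked"),
    ("2024-03-01T10:01:02", "unknown.exe", "RENAME", r"C:\Users\a\Pictures\p2.jpg", r"C:\Users\a\Pictures\p2.jpg.locked"),
    ("2024-03-01T10:01:03", "unknown.exe", "RENAME", r"C:\Share\finance\ledger.xlsx", r"C:\Share\finance\ledger.xlsx.locked"),
    ("2024-03-01T10:01:03", "unknown.exe", "RENAME", r"C:\Share\finance\budget.xlsx", r"C:\Share\finance\budget.xlsx.locked"),
    ("2024-03-01T10:05:00", "explorer.exe", "RENAME", r"C:\Users\a\Desktop\draft.txt", r"C:\Users\a\Desktop\final.txt"),
]


def detect_mass_extension_change(events, window=timedelta(seconds=60), min_files=5, min_dirs=2):
    """Flag a process that changes the extension of many files across several
    directories within a short window. Returns (process, files, dirs, new_suffix)."""
    by_proc = defaultdict(list)
    for ts, proc, op, path, new_path in sorted(events, key=lambda e: e[0]):
        if op != "RENAME":
            continue
        old, new = PureWindowsPath(path), PureWindowsPath(new_path)
        if old.suffix.lower() == new.suffix.lower():
            continue  # ordinary rename, extension unchanged
        by_proc[proc].append((datetime.fromisoformat(ts), str(new.parent), new.suffix.lower()))
    alerts = []
    for proc, changes in by_proc.items():
        recent = []
        for change in changes:
            recent.append(change)
            recent = [c for c in recent if change[0] - c[0] <= window]
            dirs = {c[1] for c in recent}
            if len(recent) >= min_files and len(dirs) >= min_dirs:
                suffix = Counter(c[2] for c in recent).most_common(1)[0][0]
                alerts.append((proc, len(recent), len(dirs), suffix))
                break  # one alert per process is enough to start an investigation
    return alerts


def crc_baseline(files):
    """Record a CRC32 per file (files: {path: bytes}); a real deployment would
    persist this at a known-good point in time."""
    return {path: zlib.crc32(data) for path, data in files.items()}


def changed_files(baseline, files):
    """Return (changed, missing): paths whose content no longer matches the
    baseline CRC, and baseline paths that have disappeared (e.g. renamed)."""
    changed = sorted(p for p, d in files.items() if p in baseline and zlib.crc32(d) != baseline[p])
    missing = sorted(p for p in baseline if p not in files)
    return changed, missing


# Constructed contents before and after the events above
BEFORE = {
    r"C:\Users\a\Documents\q1.docx": b"quarterly report",
    r"C:\Windows\Temp\upd.log": b"update started",
}
AFTER = {
    r"C:\Users\a\Documents\q1.docx.locked": b"\x8f\x11\xa0\x3c\x77",
    r"C:\Windows\Temp\upd.log": b"update started\nupdate finished",
}

if __name__ == "__main__":
    print(detect_mass_extension_change(SAMPLE_EVENTS))
    print(changed_files(crc_baseline(BEFORE), AFTER))
```

The rename detector ignores explorer.exe, which changes a file name but not its extension, and fires on the constructed unknown.exe as soon as it has re-suffixed five files in three directories. The CRC check is deliberately separate: a CRC is not a security hash and cannot prove a file is intact against a deliberate collision, but it is cheap enough to run over every file and is exactly the kind of mass-change signal the text describes.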
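The command and control stage above recommends alerts on connections to known malicious IP addresses, and notes that C2 traffic usually rides trusted channels. The following added example (not code from the original post) implements both the blocklist match and a complementary check that does not need a blocklist at all: beacon detection, which looks for a host contacting the same destination at suspiciously regular intervals. The connection records, the placeholder blocklist entry and the thresholds are constructed assumptions; the same logic applies unchanged to DNS query logs keyed by queried name.

```python
"""Command-and-control detection over outbound connection logs (added example,
not from the post). Two checks: matches against a list of known malicious IPs,
and beacon detection, i.e. a host contacting the same destination at
near-constant intervals, which also catches C2 servers not yet on any list."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound connection records: (time, host, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    ("2024-03-01T11:00:00", "WS01", "198.51.100.23", 443),
    ("2024-03-01T11:01:01", "WS01", "198.51.100.23", 443),
    ("2024-03-01T11:02:00", "WS01", "198.51.100.23", 443),
    ("2024-03-01T11:03:01", "WS01", "198.51.100.23", 443),
    ("2024-03-01T11:04:00", "WS01", "198.51.100.23", 443),
    ("2024-03-01T11:05:01", "WS01", "198.51.100.23", 443),
    ("2024-03-01T11:00:00", "WS02", "203.0.113.50", 443),
    ("2024-03-01T11:00:07", "WS02", "203.0.113.50", 443),
    ("2024-03-01T11:03:30", "WS02", "203.0.113.50", 443),
    ("2024-03-01T11:04:02", "WS02", "203.0.113.50", 443),
    ("2024-03-01T11:09:45", "WS02", "203.0.113.50", 443),
    ("2024-03-01T11:10:00", "WS02", "203.0.113.50", 443),
    ("2024-03-01T11:07:12", "WS03", "192.0.2.99", 53),
]

# Constructed placeholder blocklist; in practice this is fed from threat intelligence
KNOWN_MALICIOUS_IPS = {"192.0.2.99"}


def blocklist_hits(connections, blocklist=KNOWN_MALICIOUS_IPS):
    """Return sorted (host, dst_ip) pairs for connections to known malicious IPs."""
    return sorted({(host, ip) for _, host, ip, _ in connections if ip in blocklist})


def detect_beacons(connections, min_connections=5, max_cv=0.1):
    """Return (host, dst_ip, mean_interval_s) for host/destination pairs whose
    inter-connection intervals are nearly constant.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; human-driven traffic is bursty
    and scores high, a timer-driven beacon scores close to zero.
    """
    by_pair = defaultdict(list)
    for ts, host, ip, _ in connections:
        by_pair[(host, ip)].append(datetime.fromisoformat(ts))
    beacons = []
    for (host, ip), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections at the same instant: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((host, ip, round(mean, 1)))
    return beacons


if __name__ == "__main__":
    print("blocklist:", blocklist_hits(SAMPLE_CONNECTIONS))
    print("beacons:  ", detect_beacons(SAMPLE_CONNECTIONS))
```

On the constructed data, WS03 is caught only by the blocklist, while WS01 is caught only by the beacon check: its destination is on no list, but it checks in every 60 seconds with about one second of jitter. WS02 talks to one destination just as often but at irregular, human-looking intervals and is left alone. Real beacons add deliberate jitter, so the `max_cv` threshold is a tuning knob rather than a constant.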

[1] Is the Coca-Cola formula kept secret because the company has something to hide?
[2] Is Source Code Intellectual Property?
[3] Pfizer: A Focus On Intellectual Property
[4] Ransomware | NIST
[5] The untold story of a cyberattack, a hospital and a dying woman – https://www.wired.co.uk/article/ransomware-hospital-death-germany
[6] WannaCry – https://www.kaspersky.com/resource-center/threats/ransomware-wannacry
[7] NotPetya – Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack – https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack
[8] Ryuk – https://www.malwarebytes.com/ryuk-ransomware
[9] Colonial Pipeline – Colonial Pipeline ransomware attack has grave consequences – https://www.computerweekly.com/news/252500508/Colonial-Pipeline-ransomware-attack-has-grave-consequences
[10] Cyber Kill Chain – https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
