Today we have part 2 of our ransomware series, with an emphasis on the stages of a ransomware attack. Ransomware attacks are not executed quickly; they take time to set up and to complete. Luckily, this gives us a window to react and begin disrupting the plan. The plan usually falls into six stages, which we will cover. As we will see, the first couple happen quickly, but the others take longer and leave an opening. Because the first stages are hard to react to while they occur, prevention is your best course of action there. As with any good game plan, disrupting what the opponent is trying to do is critical, but to disrupt it we first need to understand the stages of their plan, so let's take a look.
Stages of a Ransomware attack
Ransomware attacks are usually broken down into six stages of varying duration, and each offers a different opportunity for disruption. The six stages are usually called Distribution (or the distribution campaign), Infection, Staging, Scanning, Encryption, and finally Payday. The first stage is distribution, and the effort and time it takes can vary. This is where the attacker crafts spam or phishing emails, sets up watering-hole attacks, or uses exploit kits and drive-by downloads. The best ways to disrupt this stage are educating employees on cyber safety, spam filtering, and browser protection software.

Next comes the infection stage. At this point you do not yet have the software that will encrypt your data. What you downloaded is a small loader that "phones home": it connects to preset IP addresses or servers, downloads the real executable into a temporary folder, and then deletes itself to cover its tracks.
Third is the Staging stage, where the software establishes itself on your computer. It moves itself to a new folder and checks configuration, registry settings, and user privileges. At first it just wants the lay of the land; it then makes sure it will always run, by registering itself to start at boot, by surviving a recovery, or by disabling recovery mode altogether. The last thing it does at this stage is hide itself and open a channel back home.
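The two staging behaviours above (arranging to run at boot and disabling recovery) are also the first things worth alerting on. The following is an added example written for this article, not code from the original post or from any product: it runs a few rules over endpoint events normalised to a Sysmon-like shape (the field names, the Run-key pattern, the temp-folder heuristic and the well-known recovery-disabling commands such as vssadmin, wbadmin and bcdedit are the editor's assumptions, and the sample events are constructed, not real telemetry).

```python
"""Flag staging-stage behaviour in a stream of endpoint events.

Added example, not code from the original post. Events are constructed
below in a Sysmon-like shape (assumption: your EDR or Sysmon feed can be
normalised to these fields). The rules cover the two behaviours the
staging stage is built around: making the payload run at boot (Run-key
persistence) and disabling Windows recovery.
"""
import re
from dataclasses import dataclass

# Autostart locations commonly abused for persistence (HKCU/HKLM Run and RunOnce).
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Commands that strip the victim's ability to recover without paying
# (assumption: the editor's list of well-known examples, not the post's).
RECOVERY_KILL = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]

# Folders a freshly dropped binary tends to persist from (heuristic).
SUSPECT_DIRS = re.compile(r"\\(Temp|AppData\\Local\\Temp|ProgramData|Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def analyse(events):
    """Return one Finding per event that matches a staging-stage rule."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
            rule = "persistence.run_key"
            if SUSPECT_DIRS.search(ev["value"]):
                rule = "persistence.run_key_from_temp"  # autostart pointing into a temp folder
            findings.append(Finding(rule, ev["pid"], f'{ev["key"]} -> {ev["value"]}'))
        elif ev["type"] == "process_create":
            for pat in RECOVERY_KILL:
                if pat.search(ev["cmd"]):
                    findings.append(Finding("recovery.disabled", ev["pid"], ev["cmd"]))
                    break
    return findings


def pids_to_investigate(events, threshold=2):
    """Processes that trip at least `threshold` distinct rules; one rule alone is noisy."""
    hits = {}
    for f in analyse(events):
        hits.setdefault(f.pid, set()).add(f.rule)
    return sorted(pid for pid, rules in hits.items() if len(rules) >= threshold)


# Constructed sample events (not real telemetry): pid 4120 is the dropped
# payload persisting from Temp and killing recovery; 880 and 2211 are benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "cmd": r'"C:\Users\amy\AppData\Local\Temp\update.exe"'},
    {"type": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\amy\AppData\Local\Temp\update.exe"},
    {"type": "process_create", "pid": 4120, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "pid": 4120, "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"type": "registry_set", "pid": 880,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "process_create", "pid": 2211, "cmd": "notepad.exe C:\\notes.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
    print("investigate:", pids_to_investigate(SAMPLE_EVENTS))
```

A Run-key write on its own is routine (installers do it all day, as the benign pid 880 shows), which is why `pids_to_investigate` only raises a process that both persists and tampers with recovery; the recovery-disabling commands are rare enough in normal use that a single hit is usually worth a look on its own.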
The heavy lifting
Next comes the Scanning stage. Where the previous two steps can take only seconds, this step can take hours, which gives us one of our first real chances to disrupt the attack. Here the ransomware first scans local files, checking which ones it has permission to read and write and so which are vulnerable. Local files include cloud storage folders synced to the machine, such as OneDrive, which means anything encrypted later is synced up to the cloud as well. It then looks for network connections and network shares and scans those in the same way. This takes time because a computer or server can hold a huge number of files and each one must be checked; there is no shortcut, so the software must walk every file one by one, leading to long run times.
Now we reach the Encryption stage, where the ransomware begins encrypting files, local first and then network files. This stage can take a long time because it reads each file, encrypts it, and replaces it with the encrypted version. Like the previous stage, it can take hours. Imagine something modest like 1 million files on a server: how long would that take to encrypt? If encrypting a single file takes a quarter of a second, then 4 files are encrypted per second, so 1 million files take 250,000 seconds. That is about 69.5 hours, almost 3 full days. This rough estimate assumes one process encrypting whole files one after another; real ransomware often runs several threads at once and encrypts only part of each large file, so treat it as an upper bound on your window, not a guarantee. Even so, it is one reason small and medium businesses are attractive targets, and why incidents at large corporations often involve the theft of a small, specific set of data rather than an attempt to encrypt everything.
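The scanning and encryption stages described in the last two paragraphs leave very different fingerprints in file-access telemetry: a burst of reads across many directories, then a burst of high-entropy writes and renames. The following is an added example written for this article, not code from the original post or from any product, showing a detector for both signals. It assumes a file-server or endpoint audit feed normalised to (t, pid, op, path, sample) records; the field names, the thresholds and the sample events are all constructed by the editor for illustration.

```python
"""Spot the scanning and encryption stages in file-access telemetry.

Added example, not code from the original post. Assumes an audit feed
normalised to records with t (seconds), pid, op ("read"/"write"/"rename"),
path, and for writes a `sample` of the bytes written. Two signals map to the
two stages: a process reading from many directories within a short window
(scanning), then rewriting files with ciphertext-like content and renaming
them to a new extension (encryption).
"""
import math
from collections import defaultdict

HIGH_ENTROPY = 7.5  # bits per byte; compressed files also sit here, so combine with renames


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _dirname(path):
    return path.rsplit("\\", 1)[0]


def _ext(path):
    return path.rsplit(".", 1)[-1].lower()


def _burst(evs, window, threshold, key):
    """True if `threshold` distinct keys occur within any `window`-second span.

    `key` maps an event to the thing being counted, or None to ignore it.
    Events must already be sorted by time; a sliding window keeps counts.
    """
    keyed = [(e["t"], k) for e in evs if (k := key(e)) is not None]
    counts = defaultdict(int)
    lo = 0
    for t, k in keyed:
        counts[k] += 1
        while keyed[lo][0] < t - window:          # drop events that fell out of the window
            old = keyed[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        if len(counts) >= threshold:
            return True
    return False


def alerts(events, window=60, min_dirs=20, min_files=10):
    """Return (pid, stage) pairs for processes whose activity looks like scanning or encryption."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_pid[ev["pid"]].append(ev)

    def scan_key(e):
        return _dirname(e["path"]) if e["op"] == "read" else None

    def enc_key(e):
        if e["op"] == "write" and shannon_entropy(e["sample"]) >= HIGH_ENTROPY:
            return e["path"]
        if e["op"] == "rename" and _ext(e["path"]) != _ext(e["new_path"]):
            return e["path"]
        return None

    out = []
    for pid, evs in by_pid.items():
        if _burst(evs, window, min_dirs, scan_key):
            out.append((pid, "scanning"))
        if _burst(evs, window, min_files, enc_key):
            out.append((pid, "encryption"))
    return out


def constructed_events():
    """Constructed sample, not real telemetry: pid 5100 scans then encrypts; pid 900 is a user saving a file."""
    ev, t = [], 0
    for i in range(25):  # read-only walk across 25 home directories, one per second
        ev.append({"t": t, "pid": 5100, "op": "read", "path": rf"\\fs01\home\user{i:02d}\notes.txt"})
        t += 1
    ciphertext = bytes(range(256)) * 4  # stand-in for ciphertext: every byte value equally frequent
    for i in range(12):  # overwrite 12 documents with ciphertext and rename them
        p = rf"\\fs01\home\user{i:02d}\report.docx"
        ev.append({"t": t, "pid": 5100, "op": "write", "path": p, "sample": ciphertext})
        ev.append({"t": t, "pid": 5100, "op": "rename", "path": p, "new_path": p + ".locked"})
        t += 2
    ev.append({"t": 5, "pid": 900, "op": "read", "path": r"\\fs01\home\user03\budget.xlsx"})
    ev.append({"t": 9, "pid": 900, "op": "write", "path": r"\\fs01\home\user03\budget.xlsx",
               "sample": b"Quarterly budget: 2024 totals by department\n" * 20})
    return ev


if __name__ == "__main__":
    print(alerts(constructed_events()))  # [(5100, 'scanning'), (5100, 'encryption')]
```

The scanning signal fires on reads alone, so it can also catch backup agents and indexers; tune `min_dirs` per host role or whitelist those processes rather than raising the entropy bar, since the encryption signal is the one you want to keep sensitive. In the sample the scanning alert fires roughly 20 seconds before the first file is overwritten, which is the window the article is talking about: the moment to isolate the host, not after the ransom note appears.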
Last is the Payday stage, where the ransomware has everything it needs and announces itself, for example by changing your desktop background. Cryptocurrencies such as bitcoin are the common form of payment. The attackers set a deadline for payment to get your data back and escalate if you miss it, raising the price (often 2 to 10 times the original demand) or deleting part of your data as a consequence. It is good practice never to pay the attacker, so backups are key, and multiple backups are needed, including copies kept offline or otherwise out of reach of the infected machines, because the attacker looks for backups during the scanning and encryption stages.
If you are interested in improving your security systems, please contact us using the form at the bottom of the page or by emailing us at firstname.lastname@example.org. Our Managed Hosted Services and Managed Services team can help you improve security, reduce stress, and reduce cost. We use industry-leading software and firewalls from some of the industry's best companies, such as FireEye and Aruba, 24-hour proactive monitoring, and identity monitoring through Okta. We can also help you upgrade your network hardware with equipment from an industry leader such as HPE. Contact us to learn about the Powerland Advantage and how we can help your organization. Powerland has been a trusted solutions provider in Canada for over 30 years.