The 7 Stages of a Ransomware Attack

Ransomware is a well-known form of malware that can infiltrate your systems, encrypt your data and then demand payment in order to retrieve it. 

It can be very disruptive, as demonstrated at the beginning of July 2021, when the Kaseya IT management suite was hit by REvil Ransomware, which used its own infrastructure to attack the IT systems of more than 1,500 of Kaseya’s customers. 

The software copied the data from the systems before encrypting it and threatened that if the ransom was not paid the data would be published on the dark web, which could have had varying consequences depending on the nature of the data. 

The REvil ransomware was first identified in April 2019 and has been linked to Gould Southfield, a group which runs a Ransomware as a Service (RaaS) model, distributing disruptive software using various online techniques. REvil isn’t the only ransomware software out there, and it certainly won’t be the last one to be created.

Ransomware on the whole is on the increase with a 50% rise in the UK in attacks in the last quarter of 2020. Nearly 50% of businesses are likely to be hit by ransomware at some point. Cybercriminals who create ransomware are looking for the security weaknesses in your IT systems, and therefore it is possible to prevent attacks from happening with a rigorous security policy.

The Anatomy of a Ransomware Attack

There are seven stages to a ransomware attack: 

1. Initiation – This is the process by which the ransomware is downloaded to your machine. This is done without knowledge of the user and can be initiated with a phishing campaign, malicious website, malicious exploit kit code, or weaknesses and vulnerabilities in connections and software. Even with up-to-date anti-ransomware software, the hackers can find vulnerabilities. 

2. Infection – The ransomware lays dormant on your machine (for days, weeks or months) and opens a direct link with the hacker. When the hacker chooses to activate the software there will be an open line of communication in which to do so. 

3. Activation – The Hacker activates the ransomware. Then it is a race against time before your organisation notices the software is there and what recovery processes to put in place. 

4. Encryption – The data on the IT infrastructure is made inaccessible, either through a lockscreen or through full encryption of the data. The software can encrypt masterboot records, individual files, virtual machines and can delete backup systems. Deleting back-up systems is unique to ransomware, as they do not want you to recover your data. The encryption can end up affecting not only data but also the functionality of the systems effectively putting your business viability at risk. 

5. Ransom request – There will be a request for ransom, normally paid in cryptocurrency, before the systems will be restored.  There will be a time scale of a few days, after which the amount requested will increase. 

6. Recovery – Many organisations will pay the ransom and receive some of their data back, or in some cases none of their data. However, with a robust recovery system in place,  and recent off-site back-ups it may be possible to restore the systems to a time before the software was present. However, this isn’t always possible and getting the business back online quickly may mean paying the ransom as the path of least resistance. 

7. Clean up – The most important aspect of the ‘clean up’ is ensuring that the malicious software is removed from all devices. This can be done by isolating networks to ensure there is no reactivation of the software, and once all traces are gone the system can be restored to full working order.

Prevention and Recovery 

Knowing the stages of a ransomware attack doesn’t make getting one and dealing with it any easier, so it is imperative that preventative measures are put in place which include:

• Anti-malware and anti-ransomware software
• Regular updates of all IOS and software
• Multi-factor authentication
• End to End Encryption for email
• Regular back-ups with off-site storage
• Regular training for staff about phishing

In order to get back online quickly and effectively it is important to have an up-to-date disaster recovery plan which outlines all the stages you need to go through to ensure data is recovered with the minimum of fuss and ideally without paying any ransom. 

A disaster recovery plan should include:

• Recovery Time Objective and Recovery Point Objective
• List of all hardware and software within the organisation
• Identification of who is responsible for what tasks
• Disaster response procedures
• Identification of particularly sensitive data

Whilst a disaster recovery plan and a data security policy cannot guarantee that your business will never be targeted by a ransomware attack, they are important tools in the armoury and can reduce the likelihood. 

If you have any further question or would like help assessing the security of your IT systems and curating a robust disaster recovery plan, then contact SupportWise today! ‍