Anatomy of a ransomware attack
A common misconception regarding ransomware attacks is that they are simple. Ransomware is in fact a combination of sophisticated software, and psychological methods. The attackers are highly organized and carry out organized plans. Do not believe for a moment that hackers simply get lucky. They pay close attention to fine detail, and exploit any weakness they uncover.
The typical ransomware attack consists of the lure, the payload, the action, and finally the aftermath. It is true that phishing is a common part of a ransomware attack, but phishing alone isn’t the only component to be warry of.
The lure is the email or the phone call, that is designed to get the potential victim to perform an action. This action will often be opening an attachment or following a link. The lure is carefully crafted to manipulate the trigger an emotional response.
The hacker knows if he or she can pose as the boss, or another individual who has the authority to request a payment, then the chance of success increases dramatically. That is why certain titles, are more likely to experience attack vs. others. For example, “Accounts Payable”, or “Financial Secretary” are more likely to be targeted than “janitor” Don’t think for a moment that your janitor won’t be targeted, they certainly will be.
The payload is the actual ransomware. This can be disguised as an excel spreadsheet, a PDF or a link. The document or link will appear real. It will have recognizable logos, names, and titles. Pay very close attention, the email will often contain a misspelled word, or grammatical error. Sometimes number will be substituted for letters. Again, the attacker is looking for a quick response, and is anticipating the victim failing to scrutinize the lure.
The action may very well be the most important part of the entire ransomware attack. The stakes are high for both parties, the hacker needs the victim to perform the action, and the victim needs to avoid the action. The action is the step where the victim either executes the malicious payload or successfully identifies the threat and deletes the email.
Clicking on the link or opening the attachment performs the action resulting in the victim’s files being encrypted and possibly exfiltrated by the attacker. If the user is at home, then possibly only their laptop or desktop is affected.
If they are on the corporate network, it is possible, that all folders, and files they have access to are affected, and other departments are impacted.
The aftermath, or the period of time after a company experiences a ransomware attack is chaotic and stressful. For some companies, there is little to no impact and they are back up and running in a few hours. For the majority of companies, the aftermath can last weeks to months and even years.
If the proper backup software is in place, a company can have access to their data while the local data is unavailable. If the worst case scenario occurs, and the backups become encrypted then getting backup and running is going to take a long time.
Getting access to your data is only half of the equation. You are still left with the process of cleaning the infected machine. This process can take anywhere from 4-8 hours depending on the machine. A server that needs to be cleaned up may take even longer.
Once you have your desktops and servers cleansed, you need to make sure there aren’t any traces of the infection left. If you don’t clean up everything, you could easily be reinfected.
How can you be sure everything is cleaned up?
One way is to perform a cyber threat assessment. A cyber threat assessment will look at logs, and configurations to make sure there weren’t any backdoors opened up in your network.
A cyber threat assessment is the starting point in identifying and resolving security vulnerabilities. It is recommended that this type of assessment be performed at a minimum once per year.
Click here to schedule your no cost cyber threat assessment.