I have a confession to make. I don’t like the phrase “ransomware attack”. I don’t like it because the target victim doesn’t know it was a ransomware attack until their systems have been encrypted and they get the note about being “ransomed”. The act of having systems ransomed is an action on an objective or the end goal for the attacker — it is not a means in itself.
Understanding ransomware and its various parts and processes will help us better understand the key points in which we can stop it, and how to do so most effectively.
5 Components of a Ransomware Attack
Every ransomware attack campaign has these 5 common elements.
Entry
The vector by which the attacker gets inside the network: a phishing email, stolen credentials, or exploitation of a vulnerability.
Installation
Malicious code is planted across the network. Backdoors may also be created.
Privilege Escalation
Attackers require higher levels of permissions, so they look for valid accounts with elevated permissions or try to exploit a vulnerability that will grant them those permissions.
Lateral Movement
They continue to move throughout the network to figure out what they have access to, looking for intellectual property (IP) and other sensitive data.
Exfiltration/Encryption
Criminals will begin to exfiltrate sensitive data. Once they are done, they encrypt the systems and deliver their ransom note.
Each of these elements is a sequential step in which another goal of the attacker is realized. Exfiltrating data is a goal, as is encrypting systems and delivering the ransom note. So, if the attack is detected and remediated in steps 1 through 4, or even mid-exfiltration, then it never reaches the final goal, making it a win for defenders. This is exactly why a victim doesn’t know an attack is a ransomware attack until after the systems are ransomed.
Nevertheless, defenders can still spot an intrusion in progress (given the right tools and strategy) and act to stop it. You never know whether it is simple foul play or a ransomware attack in the making, but a good rule is to always expect and prepare for the worst. In other words, all attacks should be treated as potential ransomware attacks, because that is where they can lead.
How to Protect Against Ransomware Attacks in 3 Steps
The natural next question is how to protect against ransomware, or what could be a ransomware attack. The answer is: You do the same things you always do. You implement a security strategy that has a balance of prevention, detection, and response.
1) How to Prevent a Ransomware Attack
Prevention means reducing the attack surface. This includes:
The more you put into prevention, the less you will have to put into detection and response. Those steps are trickier because once an adversary has entered your network, you are now playing by their rules. The right prevention steps can limit their chances of getting that far.
2) How to Detect a Ransomware Attack
You need the right tools to detect when something enters the network, and nowadays, there are more avenues to monitor than ever. Capabilities should include:
Using AI-driven tools to detect indicators of compromise (not just indicators of attack) widens your coverage when it comes to catching exploits in the act. Both signature-based and non-signature-based methods should be employed; sometimes it is the simplest attacks (like common web-based attacks) that give attackers their initial entry into the environment. Remember, attackers don’t want to work harder than they have to. They will try the door before sneaking in through a window.
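To make the "both signature and non-signature-based methods" point concrete, here is an added example (not code from the original article or from any vendor product) that runs two kinds of checks over a few constructed endpoint log lines: a signature check that matches a process image hash against a known-bad list, and two behavioural checks that need no signature at all, one for bulk outbound transfer (the exfiltration step) and one for a single process rewriting many files inside a short window (the encryption step). The log format, the field names, the placeholder hash, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Signature plus behaviour-based detection over constructed log lines.

Added example; everything below (log format, IoC value, thresholds) is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Signature-based input: a constructed IoC list. The hash is a placeholder,
# not a real indicator.
KNOWN_BAD_SHA256 = {"0123456789abcdef" * 4}

# Behavioural thresholds (assumed values for the example).
MASS_WRITE_FILES = 5                      # distinct files written by one process...
MASS_WRITE_WINDOW = timedelta(seconds=60) # ...inside this sliding window
EXFIL_BYTES = 50 * 1024 * 1024            # cumulative outbound bytes from one process

# Constructed sample log: "<iso-time> <host> <event> key=value ...".
# pid 4101 is the simulated intruder; pid 2200 is a benign backup job.
SAMPLE_LOG = """\
2024-01-01T10:00:01 ws01 process_start pid=4101 image=C:\\Users\\a\\update.exe sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2024-01-01T10:00:02 ws01 process_start pid=2200 image=C:\\Tools\\backup.exe sha256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
2024-01-01T10:00:05 ws01 net_out pid=4101 dst=203.0.113.10 bytes=40000000
2024-01-01T10:00:20 ws01 net_out pid=2200 dst=192.0.2.5 bytes=1000000
2024-01-01T10:00:40 ws01 net_out pid=4101 dst=203.0.113.10 bytes=30000000
2024-01-01T10:01:00 ws01 file_write pid=4101 path=C:\\Users\\a\\docs\\q1.xlsx.locked
2024-01-01T10:01:01 ws01 file_write pid=4101 path=C:\\Users\\a\\docs\\q2.xlsx.locked
2024-01-01T10:01:02 ws01 file_write pid=2200 path=D:\\backup\\set1.bak
2024-01-01T10:01:02 ws01 file_write pid=4101 path=C:\\Users\\a\\docs\\plan.docx.locked
2024-01-01T10:01:03 ws01 file_write pid=4101 path=C:\\Users\\a\\docs\\notes.txt.locked
2024-01-01T10:01:04 ws01 file_write pid=4101 path=C:\\Users\\a\\docs\\budget.pptx.locked
2024-01-01T10:01:30 ws01 file_write pid=2200 path=D:\\backup\\set2.bak
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, host, event, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return a list of alerts, one per (rule, pid), in the order they fire."""
    alerts = []
    writes = defaultdict(list)   # pid -> [(ts, path)] inside the sliding window
    out_bytes = defaultdict(int) # pid -> cumulative outbound bytes
    flagged = set()              # (rule, pid) pairs already raised

    def raise_alert(rule, pid, detail):
        if (rule, pid) not in flagged:
            flagged.add((rule, pid))
            alerts.append({"rule": rule, "pid": pid, "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        pid, event = rec.get("pid"), rec["event"]

        if event == "process_start":
            # Signature-based: exact match against the known-bad hash list.
            if rec.get("sha256") in KNOWN_BAD_SHA256:
                raise_alert("signature_known_bad_hash", pid, rec.get("image"))

        elif event == "net_out":
            # Behavioural: cumulative outbound volume per process (exfiltration).
            out_bytes[pid] += int(rec["bytes"])
            if out_bytes[pid] >= EXFIL_BYTES:
                raise_alert("behaviour_bulk_outbound", pid,
                            f"{out_bytes[pid]} bytes to {rec['dst']}")

        elif event == "file_write":
            # Behavioural: many distinct files rewritten by one process in a
            # short window (bulk encryption), using a sliding time window.
            window = writes[pid]
            window.append((rec["ts"], rec["path"]))
            cutoff = rec["ts"] - MASS_WRITE_WINDOW
            window[:] = [(t, p) for t, p in window if t >= cutoff]
            distinct = {p for _, p in window}
            if len(distinct) >= MASS_WRITE_FILES:
                raise_alert("behaviour_mass_file_write", pid,
                            f"{len(distinct)} files in {MASS_WRITE_WINDOW.seconds}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as written, only pid 4101 produces alerts: the hash signature fires on process start, the outbound rule fires once the second transfer pushes the cumulative total over the threshold, and the mass-write rule fires on the fifth distinct file inside the window; the backup job's two writes and small transfer stay below both behavioural thresholds. The behavioural rules are the ones that would still fire if the payload were recompiled with a new hash, which is the reason the article asks for both kinds of method.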
3) Ransomware Response
Ransomware response is a matter of practice as much as on-paper preparation. Since you don’t want to practice with live bullets (in other words, an actual ransomware attack), you need to simulate this event in your environment by performing red team engagements. This means:
Red teaming and other offensive security tactics will put not only your strategy and solutions but also your SOC to the test. It will help you see which areas of your team are battle-ready under fire and force your practitioners to think creatively. They will be pitted against other capable experts intent on ransacking their enterprise and exfiltrating their data — all for practice, of course. Once all your plans, solutions, and preparations are in place, there is no substitute for simulated real-world tactics to train you in the best methods of ransomware response.
Advanced Solutions for Ransomware Defense
While there is no perfect strategy, understanding ransomware means understanding that any attack could be a ransomware attack. Fortra’s suite of best-in-class, layered security solutions for ransomware helps you come to the table ready for anything.