The Anatomy of a Ransomware Attack
Where does it come from and how do we stop it?
To see just how damaging a sophisticated ransomware attack can be, look no further than the devastating impact of the WannaCry malware on the UK's National Health Service (NHS) recently. In just a few hours the malware was able to infect thousands of PCs across the NHS network, encrypting patient data, test results and other key files, virtually bringing the service to its knees.
Ransomware is one of the oldest forms of malware, but instead of slowly dying out over time, it has become more and more prevalent. Notable examples such as CryptoLocker, CryptoWall and now WannaCry are thought to be responsible for tens of millions of pounds worth of losses for their victims, making them serious business for cyber criminals.
The threat posed by ransomware is clear, so as a business looking to defend itself against a ransomware attack, where is the best place to start?
Breaking the threat down into smaller parts is a great starting point. Asking questions such as 'where does it come from and how do we stop it?', 'how does it spread and how do we stop that?', and 'if we can't stop it, what do we do after the attack?' will help businesses to start understanding exactly what they are up against and how, where and when attacks could potentially be neutralised. Using this approach to break down a ransomware attack, three distinct phases typically become apparent:
- Delivery: Malicious content containing the ransomware attack method arrives
- Infection: The payload detonates and/or the endpoint spreads the infection
- Recovery: Restoring data to the state before the attack
Once broken down in this manner, it is possible to examine each phase in more detail and start creating defence strategies to counter an attack:
Phase one: Delivery
This is the moment when the ransomware or the ransomware-enablement first enters the network. There are several different considerations at this point: the nature of the ransomware, and the threat vectors it uses.
The nature of ransomware: Ransomware is a specific subset of Advanced Threats, meaning it is a sophisticated piece of malware, repackaged frequently to avoid detection. To defend against this smarter breed of malware, Advanced Threat Protection (ATP) is required, ideally an ATP solution in which protection on each vector draws on the intelligence gathered on the others, which makes processing faster and more scalable. For comprehensive security, ATP should be utilised across all potential threat vectors (see below).
The threat vectors: The following is a breakdown of potential malware threat vectors, each of which can be a point of attack:
- Email: Email is the #1 threat vector. The vast majority of malware deliveries are attempted through this vector.
- Web: Drive-by downloads, cross-site scripting attacks, social media vulnerabilities and infected ads can all deliver malware to an endpoint.
- Network: Attackers can deploy automated tools to scan networks and find openings that allow them to enter the network. Once inside, they may find a way to deploy additional malware on the network.
- Application: One of the most vulnerable and least understood vectors. Web applications such as webmail, shopping sites and online forms are all exposed to the public and can sometimes be vulnerable to exploits.
Phase two: Infection
This next phase begins when the ransomware process is executed in the network. In most cases an attacker will use a phishing attack to enter the network, impersonating a figure of authority in order to trick an employee within the target network into unknowingly opening an infected email attachment containing the malware. Common examples of this include posing as a member of the organisation's HR or finance department, or as a third party such as a travel agency. Whichever guise is chosen, the email used to deliver the malware will be designed to match the impersonation, so as to appear as inconspicuous as possible.
If the attacker is successful, as soon as the employee opens the email attachment the malicious code embedded in it will be executed, releasing the malware onto the network.
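The impersonation pattern described above (an external sender borrowing an HR, finance or travel-agency identity to deliver a malicious attachment) is exactly what an inbound mail gateway should be scoring. The following is an added example, not code from the article or from any product it refers to: it parses raw messages, flags a display name that claims an internal role while the sender domain is external, flags attachment types that can run code or macros, and sniffs the attachment bytes for a Windows executable header so that a renamed file is still caught. The internal domain, role list, extension list and the three sample messages are all constructed assumptions.

```python
import email
import email.utils
import os
import re
from email import policy
from email.message import EmailMessage

# Assumption: the organisation's own mail domain (constructed for this example).
INTERNAL_DOMAIN = "example.com"
# Role names an impersonator might place in the From display name (HR, finance, travel, as in the article).
ROLE_PATTERN = re.compile(r"\b(hr|human resources|finance|payroll|accounts|travel)\b")
# Attachment types that can execute code or carry macros on a typical Windows endpoint.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".pptm"}
EXECUTABLE_MAGIC = b"MZ"  # every Windows PE executable starts with this DOS header


def build_sample(display_name, addr, subject, attachment_name, attachment_bytes):
    """Assemble a constructed test message with one attachment; returns raw RFC 822 bytes."""
    msg = EmailMessage()
    msg["From"] = f"{display_name} <{addr}>"
    msg["To"] = f"employee@{INTERNAL_DOMAIN}"
    msg["Subject"] = subject
    msg.set_content("Please review the attached document.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def triage(raw):
    """Return a verdict ('deliver' or 'quarantine') plus the findings behind it for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, address = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # A role claimed in the display name only makes sense from an internal address.
    if ROLE_PATTERN.search(display_name.lower()) and sender_domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{display_name}' claims an internal role "
                        f"but sender domain is '{sender_domain}'")

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has an executable or macro-enabled extension")
        content = part.get_payload(decode=True) or b""
        # Check the bytes, not just the name: a renamed .exe still starts with MZ.
        if content.startswith(EXECUTABLE_MAGIC) and ext not in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is a Windows executable disguised by its extension")

    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


# Constructed sample messages (no real senders, domains or payloads).
PHISH = build_sample("HR Department", "hr-notices@example-mail.net",
                     "Updated leave policy - action required",
                     "Leave_Policy.docm", b"PK\x03\x04" + b"\x00" * 64)
DISGUISED = build_sample("Acme Supplies", "billing@acme-supplies.invalid",
                         "Invoice 4471", "Invoice_4471.pdf", b"MZ\x90\x00" + b"\x00" * 64)
BENIGN = build_sample("Alice Smith", "alice.smith@example.com",
                      "Agenda for Thursday", "agenda.pdf", b"%PDF-1.4\n%constructed\n")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("disguised", DISGUISED), ("benign", BENIGN)):
        print(label, triage(raw))
```

The two attachment checks deliberately overlap: the extension list catches the common case cheaply, and the header sniff covers the case the extension list cannot. In a real gateway these findings would feed a score alongside sandbox detonation rather than act as the sole verdict.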
Phase three: Recovery
If a ransomware attack is successfully executed within the network, prevention is no longer an option and attention must instead turn to containment and recovery. In this phase, businesses must stop the malware spreading, remove it from the network, check for any additional malware that may enable further infection, and test the endpoint antivirus.
Once the network has been thoroughly cleaned and hardened, backups can be used to recover files. In order to be effective, an organisation's network and endpoint protection has to be up-to-date and working properly so that no infected files are inadvertently restored, reintroducing the malware.
The actions required in this phase will differ from business to business. Potential actions include examining logs, interviewing employees, comparing before/after states and evaluating existing disaster recovery solutions. Whatever the mix, it is important that management and IT work together to determine what is most appropriate during the post-infection recovery phase.
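The warning above about restoring infected files deserves a concrete control: before a backup set is copied back, each file should be checked against the known-good hash manifest recorded when the backup was taken, and anything the manifest does not vouch for should be held back. The following is an added example, not code from the article or from any backup product: it screens a directory against a manifest, and for unlisted files adds two further signals, an extension typical of encrypted output and high byte entropy, so the operator can see why a file is being held. The manifest format, the extension list, the entropy threshold and the sample backup it builds in a temporary directory are all constructed assumptions.

```python
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: extensions commonly appended to files after encryption (constructed list).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Encrypted or compressed data approaches 8 bits of entropy per byte; plain documents sit far lower.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of the given data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((count / total) * math.log2(count / total) for count in Counter(data).values())


def screen_backup(root, manifest):
    """Map each file (relative path) to ('restore' | 'hold', reason) using the known-good manifest."""
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel in manifest:
            if sha256_file(path) == manifest[rel]:
                results[rel] = ("restore", "hash matches backup manifest")
            else:
                results[rel] = ("hold", "content differs from manifest; modified after the backup was taken")
            continue
        # Unlisted files are never restored automatically; explain what else looks wrong with them.
        reasons = ["not present in backup manifest"]
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            reasons.append(f"extension {path.suffix} is typical of encrypted output")
        entropy = shannon_entropy(path.read_bytes()[:65536])
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte) suggests encrypted content")
        results[rel] = ("hold", "; ".join(reasons))
    return results


def build_sample_backup():
    """Construct a small backup tree: one intact file, one tampered file, one encrypted-looking file."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "reports").mkdir()
    intact = root / "reports" / "q1.txt"
    intact.write_bytes(b"Quarterly figures: revenue 120, costs 95\n" * 50)
    tampered = root / "notes.txt"
    tampered.write_bytes(b"meeting notes\n" * 20)
    # Manifest is recorded at backup time, before the tampering below.
    manifest = {"reports/q1.txt": sha256_file(intact), "notes.txt": sha256_file(tampered)}
    tampered.write_bytes(b"meeting notes\n" * 20 + b"appended after backup\n")
    # Seeded random bytes stand in for ciphertext; constructed, not real ransomware output.
    (root / "reports" / "q2.xlsx.locked").write_bytes(random.Random(42).randbytes(4096))
    return root, manifest


if __name__ == "__main__":
    backup_root, known_good = build_sample_backup()
    for name, (status, reason) in screen_backup(backup_root, known_good).items():
        print(f"{status:8} {name}: {reason}")
```

The manifest check is the decision; the extension and entropy signals are only explanations for files that fail it, so an ordinary compressed document that is in the manifest is still restored even though its bytes look random. The manifest itself must be stored somewhere the ransomware could not reach, or it proves nothing.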
Ransomware may not be a new threat, but it is still an extremely potent one. A successful attack can cause downtime, user frustration, lost productivity, lost business, and more. Properly understanding the threat faced will give businesses a far greater chance of recognising and stopping an attack before it is too late. However, relying solely on preventative measures can be dangerous. Investing in a robust backup and recovery solution will ensure that even if the worst happens, all is not lost.