Ransomware is malicious code that encrypts information on the systems it infects. As the name indicates, it is extortion malware: the attacker encrypts the information so that it becomes inaccessible to its owner, and then demands a ransom payment for the decryption keys that will make the information accessible again. A ransomware attack can affect not just computers, but mobile devices, servers and other systems, too.
As with all cyberattacks, the threat actor needs a way into a system or a computer from which they can then delve deeper and carry out their attack. There is no single modus operandi for ransomware attacks: attackers are opportunistic and search far and wide for vulnerable systems, striking where the chances look good. The weaknesses they exploit can be anything from faulty configurations to unpatched devices, and mistakes on the part of users are often exploited too.
One common approach is phishing in its various forms: tempting users into opening an attachment that contains malicious code, or planting links to malicious code in software offered for download. When a user opens the attachment or approves the download and the code runs, the attacker gains a foothold on the computer or system. Once the threat actor has found a way in, they make sure there is a route they can use repeatedly to get back into the environment, and where possible they create additional routes in. With these routes established, they start mapping the environment, looking for targets that hold valuable information, such as file servers and ERP systems.
Once they have mapped the environment, they can plan the execution of the actual attack. The threat actors behind ransomware attacks often operate like large companies, with varying degrees of organisation and several actors involved. Just as in other organisations, these actors specialise: one group looks for vulnerable targets to break into, while another specialises in making the malicious code spread as quickly as possible without being detected.
Their combined experience often enables them to find valuable information relatively quickly, information that they then encrypt as efficiently as possible. Increasingly, threat actors also copy the information before encrypting it and use the copy as a second lever, threatening to publish it online if the ransom is not paid (so-called double extortion).
The groups behind ransomware attacks are run like companies, with profit as their primary focus, so the attacks are carried out with a single purpose: to make money through extortion. But once they have broken in, the attackers often also take the opportunity to steal valuable information. What they look for differs from one company and sector to another, and can be anything from sensitive personal data to pricing information or plans of important buildings. More sophisticated threat actors will first study the nature of the victim's operations and, on that basis, work out what sort of information is likely to be of interest.
One common misapprehension is that none of your information is valuable enough for anyone to want to steal it. In a ransomware attack, however, it is enough that the information is valuable to you, the person it was taken from, because that is what increases the likelihood of the ransom being paid.
Discovering ransomware attacks in time can be difficult. It is not uncommon for them to remain undetected until the attack is more or less complete and you receive a notification that your information has been encrypted and a ransom must be paid to recover it. If attacks are to be detected before things go this far, monitoring and a robust environment are a must. Systems such as EDR (Endpoint Detection and Response) and SIEM (Security Information and Event Management) help you monitor security-related events in your environment. They can, for example, see when suspicious code is executed, analyse it, detect deviations and anomalies, and immediately isolate the affected system or systems. They can also correlate numerous events which do not, individually, constitute a serious threat, but which collectively build an atypical pattern.
These systems also allow you to define your own alarm and monitoring points: quite simply, to alert on or block events for which there is never a legitimate justification within your company, such as a workstation deleting its volume shadow copies. Over and above this kind of monitoring system, you also need logs from all of your operational systems, because even if EDR and SIEM indicate that something is happening, you need logs with detailed information on what actually happened. Store those logs centrally and out of the attacker's reach, since deleting local logs is a standard part of covering their tracks. The more log information you have available, the better your basis for analysing and investigating the incident, and for improving your protection.
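To make the two ideas above concrete, here is a small Python script added for this page (it is example code, not from the original article or from any particular EDR or SIEM product). It reads constructed endpoint events, alerts immediately on commands that have no legitimate justification, and otherwise scores weak signals per host inside a sliding time window so that several individually harmless events add up to one alert. The log format, host names, event names, command patterns, weights and thresholds are all assumptions chosen for the example; in a real deployment they would come from your own telemetry and be tuned to your environment.

```python
"""Correlate weak endpoint signals into a ransomware alert.

Added example, not code from the original article. Log format, host names,
event names, weights and thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed telemetry, one event per line: "<ISO time> <host> <event> <detail>".
SAMPLE_LOGS = r"""
2024-03-01T02:14:03 ws-17 process_start cmd.exe /c whoami
2024-03-01T02:14:10 ws-17 file_rename C:\Users\a\Documents\q1.xlsx -> q1.xlsx.locked
2024-03-01T02:14:10 ws-17 file_rename C:\Users\a\Documents\q2.xlsx -> q2.xlsx.locked
2024-03-01T02:14:11 ws-17 file_rename C:\Users\a\Documents\q3.docx -> q3.docx.locked
2024-03-01T02:14:11 ws-17 file_rename C:\Users\a\Documents\q4.pdf -> q4.pdf.locked
2024-03-01T02:14:12 ws-17 process_start vssadmin.exe delete shadows /all /quiet
2024-03-01T02:14:20 ws-17 file_write C:\Users\a\Documents\README_TO_DECRYPT.txt
2024-03-01T09:00:00 ws-22 file_rename C:\Users\b\draft.docx -> draft_final.docx
2024-03-01T09:00:30 ws-22 process_start cmd.exe /c whoami
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
RENAME_RE = re.compile(r"^(.*) -> (.*)$")

# Commands assumed to have no legitimate justification in this environment:
# destroying shadow copies, backup catalogues or boot recovery. One hit alerts
# on its own; no correlation is needed.
NEVER_LEGITIMATE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Weak signals: common on their own, suspicious in volume and combination.
# Weights are illustrative, not tuned values.
WEIGHTS = {"ext_change": 10, "ransom_note": 25, "recon": 5}


def _ext(path):
    """Lower-cased extension of the last path component, '' if there is none."""
    base = re.split(r"[\\/]", path)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify(event, detail):
    """Map one event to a weak-signal label, or None if it is uninteresting."""
    if event == "process_start":
        if re.search(r"\b(whoami|net view|nltest|nslookup)\b", detail, re.I):
            return "recon"
    elif event == "file_rename":
        m = RENAME_RE.match(detail)
        if m and _ext(m.group(1)) != _ext(m.group(2)):
            return "ext_change"  # e.g. q1.xlsx -> q1.xlsx.locked
    elif event == "file_write":
        if re.search(r"(decrypt|restore|recover)[^\\/]*\.(txt|html|hta)$", detail, re.I):
            return "ransom_note"
    return None


def correlate(log_text, window_seconds=60, threshold=50):
    """Slide a per-host time window over the events and return a list of alerts.

    A never-legitimate command alerts immediately. Weak signals are summed
    within the window and alert once per host when the sum reaches threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> deque of (time, label) inside the window
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, event, detail = m.groups()
        t = datetime.fromisoformat(ts)
        if event == "process_start" and any(p.search(detail) for p in NEVER_LEGITIMATE):
            alerts.append({"host": host, "time": ts, "rule": "never_legitimate",
                           "score": None, "evidence": detail})
            continue
        label = classify(event, detail)
        if label is None:
            continue
        q = recent[host]
        q.append((t, label))
        while t - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        score = sum(WEIGHTS[lbl] for _, lbl in q)
        if score >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "time": ts, "rule": "correlated",
                           "score": score,
                           "evidence": dict(Counter(lbl for _, lbl in q))})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input, ws-17 produces two alerts: the shadow-copy deletion fires on its own, and the reconnaissance command, four extension-changing renames and the ransom-note write add up to a correlated alert within the same minute. ws-22, whose rename keeps the .docx extension, never crosses the threshold. The same structure, a short list of never-acceptable events plus a weighted window over weak ones, is what you would express as rules in a real SIEM.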
Once the attack is complete and you no longer have access to your data, there are two ways to get it back: pay the ransom, or restore the information from backups. Before you do either, however, you need to understand what has happened and where the vulnerability lies, and to fix it. If you do not, you risk the threat actor returning and doing the same thing all over again.
To regain control, you need to isolate your systems from the outside world, which means your entire operations will be affected and are at risk of staying down until you have regained control of the situation. Time is therefore critical, and the more experience you have of handling this type of situation, the quicker you can solve the problem, so it is always worth getting help from an expert.
During an attack you, as the information owner, lose access to your data and face the risk of the information being leaked online. Whether you decide to pay the ransom or to restore your data from your own backups, both alternatives carry a substantial risk of data loss. A decryption key from the attacker gives no guarantee of getting 100% of your data back, since the criminals' decryption tools are often slow and unreliable, and by paying you are funding their criminal activities.
If your backups are not taken continuously, data created since the last backup is also lost. Backups that were reachable from the compromised environment may themselves have been encrypted or deleted, so restoring depends on having copies that are offline or otherwise out of the attacker's reach. On top of that, many operations nowadays cannot function at all without their IT systems, a situation with obviously massive consequences.
The most important protection against ransomware is a robust and resilient IT environment with good monitoring. The people behind these attacks take the path of least resistance, so building your IT environment so that it delays the attacker for as long as possible, for example by segmenting the network and keeping privileges to a minimum so that one compromised account or computer does not give access to everything, is a strong and important defence mechanism.
Think of it as using a fence, alarms and walls to protect a physical site. The goal is to delay the attacker as much as possible, to maximise your chances of detecting the attack through your monitoring systems and, hopefully, stopping it before it really gets started.