Understanding the anatomy of cyberattacks can be difficult. Luckily, during a recent webinar David Duncan, Technical Director at Redpoint Cybersecurity, and our very own VP Strategy, Michael Calev, took the time to guide us through the backend of a ransomware attack. Duncan came to the webinar equipped with over a decade of experience, acquired in both the military and private cybersecurity sectors. In conversation with Calev, Duncan discussed how his work in offensive cybersecurity intersects with combatting and analyzing ransomware campaigns.
Read on to learn more about what lies behind a ransomware attack.
The real cost of ransomware
Most people automatically associate ransomware with money. While money is certainly involved in ransomware, it is not the only consequence. A company’s reputation, image, and public relations are all impacted by the gravity of a ransomware attack.
When small to medium-sized businesses (SMBs) are hit with ransomware, approximately 60 percent of them shut down. This seemingly jarring statistic consists of the failure to recover backups and the inability to pay ransom. Without their data and sufficient funds to cover the ransom, a business is checkmated – they have to close.
Some businesses budget for a multi-million dollar payout if hit with a ransomware attack. The majority of SMBs, however, cannot afford to instantly lose that amount of money. They need a plan that will protect, prevent, and prepare them for a ransomware attack.
Inside a ransomware attack
Now that we have reviewed the cost of ransomware, let’s go back to the beginning, to the moment when someone in your organization clicks the wrong link or unknowingly opens a malicious file. Upon gaining access, most threat actors begin lurking on your network 50-90 days before they make contact. Threat actors take this time to identify critical assets that they will eventually extort.
Before we dive deeper into the types of ransomware, let’s establish a definition: ransomware is a type of malicious software (malware) designed to block access to (encrypt) data until the ransom (money) is paid.
But who develops the malware and sets the ransom? Those responsibilities fall to a ransomware “organization” and the threat actor.
A ransomware “organization” consists of cybercriminals that operate like a business. As such, they aim to generate revenue. One of the ways they do this is through executing ransomware attacks. However, more recently these organizations have found it more lucrative to develop the ransomware and then sell it to a threat actor.
Threat actors take on the role of a reseller, purchasing ransomware from developers and then distributing it via the methods we discuss below. This keeps ransomware developers removed from the cyberattack itself while still benefiting from the ransom. The threat actor takes a cut of the ransom, assuming the attack is successful, but the bulk is paid back to the developers.
While it may seem like threat actors have the easier end of the deal, purchasing ransomware rather than developing it, their strengths lie in social engineering. To begin their reconnaissance, threat actors must gain access to the network. While this is sometimes possible without social engineering, most threat actors opt to begin their attacks by targeting an organization’s greatest vulnerability: people.
In 2021, 78% of ransomware attacks began with email. Threat actors email individuals and execute phishing campaigns, first building a rapport with the victim. Sometimes this manifests over a series of emails before the threat actor sends anything malicious. Once they establish the victim’s trust, threat actors then send a link or file with a malicious executable that serves as a key into an organization’s network.
Double Extortion vs Triple Extortion
Once a threat actor has entered your organization’s network and spent enough time surveilling your organization, they can then decide how to best extort your business. Ransomware developers and threat actors alike aim to optimize “earnings”. To do this, they employ two techniques: double extortion and triple extortion. These innovative methods help shorten the cycle, from ransomware to payment, allowing attackers to more quickly move on to the next victim.
Double extortion happens when cyber attackers take your data, encrypt it, and then analyze it. By already having a copy of your organization’s data, they are able to pinpoint how to extort your business for the most money possible. They know your revenue, your employees, your industry, your partners, and your clients. With this understanding of your organization, attackers only have to take and leverage your most critical data to extort your business.
Triple extortion is double extortion notched up. What makes it different is the addition of an active and aggressive threat actor. They utilize their knowledge of your employees, partners, and clients to harass them through incessant emails, texts, and phone calls.
How to prepare for a ransomware attack
Now that we understand an attacker’s role in a ransomware campaign, let’s discuss what you can do to prepare your organization for this type of cyberattack.
Educating your team is the most fundamental action your organization can take to prepare for a ransomware attack. If your employees are not aware that such an attack can occur, how will they know what to look for when a malicious file appears in their inbox? End-user training is critical in any organization’s preparedness plan, but in order to be effective it must also be continuous; run periodic phishing tests and ensure that your employees maintain their cybersecurity alertness, awareness, and knowledge.
During the webinar, Duncan stressed the importance of educating not just end-users, but also the SOC teams themselves. He recommends outsourcing to a third party to conduct penetration tests, red teaming, and tabletop exercises. Bringing in a third party that specializes in cybersecurity, like Redpoint Cybersecurity, lends an added layer of scrutiny to bolster your IT services.
When a threat actor gains network access, they go through a series of steps: enumeration; attempt to elevate privileges; create persistence. Your organization’s response should be equally as methodical and structured. Here are some tips Duncan and Calev recommend in the webinar:
- Don’t skip the small stuff. Each event matters and it is better to be more alert than less. This process begins the moment you or someone in your organization notices something unusual on your network.
- Have a playbook. Know what to do and how to execute your incident response framework. This will mitigate some of your initial stress and save time because you already know what to do – it’s in the playbook.
- Ask for professional help. Bring in a third party expert to negotiate and handle the attack. They’re the professionals – they know what to do.
There is no cure-all when it comes to cybersecurity. Unfortunately, you can’t just implement one security solution and hope that it will remedy all of your cybersecurity concerns. Rather, cyber technology solutions must be layered to ensure optimal coverage. A multilayered approach is essential in preventing ransomware. This means that as cyberattacks become more sophisticated, so too should the tools you use to prevent them. Having multiple tools in place, like email security, Multi Factor Authentication (MFA), and EDR/XDR, gives your organization holistic defense ready to prevent ransomware.
Ransomware isn’t going anywhere anytime soon. As the reliance on professional collaboration channels increases, so does the cyberattack surface area. As we have discussed, no one item will magically prevent ransomware attacks, which is why it is important to employ a combination of strong solutions – it lends an extra perception point to your cybersecurity plan. Since tools won’t secure you alone, we recommend pairing those tools with experts. Having the tools and the experts early on is going to help your organization down the road.
For more on this topic, watch the full webinar on demand here!