Phases of a ransomware campaign

There’s a general perception among Canadian business owners and managers that ransomware attacks are get-rich-quick schemes — and this appears to be pretty accurate. For instance, in December 2019, hackers ran off with over a million dollars in one ransom payment by an unnamed Canadian insurance company. And just a few months before that, SentinelLABS tracked a particular security breach and found that hackers were able to launch their ransomware in just two weeks.

Two weeks? Don’t ransomware attacks happen in a snap?

This may happen in theory, but not if cybercriminals want their assault to be effective. Think of cyberwarfare as actual warfare. Army generals surveil unfamiliar landscapes, neutralize enemy outposts, and find which enemy assets they must destroy or can subvert prior to launching large-scale attacks against well-defended cities.

In a similar fashion, hackers scope out unfamiliar networks, neutralize cybersecurity programs, and look for valuable data before pulling the trigger on their data-encrypting malware. They may even stagger their activities and remain dormant for weeks at a time to avoid being detected by network monitoring tools.

Cybersecurity specialists have investigated how cybercriminals launch ransomware attacks and found a common methodology among them. Let’s take a closer look at the phases of a ransomware campaign:

Phase 1: Distribution campaign

Phishing emails are by far the most popular medium for spreading ransomware, but other channels include:

  • Websites that contain malvertisements – online ads that lead users to landing pages that deliver malware
  • Unsecured remote desktop protocol links – links that allow remote workers to gain access to your corporate network but are not protected by multifactor authentication and/or virtual private network connections

Phase 2: Infection

Often, the malware delivered in the initial breach is not the ransomware itself, but rather code for downloading and assembling it. This piecemeal method allows hackers to bypass most perimeter defenses, such as firewalls, intrusion detection systems, and anti-malware programs.

Phase 3: Setting the stage

Similar to how deployed army regiments establish supply and communication lines back to home base or other stations, the malware that’s building the ransomware establishes a connection between the ransomware and the hacker’s command and control (C2) server. The malware also establishes persistence — that is, the ability to stick around and remain functional despite the user rebooting the infected machine.

Phase 4: Scanning and valuation

Once the connection with the C2 is solidified, the hacker then hijacks legitimate system tools to continue their dirty work while virtually hiding in plain sight. However, unlike in the previous two phases wherein the interlopers are barely noticeable, this phase is where cybercriminals are the most exposed.

First, cybercriminals will use network scanners to figure out where their malware actually landed. That is, they’ll look for:

  • The name of the organization
  • The organization’s domain
  • The admin rights of the machine they infected (and which admin/system level controls are unsecured and therefore exploitable)

Once hackers have established where they are, they’ll:

  • Explore the network they’re in
  • Inventory the data they can get to and estimate its value

To further entrench themselves in your network, hackers will:

  • Steal access credentials and login details of other computers in your network
  • Create admin accounts of their own to disable and remove anti-malware protections

Phase 5: Encryption

This is where cybercriminals lay siege to your data. Encryption usually follows these processes:

Location of files: Local machine files
Encryption process:
  • Original files are encrypted where they are
Process speed: Takes seconds or minutes

Location of files: Network file shares
Encryption process:
  • Original files are copied onto the infected machine
  • Copy is encrypted locally
  • Encrypted files are uploaded into the network server
  • Original files are deleted
Process speed: Takes minutes or hours

Location of files: Cloud storage
Encryption process:
  • Local files are encrypted
  • When files are synced, the cloud will end up having encrypted files, too
Process speed: Depends on sync frequency
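The network-share sequence above (copy out, encrypt, upload the encrypted copy, delete the original) leaves a recognizable trace in file-server audit logs: one host reads a file, writes a different file, then deletes the original, over and over in a short window. The following detector is an added example written for this post, not code from XBASE or any product; the audit events are constructed tuples of (timestamp in seconds, host, action, path), and the window and threshold values are assumptions to tune for your own share.

```python
from collections import defaultdict, deque

# Constructed file-share audit events: (timestamp_s, host, action, path).
# ws-17 shows the Phase 5 network-share pattern; ws-03 shows ordinary user activity.
SAMPLE_EVENTS = [
    (0,  "ws-17", "READ",   r"\\fs01\finance\q3.xlsx"),
    (1,  "ws-17", "WRITE",  r"\\fs01\finance\q3.xlsx.locked"),
    (2,  "ws-17", "DELETE", r"\\fs01\finance\q3.xlsx"),
    (3,  "ws-17", "READ",   r"\\fs01\finance\budget.docx"),
    (4,  "ws-17", "WRITE",  r"\\fs01\finance\budget.docx.locked"),
    (5,  "ws-17", "DELETE", r"\\fs01\finance\budget.docx"),
    (6,  "ws-17", "READ",   r"\\fs01\finance\payroll.csv"),
    (7,  "ws-17", "WRITE",  r"\\fs01\finance\payroll.csv.locked"),
    (8,  "ws-17", "DELETE", r"\\fs01\finance\payroll.csv"),
    (10, "ws-03", "READ",   r"\\fs01\hr\policy.docx"),
    (12, "ws-03", "WRITE",  r"\\fs01\hr\policy.docx"),      # ordinary save in place
    (40, "ws-03", "READ",   r"\\fs01\hr\old-draft.docx"),
    (41, "ws-03", "DELETE", r"\\fs01\hr\old-draft.docx"),   # ordinary cleanup, nothing written
]

def find_encryption_bursts(events, window_s=60, threshold=3):
    """Return {host: count} for hosts that, within window_s seconds, performed at
    least `threshold` "replace" sequences: READ a file, WRITE a *different* file,
    then DELETE the original. That is the on-share footprint of the
    copy-encrypt-upload-delete process described for network file shares."""
    read_at = {}                    # (host, path) -> timestamp of last READ
    writes = defaultdict(list)      # host -> [(timestamp, path)] written so far
    replaces = defaultdict(deque)   # host -> timestamps of replace sequences in window
    flagged = {}
    for ts, host, action, path in sorted(events, key=lambda e: e[0]):  # stable by time
        if action == "READ":
            read_at[(host, path)] = ts
        elif action == "WRITE":
            writes[host].append((ts, path))
        elif action == "DELETE" and (host, path) in read_at:
            t_read = read_at.pop((host, path))
            # A delete counts only if this host wrote some other file between read and delete.
            if any(t_read <= tw <= ts and p != path for tw, p in writes[host]):
                window = replaces[host]
                window.append(ts)
                while window and ts - window[0] > window_s:
                    window.popleft()            # drop sequences older than the window
                if len(window) >= threshold:
                    flagged[host] = max(flagged.get(host, 0), len(window))
    return flagged

if __name__ == "__main__":
    print(find_encryption_bursts(SAMPLE_EVENTS))   # {'ws-17': 3}
```

Saves in place and plain deletions never trigger the rule, so the threshold can be set low enough to catch the burst while it is still in its first minutes rather than hours.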

Phase 6: Ransom is demanded

By this point, all of the hard work of our villains will practically pay off. They’ve locked your data away; and since they have the decryption keys, they can do whatever they want with it. If you pay the ransom, the hackers may hand over those keys — or choose to be extra evil by giving you the wrong ones.

But if you don’t pay the ransom, they can twist your arm by deleting a few files at a time or gradually releasing these to the public. If you still refuse to pay after that, they can still make money by selling your data on the dark web.

Beyond obtaining a basic roadmap of a ransomware campaign, cybersecurity specialists have also discovered the tell-tale signs of when a business may already be under siege. This will be covered in an upcoming post, so stay tuned!

Don’t let cybercriminals have their way with your data. Turn to XBASE for Exponentially Better™ cybersecurity services. Drop us a line to learn more.
