The Threat Lifecycle of Ransomware

Ransomware has been prolific over the past year. Businesses of all shapes and sizes have had their data held to ransom by cybercriminals.

There are a couple of factors CyGlass have identified to help us understand the ransomware attack vector:

• • 100% of studied ransomware uses the encrypted Remote Desktop Protocol (RDP).
  • On average ransomware has been 150 days in your network.
  • Encryption often happens after hours on a Friday night when no one is there to notice.

So, what does the lifecycle of a ransomware attack look like? 

CyGlass have broken it down into a 5 step process…

1. 1. Gain access through a network.
   2. Establish a foothold by using RDP backdoors and SSH and DNS tunnels to move around in systems undetected.
   3. Deepen access by utilising password cracking to source administrator rights. This provides greater control in the system and broadens access even further.
   4. Move laterally around the network to gain access to other services and parts of the network. (Find the crown jewels!)
   5. Look, learn, and remain on the network. Get an understanding of how the network works, its vulnerabilities, and where the sensitive data is that will be worth a ransom.

To pay or not to pay?

There has been constant debate over whether a ransomware demand should be paid. We agree with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA). Generally paying the ransom is not a good idea. Particularly when it does not actually guarantee you get your data back. For example, with ‘wiper’ malware files aren’t decrypted after the ransom is paid.

A much better strategy is defence in depth.

This means layers of defence with several mitigations at each level. Utilizing defence in the SIEM, at the endpoint, protecting critical assets with extra protection, as well as network security. By upping your ability to detect malware and stop it before it completes the full ransomware lifecycle, you are protecting the business with defence in depth. It will also make remediation much quicker and more effective.

And the most critical part of defence-in-depth when it comes to ransomware? Nothing beats backups. Having a recent offline backup of your most important files and data is critical if a ransomware attack takes hold as it means you won’t feel backed into a corner to pay the ransom.

Join our upcoming webinar on December 2nd, hosted with CyGlass where we will be exploring ransomware trends and predictions going into the New Year and discussing the findings from CyGlass' recent ransomware survey. You can save your seat here.