
The stages of a ransomware attack uncovered

Many of us associate ransomware with the clandestine. We conjure images of mysterious figures in dimly lit rooms, tapping away as pages of code rush by, or ominous messages from unknown sources locking our screens without warning. Inexplicable as this activity may seem, ransomware isn’t as vague as news reporting, movies and stock images would have you believe.

As it stands, we can chunk ransomware into five distinct phases, which, more often than not, repeat to the letter. This doesn’t reduce the threat, but it does help you prepare, react and resolve efficiently, to protect your business and customers.

Understanding how each phase of a ransomware attack works can reveal the security measures your business requires and where you’re taking unnecessary risks. You can increase your resilience against cyberattack, hopefully preventing a breach entirely or at least mitigating the aftermath.

Here, we take you on a step-by-step, behind-the-scenes walkthrough of ransomware.

 

Research and exploitation:

Cybercriminals aren’t moral, but they are shrewd. Any cybercriminal worth their salt spends significant time – sometimes months – sizing up a target for opportunities and inroads. Those with hopes of securing larger ransom payments pinpoint backup cycles to hit a victim at their most vulnerable and cause maximum damage.

Dormant malware, spyware or exploit kits are deployed to silently (and illegally) gather critical information and lie in wait until an attack trigger is released. Without website, database and server scanning and monitoring software, you’ll be none the wiser until it’s too late.

 

Delivery and infection:

Once cybercriminals have established a valid target, meaning one whose cybersecurity (or lack thereof) can be penetrated, the ransomware is installed on the victim’s system with persistence measures in place. At this point, it’s still unlikely you’d realise anything was wrong unless you have anti-ransomware software.

 

Backup file theft:

As mentioned, a ransomware attack may strike at the most vital point in a backup cycle. Therefore, any business which isn’t continually replicating to cloud backup is particularly vulnerable in terms of disaster recovery and business continuity.

Immediately after the ransomware is delivered, it targets backup files and removes them to prevent restoration. This provides a means for demanding a ransom. This tactic is unique to ransomware and highlights just how important it is to back up regularly to a robust server which is ideally cloud-based.

 

File encryption:

Now, things get even more sinister. Once your backups are wiped, the ransomware applies the encryption keys to lock your local system. Businesses that have a failover server and skeleton system as part of their disaster recovery and business continuity infrastructure can continue to trade, but those without such measures are frozen in time.
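The order of the last two stages (backups removed, then files encrypted) is something monitoring can look for. The following is an added example, not code from this post or from any product: it assumes a constructed log format with hypothetical `backup_delete` and `file_rename` event names, and flags any host where a backup deletion is followed within ten minutes by a burst of file renames.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp key=value" format.
SAMPLE_LOG = """\
2024-05-01T02:13:50Z host=fs01 event=file_write path=/srv/share/report.docx
2024-05-01T02:14:07Z host=fs01 event=backup_delete path=/backups/nightly-0430.tar
2024-05-01T02:14:09Z host=fs01 event=backup_delete path=/backups/nightly-0429.tar
2024-05-01T02:14:30Z host=fs01 event=file_rename path=/srv/share/report.docx.locked
2024-05-01T02:14:31Z host=fs01 event=file_rename path=/srv/share/plan.xlsx.locked
2024-05-01T02:14:33Z host=fs01 event=file_rename path=/srv/share/notes.txt.locked
2024-05-01T03:00:00Z host=web02 event=backup_delete path=/backups/old-2023.tar
2024-05-01T09:30:00Z host=web02 event=file_rename path=/var/www/index.html.bak
"""

def parse(line):
    """Split one log line into (datetime, dict of key=value fields)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), fields

def find_suspect_hosts(log_text, window=timedelta(minutes=10), min_renames=3):
    """Return hosts where a backup deletion is followed, within `window`,
    by at least `min_renames` file renames (backup removal, then encryption)."""
    deletions = defaultdict(list)  # host -> times of backup deletions
    renames = defaultdict(list)    # host -> times of file renames
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, fields = parse(line)
        if fields.get("event") == "backup_delete":
            deletions[fields["host"]].append(when)
        elif fields.get("event") == "file_rename":
            renames[fields["host"]].append(when)

    suspects = {}
    for host, times in deletions.items():
        # Check every deletion, so an old benign one cannot mask a later burst.
        for deleted_at in sorted(times):
            burst = sum(1 for t in renames[host]
                        if deleted_at <= t <= deleted_at + window)
            if burst >= min_renames:
                suspects[host] = {"backup_deleted_at": deleted_at,
                                  "renames_in_window": burst}
                break
    return suspects

if __name__ == "__main__":
    for host, info in find_suspect_hosts(SAMPLE_LOG).items():
        print(host, info["backup_deleted_at"].isoformat(), info["renames_in_window"])
```

On the sample data only `fs01` is flagged; `web02` deleted an old backup but the rename came hours later, outside the window.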

 

Demands and extortion:

Finally, you’re faced with the on-screen message we all dread. Your systems have been accessed and locked, and your files are wiped – but you can get them back for a costly sum. The message may also relay additional threats, and you can feel incredibly pressurised to act.

However, it’s worth mentioning that the UK Government’s National Crime Agency encourages businesses and the public not to pay ransoms to cybercriminals. They advise that if you pay, there’s no guarantee you’ll get what’s promised in return, your system may still be infected, and you may be retargeted.

Worried about ransomware? We don’t blame you! Here are some useful mitigating actions we recommend you take:

  • Draft in a specialist to undertake a comprehensive IT audit. The audit will uncover weak spots and areas for improvement, and serve as the foundation for where your cybersecurity budget is spent.
  • Set up preventative tech such as filtering and monitoring software for web, email, servers and databases, along with antivirus and anti-malware software.
  • Switch to a robust cloud-based backup system, and revisit your disaster recovery plan.
  • Give ransomware education a voice in your business and ensure that everybody – including the senior management team – is aware of warning signs, best practice and emerging threats.

If you need help protecting your business from the growing threat of ransomware, contact Sentis Managed Solutions on 0345 862 2930.