Anatomy of a Ransomware Attack

It begins with a screen. Perhaps plain, maybe embellished with a skull and crossbones. It appears in a flash. "Whoa," you say, "hang on, this isn't right." The first line reads "You have been infected with ransomware. To get your data back you must follow these steps". Then the payment info, and the tears, the frustration, the fear. By the time you see the screen, chances are the ransomware has already been on the system for a while and has done the damage it was designed to do.

We’d like to hope you never see this happen for real on any of your devices, but this is how a ransomware attack usually goes:

The Initial Compromise

The first stage in a ransomware attack is where the malware actually gets onto your system. (See our first article in the series here, where we cover this in more detail.)

However, if you didn't bother reading that, here are the Cliff's Notes: the initial compromise stage usually comes down to phishing emails or malicious websites (and, for businesses, exposed remote access services and stolen credentials). You click on something that you shouldn't, and, BAM, RANSOMWARE!


Consolidating Access

After the ransomware gets onto your system, it typically spends some time making sure it has the permissions and abilities necessary to do its thing. Encrypting the files of the user who ran it needs no special privileges, but to really mess up a computer, or a whole network, it usually needs Administrator-level access (on Windows) or root access (on Linux systems). That means getting deeper into the operating system, to the files and configurations that control the whole device: disabling security tools, deleting backups and shadow copies, and spreading to other machines. If the account that was originally compromised doesn't have that level of power, the malware will try to get it, a step known as privilege escalation.

File Encryption

This is the stage where the ransomware really has fun and feels at home. The whole point of it is to deny access to a computer or its files by encrypting them. Which means that, unless you have the specific encryption key, you won't be able to read the files afterwards. And since backup habits are somewhat lacking for most of the general population, this means you can't access anything you were just working on: financial records, pitch proposals, research projects, or even 10 years of pictures of your kids. And then you are desperate to pay the ransom.

Some ransomware variants are especially cruel and take additional steps to ensure you will never get your files back. Ransomware generally deletes or overwrites the original plaintext files on disk once the encrypted copies have been written, but some variants go further and make sure they're really gone (deleted files can often be recovered if you act fast), for example by wiping free space or deleting the Volume Shadow Copies that Windows keeps for system restore.


Command and Control

What's funny (not funny ha ha, but funny/interesting/strange) is that the whole business model for ransomware is based on trust between the cybercriminal and the target (that's you). You are "incentivized" to pay the ransom because you have a shred of hope that the hacker will give you the decryption key in return. TBH, most of the time you'd be right. (But you will notice that doesn't say all the time.) It's a gamble.

For this exchange to be possible, the hacker needs to know the particular key that was used to encrypt your family photos. This is typically accomplished by the malware sending the key to the hacker in Command and Control (C2) communications, or by encrypting that key with a public key whose private half only the hacker holds, so it can be unlocked once you pay.

What's worse is that the malware, if it's the extra-bad kind, can do things beyond locking up your files, such as stealing all your passwords, and then send all your data back to the cybercriminal over that C2 channel. C2 can occur throughout the process, but ransomware often waits until the end. Many cybersecurity solutions operate on the network, and if you notice a computer being oddly chatty (regular check-ins to an unfamiliar address, or a sudden burst of uploads), you may investigate and shut down the malware before it has encrypted all of your files. Staying quiet until it's too late is a better bet for the malware.
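"Oddly chatty" usually means one of two things on the wire: a host contacting the same outside address on a clockwork schedule (the implant checking in for instructions or reporting its key), or a host pushing far more data out than it normally does (the stolen passwords and files leaving). This Python is an added example, not part of the original article: it reads a constructed connection log, measures how regular the gaps between a host's connections are, and reports the candidate beacons along with their outbound byte volume. The IP addresses, timestamps and jitter threshold are made up for the example.

```python
import statistics
from collections import defaultdict

# Constructed connection log (not captured traffic): "timestamp_seconds src dst bytes_out".
# 10.0.0.5 checks in with 203.0.113.9 about once a minute; 10.0.0.7 talks to
# 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 512
1060 10.0.0.5 203.0.113.9 512
1119 10.0.0.5 203.0.113.9 520
1181 10.0.0.5 203.0.113.9 512
1240 10.0.0.5 203.0.113.9 512
1301 10.0.0.5 203.0.113.9 512
1360 10.0.0.5 203.0.113.9 512
1421 10.0.0.5 203.0.113.9 512
1012 10.0.0.7 198.51.100.20 2300
1050 10.0.0.7 198.51.100.20 140
1301 10.0.0.7 198.51.100.20 9800
1310 10.0.0.7 198.51.100.20 300
1900 10.0.0.7 198.51.100.20 4100
1905 10.0.0.7 198.51.100.20 700
2400 10.0.0.7 198.51.100.20 120
2401 10.0.0.7 198.51.100.20 120
"""


def parse_log(text: str):
    """Parse whitespace-separated rows into (timestamp, src, dst, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((float(ts), src, dst, int(nbytes)))
    return rows


def beacon_candidates(rows, min_connections: int = 6, max_jitter: float = 0.15) -> dict:
    """Group by (src, dst) and sort by time. The gaps between a beacon's successive
    connections cluster tightly around one interval, so their coefficient of
    variation (stdev / mean) is small. Real implants add random sleep jitter, so
    max_jitter is a knob to tune, and bytes_out is reported so a quiet beacon that
    suddenly uploads a lot (exfiltration) stands out in the same view."""
    times = defaultdict(list)
    out_bytes = defaultdict(int)
    for ts, src, dst, nbytes in rows:
        times[(src, dst)].append(ts)
        out_bytes[(src, dst)] += nbytes

    findings = {}
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            findings[pair] = {"connections": len(ts), "interval_s": round(mean, 1),
                              "jitter": round(jitter, 3), "bytes_out": out_bytes[pair]}
    return findings


if __name__ == "__main__":
    for (src, dst), finding in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {finding}")
```

Only the once-a-minute pair is reported; the browsing host has gaps ranging from one second to ten minutes and is ignored. Legitimate software also beacons (update checkers, monitoring agents), so in practice you would whitelist known destinations and look hardest at regular traffic to addresses nobody in the organisation recognises.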


Ransom Demand

If you've been hit by ransomware before, this stage needs no explanation. There's the horrified shock while reading the message, followed by manic clicking to verify that your files are in fact lost, and finally acceptance and the hard decision between losing the data and paying the ransom.

If you decide to pay, then you'll probably, maybe, might just get the decryption key in return. The key can be used to decrypt your data, leaving you sadder, poorer, and wiser about ransomware. But it doesn't always work, and if the malware was also stealing, your passwords and data are in the criminal's hands whether you pay or not.

Stopping the Cycle

The longer you wait before detecting and responding to a ransomware attack, the worse it's going to be. Most stages execute pretty quickly, so the best way to protect yourself is to ensure that the initial infection never happens, and to keep backups that the malware can't reach so that, if it does, the encryption stage has nothing to hold hostage. With good cybersecurity hygiene and behaviors, the chances of clicking on a bad link or opening a malware-laden attachment are greatly reduced. Nothing is foolproof in this world (which is why coffee mugs are labelled with warnings of hot beverages inside), but building awareness and care into your security culture helps drive the habits that can keep most ransomware at bay.

Next In The Series

Ransomware 3: 5 Things You Can Do to Protect Yourself from Ransomware

Previously...

Ransomware 1: How Ransomware Gets In