The 5 Phases
Of A Ransomware Attack
There are 5 distinct phases of a ransomware attack. Understanding what happens at each phase and recognizing the indicators of compromise (IOCs) can increase your likelihood of successfully defending against, or at least mitigating the effect of, an attack.
The timeline of an attack is very compressed. You often have as little as 15 minutes from the exploitation and infection to receiving the ransom note. Recognizing the early indicators is critical to your success in stopping an attack.
Phase 1 : Exploitation and Infection (T – 00:00)
In order for the attack to be successful, the malicious ransomware file needs to execute on a computer. This is often achieved through a phishing email or an exploit kit. In the case of the Cryptolocker malware, the Angler Exploit Kit is the preferred method to gain execution.
Phase 2 : Delivery and Execution (T – 00:05)
During this phase, the actual ransomware executables are delivered to the victim's system. Upon execution, persistence mechanisms will be put into place.
Phase 3 : Backup Spoliation (T – 00:10)
A few seconds later, the ransomware targets the backup files and folders on the victim's system and removes them to prevent restoring from backup. This is unique to ransomware; other types of crimeware don't bother to delete backup files.
Phase 4 : File Encryption (T – 02:00)
Once the backups are completely removed, the malware will perform a secure key exchange with the command and control (C2) server, establishing the encryption keys that will be used on the local system.
Phase 5 : User Notification and Cleanup (T – 15:00)
With the backup files removed and the encryption dirty work done, the demand instructions for extortion and payment are presented. Quite often, the victim is given a few days to pay. After that time, the ransom increases.
Finally, like a Mission Impossible recording that self-destructs, the malware cleans itself off the system so as not to leave behind significant forensic evidence that would help to build better defenses against the malware.
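The five phases above are only useful to a defender if each one maps to something that can be watched for. The following is an added example, not part of the original infographic: a small triage script that runs a handful of illustrative indicator rules over constructed endpoint log lines (host name, paths, process names and timestamps are all made up), tags the first event that matches each phase, and uses the page's T–00:00 to T–15:00 timeline to estimate how much of the window remains at the moment an analyst looks. The rules (double-extension executable spawned by a mail client, a Run-key persistence write, deletion of files under a backup path, an outbound connection by the persisted binary or a burst of renames, a ransom-note file name and self-deletion) are assumptions chosen to match the phase descriptions, not an exhaustive detection set.

```python
"""Phase-aware triage of ransomware indicators over constructed log lines.

Added example; every host, path, process name and timestamp below is
constructed for illustration, and the rules are illustrative assumptions.
"""
import re
from datetime import datetime

# The page's timeline: phase number -> (name, offset in seconds from T-00:00).
PHASES = {
    1: ("Exploitation and Infection", 0),
    2: ("Delivery and Execution", 5),
    3: ("Backup Spoliation", 10),
    4: ("File Encryption", 120),
    5: ("User Notification and Cleanup", 900),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|js)$", re.I)
BACKUP_PATH_RE = re.compile(r"(\\Backups?\\|\.bak$|\.vhdx?$)", re.I)
RANSOM_NOTE_RE = re.compile(r"(DECRYPT|RESTORE|README|RANSOM)", re.I)
MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe", "firefox.exe"}


def parse_line(line):
    """Parse '<iso-ts> <host> <event> k=v k=v ...' into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
            "event": m.group("event"), **fields}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines, rename_burst=10, burst_window_s=60):
    """Return {phase: (first timestamp, reason)} for every phase with a hit."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    found = {}
    persisted = set()   # binaries written to a Run key (phase 2 artefact)
    renames = []        # timestamps of recent renames, for the burst rule

    def hit(phase, ev, why):
        found.setdefault(phase, (ev["ts"], why))   # keep the earliest hit only

    for ev in events:
        kind = ev["event"]
        if (kind == "process_create" and ev.get("parent") in MAIL_OR_BROWSER
                and DOUBLE_EXT_RE.search(ev.get("image", ""))):
            hit(1, ev, "double-extension executable spawned by " + ev["parent"])
        elif kind == "registry_set" and "\\CurrentVersion\\Run" in ev.get("key", ""):
            persisted.add(basename(ev.get("data", "")))
            hit(2, ev, "Run-key persistence: " + ev.get("data", ""))
        elif kind == "file_delete" and BACKUP_PATH_RE.search(ev.get("path", "")):
            hit(3, ev, "backup artefact deleted: " + ev["path"])
        elif kind == "file_delete" and basename(ev.get("path", "")) in persisted:
            hit(5, ev, "persisted binary removed itself: " + ev["path"])
        elif kind == "net_connect" and basename(ev.get("image", "")) in persisted:
            hit(4, ev, "outbound connection (possible key exchange) by " + ev["image"])
        elif kind == "file_rename":
            renames.append(ev["ts"])
            renames = [t for t in renames
                       if (ev["ts"] - t).total_seconds() <= burst_window_s]
            if len(renames) >= rename_burst:
                hit(4, ev, f"{len(renames)} renames within {burst_window_s}s")
        elif kind == "file_create" and RANSOM_NOTE_RE.search(basename(ev.get("path", ""))):
            hit(5, ev, "ransom note dropped: " + ev["path"])
    return found


def response_budget(found, now):
    """Seconds left before the ransom note (T-15:00), estimated from the earliest
    detected phase: back-date its timestamp by that phase's offset to get T-00:00."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    phase, (ts, _) = min(found.items())
    elapsed = (now - ts).total_seconds() + PHASES[phase][1]
    return max(0, PHASES[5][1] - elapsed)


# Constructed sample log, laid out to follow the page's timeline.
LOG_LINES = [
    "2024-03-04T09:00:00 WS01 process_create parent=outlook.exe image=C:\\Users\\alice\\Downloads\\invoice.pdf.exe",
    "2024-03-04T09:00:05 WS01 registry_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=updater data=C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
    "2024-03-04T09:00:10 WS01 file_delete path=D:\\Backups\\full-2024-03-03.bak",
    "2024-03-04T09:00:11 WS01 file_delete path=D:\\Backups\\full-2024-03-02.bak",
    "2024-03-04T09:02:00 WS01 net_connect image=svc.exe dst=203.0.113.7:443",
] + [
    f"2024-03-04T09:02:{s:02d} WS01 file_rename old=C:\\Share\\doc{s}.docx new=C:\\Share\\doc{s}.docx.locked"
    for s in range(1, 31)
] + [
    "2024-03-04T09:15:00 WS01 file_create path=C:\\Users\\alice\\Desktop\\HOW_TO_DECRYPT.txt",
    "2024-03-04T09:15:01 WS01 file_delete path=C:\\Users\\alice\\AppData\\Roaming\\svc.exe",
]

if __name__ == "__main__":
    hits = triage(LOG_LINES)
    for phase in sorted(hits):
        ts, why = hits[phase]
        print(f"Phase {phase} ({PHASES[phase][0]}) at {ts.time()}: {why}")
    print("seconds left at 09:00:30:", response_budget(hits, "2024-03-04T09:00:30"))
```

The point of the budget calculation is the one the page makes: on this sample the backup deletions at T–00:10 are already a phase 3 signal, and if that is the first thing an analyst sees, the estimate still back-dates to T–00:00 and leaves under fifteen minutes before the note lands. The rename-burst rule is deliberately a fallback to the C2-connection rule, since the key exchange precedes the mass renames in the page's ordering.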
Ransomware attacks are just starting to ramp up. Because these attacks are so lucrative for the perpetrators, they are certain to become more common, more damaging and more expensive.
Your organization’s success in defending against a ransomware attack is largely dependent on your level of preparation and the tools you deploy to monitor your system to detect, respond to and neutralize suspicious activity.