What happens during a ransomware attack: Understanding stages of targeting and response

Today’s columnist, Darren Williams of BlackFog, argues for a more proactive approach to security to prevent ransomware attacks like the one earlier this year on Colonial Pipeline. (Photo by Drew Angerer/Getty Images)
The ransomware attack on Colonial Pipeline offers just one example of what organizations should expect when targeted. (Photo by Drew Angerer/Getty Images)

To prepare for and respond to ransomware attacks, it helps to understand the anatomy of a ransomware attack – that is, the sequence of events that typically occur, and what steps organizations should take for both responsible and effective response.

Of course, the potential fallout of ransomware attack was made clear in the last couple years, particularly as impact hit not only initial targets but supply chain partners as well. Challenges were laid bare in the findings of a recent survey of 300 IT and cybersecurity decision-makers and influencers, which found that 43% suffered at least one ransomware attack during the past two years. Among them, 58% paid a ransom, 29% found their stolen data on the dark web, and 44% suffered financial losses. Another 37% said they lack an adequate security budget, while 32% believe they're powerless to prevent ransomware attacks because threat actors are too well-funded and sophisticated.

So what do organizations need to know about the anatomy of ransomware attacks, to both help with preventative efforts and to ensure they are not caught blindsided? Here is a rundown on the stages of an attack, and of response.

Attack stages

Here are the three stages of a ransomware attack that most targeted organizations can expect:

  1. Initial infection. An initial attack occurs that enables access to an organization’s systems and devices. This can be accomplished through phishing, zero-day or other methods that lead to one or more users mistakenly downloading malware. Common scenarios include clicking on email attachments or links sent by unknown sources. Regardless of how the attack is carried out, this is the point where an organization has been compromised.
  2. Data hijacked. Attackers use the malware to gain access to devices and then lock and encrypt data stored on the systems. As noted by the Cybersecurity and Infrastructure Security Agency (CISA), which leads the national effort to understand, manage, and reduce risk to cyber and physical infrastructure, ransomware is designed to encrypt files on devices, rendering any files and the systems that rely on them unusable.
  3. Ransom demands. Once systems have been locked up via encryption or some other method, the malicious actors demand a ransom in exchange for decrypting the data. They often target and threaten double extortion – the selling or leaking of exfiltrated data or authentication information – to instill a sense of urgency. Ransoms are typically demanded in digital currencies that are difficult to trace, like Bitcoin or Monero.

Attack response

If your organization is compromised, these are the steps to take:

  • Find the cause and contact law enforcement. At any point following the initial attack but certainly by the time systems have been rendered inaccessible, an organization must identify the root cause of the attack and contain it if possible, also contacting law enforcement such as the FBI’s Internet Crime Complaint Center (IC3) to report the incident. Depending on the situation, the FBI might not be able to help the organization, but it does have resources available. Law enforcement can, for example, help assess the magnitude of the breach, guide the organization on how to proceed, and help communicate with the attackers.
  • Call the lawyers and insurers. It’s a good idea to connect with internal and external legal representatives and any appropriate regulatory bodies in case litigation results from the attack. The organization should engage external legal counsel that specializes in cyber security and incident response, and contact its cyber insurance provider if it has one, to put into motion a claim for any losses stemming from the attack.
  • Communicate with employees and other stakeholders. Communicating with employees, customers, business partners, members of the media, and the public at large about the attack is important – and delicate. Striking the right balance of sharing all needed actionable information, to ensure individuals and partner organizations can effectively respond to the threats to their own data and networks, while not jeopardizing the integrity of any investigation and recovery efforts can be complicated. This process should include input from various teams – communications, security, legal, HR, to name a few – and establishing a response plan ahead of an attack can help.
  • To pay or not? The organization must determine whether to pay the ransom in hopes of having systems and data restored. Together, law enforcement, legal and insurance entities can help counsel the organization about the best course of action. The discussion should include key executives from the organization, including the CEO, CFO, COO and others, and take into consideration the short-term and long-term impacts of paying or not paying the ransom. It's worth noting that law enforcement strongly discourages payment of ransoms, with potential legal implications if ransomware groups have ties to sanctioned entities.
  • Expect more trouble. The organization needs to be aware of the aforementioned double extortion attack, in which bad actors exfiltrate its sensitive data in addition to encrypting it, giving them additional leverage to collect ransom payments. Roger Grimes of KnowBe4 actually refers to  "quintuple extortion": stealing not only your data and emails, but also your employee and customer credentials, and then trying to find all sorts of other ways to extract value from your company. The point is that when attackers gain access to the organization’s network using methods such as phishing, malware, vulnerability exploits, and others, the threat remains even after system access is recovered, the threat remains.
  • Road to recovery. As part of the recovery process, compromised systems and encrypted data need to be restored and verified in an environment known to be free of ransomware. The verification process includes making sure backup copies of data are not contaminated. As soon as possible, the cyber security team should eradicate or remediate whatever vulnerabilities enabled the ransomware attack to be successful. Working with IT and others, the team needs to analyze what occurred before, during, and after the attack and make any needed changes. This includes reviewing detection and prevention security controls and evaluating the incident response plan as well as roles and responsibilities. Depending on the nature of the attack, the organization might need to conduct a formal investigation using an IT forensic investigator.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.