Ransomware Kill Chain
Part 1: Why ransomware is not a typical cyberattack
In general, most cyberattacks are designed to stay hidden. The malware used in these attacks infiltrates the target system inconspicuously, and the theft of data normally remains undetected, especially when the systems are insufficiently protected. Ransomware is quite a different case.
The main difference between a common malware-based cyberattack and a ransomware attack is that ransomware directly contacts the user of the affected system. From the cybercriminals' point of view this approach is understandable: by this time the offender has already taken control of the target system and offers the victim access to the captured data only in exchange for a ransom.
In addition, ransomware attacks are automated. Once the cybercriminal starts the process of the attack, no further commands are needed to compromise the target system. It can be observed that individual companies are increasingly becoming the focus of ransomware attacks. And while this form of cyberattack is not new, recent events have shown that a variety of businesses cannot protect themselves from ransomware attacks. Often, corporate security officers face the challenge of detecting the attack at an early stage.
For this reason, it makes sense to take a closer look at ransomware as a less typical form of attack to gain a better understanding and deduce appropriate measures.
The Ransomware Kill Chain
If you browse online for information about ransomware, you will come across the same content over and over again, and even intensive research yields few new insights.
Watching ransomware run live, under practical conditions, is therefore far more instructive. That is why we have dedicated a full webcast to this topic, which you can download for free below.
The basic structure of a ransomware attack
Phishing emails have frequently been used as bait in the past. These mostly contained infected file attachments or links to malicious websites.
Once the email arrived in the inbox, the recipient was just a click away from the infection. Besides opening a malicious file attachment such as an infected PDF, DOC or XLS file, a drive-by download is also possible.
Cybercriminals generally target a series of potential victims. Once a malicious file is opened, the installation on the respective system takes place. It should be noted that the installation can take place independently of the activation of the ransomware: a ransomware attack can be prepared in advance and started at a later date, from a few weeks to several months later.
After the malicious software has been installed, a key is fetched to encrypt the data. The key is kept on a server, and obtaining it after paying a ransom is ultimately the only way for the victim to regain access to their own files. However, there is no guarantee that this will actually happen.
In this next step, the ransomware starts its core task, the process of encryption. It can encrypt individual files on one system or even multiple systems within a corporate network. This process denies the user access to their data. The user is locked out of their own system. The system is unusable for the user from this point on.
Now a corresponding notification appears on the victim's screen. For this purpose the desktop background is simply replaced by an image containing the payment request and further instructions. Once this step is completed, the attackers only have to wait for the victim to make the ransom payment.
Coupling the ransom demand to a deadline is a tried and tested method cybercriminals use to increase the pressure on those affected. The payment is often made in bitcoins, an online currency that is increasingly criticized for its lack of transparency. The way Bitcoin and similar cryptocurrencies work ultimately means that the recipients of the money are rarely identified. If the system owners do not pay by the deadline, either the ransom demand is increased or the deletion of files begins.
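The encryption phase described above is the step where early detection is still possible: a legitimate user edits a handful of documents, whereas ransomware rewrites many files in quick succession, replacing readable content with ciphertext-like data. The following is an added example written for this article, not code from the original post or from any product: a small Python heuristic that scores file-write events by the Shannon entropy of their content before and after the write, and raises an alert when several distinct files jump from low to high entropy within a short window. The event stream, file paths, and thresholds (7.0 bits per byte, 5 files, 10 seconds) are constructed assumptions for illustration, not values from any real telemetry source.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

HIGH_ENTROPY = 7.0      # bits/byte; compressed or encrypted data is typically above this
BURST_MIN_FILES = 5     # distinct files rewritten to high entropy within one window
WINDOW_SECONDS = 10.0   # assumed length of the detection window


@dataclass
class WriteEvent:
    """One observed file write: content before and after the write (constructed)."""
    ts: float
    path: str
    before: bytes
    after: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_rewrite(ev: WriteEvent, threshold: float = HIGH_ENTROPY) -> bool:
    """True when readable (low-entropy) content is replaced by ciphertext-like content."""
    return shannon_entropy(ev.before) < threshold <= shannon_entropy(ev.after)


def detect_encryption_burst(events, window=WINDOW_SECONDS, min_files=BURST_MIN_FILES):
    """Return a list of (first_timestamp, [paths]) for every burst of suspicious rewrites.

    A burst is a group of suspicious rewrites, spanning at least `min_files` distinct
    paths, whose timestamps all fall within `window` seconds of the group's first event.
    A single high-entropy write (a user saving an archive) never reaches the threshold.
    """
    suspicious = sorted((e for e in events if is_suspicious_rewrite(e)), key=lambda e: e.ts)
    alerts = []
    i = 0
    while i < len(suspicious):
        paths = []
        j = i
        while j < len(suspicious) and suspicious[j].ts - suspicious[i].ts <= window:
            if suspicious[j].path not in paths:
                paths.append(suspicious[j].path)
            j += 1
        if len(paths) >= min_files:
            alerts.append((suspicious[i].ts, paths))
            i = j          # consume the whole burst
        else:
            i += 1         # slide the window forward by one event
    return alerts


def sample_events():
    """Constructed event stream, not real telemetry: normal edits, one archive, one burst."""
    rng = random.Random(1234)   # seeded so the example is reproducible
    doc = b"Invoice 2024-0017\nCustomer: Example GmbH\nAmount: 1.250,00 EUR\n" * 40
    events = [
        # ordinary editing: low entropy before and after, never suspicious
        WriteEvent(0.0, "C:/Users/alice/Documents/invoice.docx", doc, doc + b"Note: paid\n"),
        # a single archive saved by the user: high entropy, but an isolated event
        WriteEvent(5.0, "C:/Users/alice/Downloads/backup.zip", b"", rng.randbytes(2048)),
    ]
    # simulated encryption phase: eight documents rewritten with random bytes in ~3 seconds
    for i in range(8):
        events.append(WriteEvent(100.0 + i * 0.4, f"C:/Shares/projects/report_{i}.xlsx",
                                 doc, rng.randbytes(2048)))
    return events


if __name__ == "__main__":
    for first_ts, paths in detect_encryption_burst(sample_events()):
        print(f"ALERT t={first_ts}: {len(paths)} files rewritten with high-entropy content")
        for p in paths:
            print("  ", p)
```

Entropy alone is a weak signal (archives, images and already-encrypted files are legitimately high-entropy), so the example only alerts on the combination of a low-to-high entropy jump across many distinct files in a short time; in practice such a heuristic is paired with canary files, extension-change monitoring and process ancestry to keep false positives down.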
More often than not victims are dependent on their data. This is especially true for companies that rely on customer data (address data, invoices, project data, etc.) on a daily basis. Ransomware attacks often cause immense damage and even drive some companies into insolvency. Even though experts and investigating authorities advise against payment, the decision to pay a ransom is understandable on a human level.
Naturally, cybercriminals know how to exploit this fact for themselves. They simply wait for the victims to pay the ransom before providing them with a link to the key itself or to a decryption program. However, this happens on a voluntary basis and without any guarantee.