Infiltrate, Escalate, Exfiltrate: The Anatomy of a Ransomware Attack
Statistics indicate that ransomware attacks are escalating in frequency, sophistication, and financial impact. Cybercriminals increasingly leverage advanced encryption methods and automation to exploit known and unknown vulnerabilities in systems at scale, making these attacks more difficult to detect and mitigate. As these threats evolve, organizations across all sectors must enhance their cybersecurity measures to combat this pervasive and growing menace effectively.
Evolving Tactics
Ransomware is malicious software designed to block computer systems or data access until a ransom is paid. However, it has evolved to include double and multi-extortion ransomware tactics, which see malicious actors encrypt victims’ data and threaten to leak sensitive information publicly or launch additional attacks if their demands are unmet.
In addition, these attacks are not only carried out by skilled professionals. There’s also the Ransomware-as-a-Service (RaaS) model, in which individuals who may not have the skill or technical wherewithal to develop their tools can simply buy them on the dark web, which has lowered the barrier to entry.
Ransomware differs fundamentally from other types of malware because its primary objective is to disrupt an organization rather than remain undetected. Current cybersecurity investments often fail to address the unique challenges posed by ransomware. Once considered a niche threat, ransomware has become one of organizations’ most significant dangers. In 2023, 75% of organizations reported being targeted by at least one ransomware attack, with 26% facing four or more attacks.
Understanding is Critical to Defense
Although current endpoint protection solutions are robust and effective against many threats, they are not fully equipped to handle ransomware attacks, as they are designed to detect and block standard malware. Ransomware-as-a-service (RaaS) operators and data extortion attackers are incorporating sophisticated evasion techniques into their payloads, allowing them to bypass traditional endpoint protection solutions altogether.
This is why understanding the anatomy of a ransomware attack is crucial for developing effective defense strategies and mitigating potential damage. Remember, every major ransomware attack against a big organization you see in the news bypassed a mature security stack that included EPP/EDR/XDR solutions and more.
The Stages of a Ransomware Attack
Complex, multi-stage ransomware attacks typically follow a similar progression, though specifics can vary depending on the attack group and target. The four stages of a ransomware attack generally include:
Initial Infection, Persistence, and Command and Control
Initial infections traditionally involve malicious attachments or links in phishing emails, drive-by attacks, or using stolen or brute-forced user credentials. Phishing emails often contain attachments or links designed to trick recipients into downloading malware or visiting malicious websites, while drive-by attacks exploit vulnerabilities in web browsers to deliver malware without the user’s knowledge. Additionally, cybercriminals may use stolen or brute-forced user credentials to gain unauthorized access to systems.
More advanced ransomware operators use automation to identify and exploit organizations that have not patched known vulnerabilities, and to compromise exposed APIs. These operators use automated tools to scan for vulnerabilities across numerous systems and networks, quickly identifying and targeting those that are not up to date with security patches.
By compromising APIs, they can exploit weaknesses in the communication protocols between different software components, gaining deeper access and control over the targeted entity’s infrastructure. This approach enables ransomware gangs to launch more sophisticated and widespread attacks more efficiently.
Privilege Escalation and Lateral Movement
Once they have a foothold on the network, ransomware operators move laterally and vertically through the network to access as much of the environment as possible. They carry out reconnaissance to locate sensitive data to exfiltrate and compromise additional users and systems before deploying the ransomware payload. Key to this progression is escalating user privileges through social engineering, credential theft, or exploiting vulnerabilities and misconfigurations in operating systems and applications.
Other techniques commonly used for privilege escalation and lateral movement include brute-forcing weak passwords, credential spraying or stuffing, and credential dumping, through which the malefactor gains access to a wide range of credential sets. At the end of this stage, the malicious actor usually has all the privileges of a network administrator.
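One way a defender can tell the two credential attacks named above apart in failed-logon telemetry is shown in this added example, which is not from the article; the record format, the thresholds and the sample records are constructed for illustration. The point it makes is that a spray stays under any per-account lockout threshold, so only a per-source view across accounts reveals it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records in a hypothetical "timestamp source_ip account" format.
SAMPLE_FAILED_LOGONS = (
    [f"2024-05-01T09:0{i}:00 10.0.0.5 user{i}" for i in range(6)]            # spray: 6 accounts, 1 try each
    + [f"2024-05-01T09:10:{i:02d} 10.0.0.9 svc_backup" for i in range(12)]    # brute force: 1 account, 12 tries
    + ["2024-05-01T09:30:00 10.0.0.20 bob", "2024-05-01T09:30:40 10.0.0.20 bob"]  # benign: a mistyped password
)

SPRAY_MIN_ACCOUNTS = 5     # one source failing against this many distinct accounts
BRUTE_MIN_ATTEMPTS = 10    # one source failing this many times against a single account
WINDOW = timedelta(minutes=10)


def parse_record(line):
    ts, src, account = line.split()
    return datetime.fromisoformat(ts), src, account


def classify_sources(lines, window=WINDOW):
    """Map each source IP to the set of patterns seen inside any `window`:
    'spray' (many accounts, few tries each) or 'brute_force' (one account, many tries).
    Per-account lockout counters never trip on a spray, which is why the
    grouping here is by source rather than by account."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, account = parse_record(line)
        by_src[src].append((ts, account))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        labels = set()
        for i, (start, _) in enumerate(events):
            # every failure from this source that falls inside the window opened by event i
            in_window = [acct for ts, acct in events[i:] if ts - start <= window]
            if len(set(in_window)) >= SPRAY_MIN_ACCOUNTS:
                labels.add("spray")
            if max(in_window.count(a) for a in set(in_window)) >= BRUTE_MIN_ATTEMPTS:
                labels.add("brute_force")
        findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in classify_sources(SAMPLE_FAILED_LOGONS).items():
        print(src, sorted(labels) or "no pattern")
```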
Data Exfiltration
Data exfiltration occurs when threat actors transfer data from a computer, server, or network system without the owner’s consent. The exfiltrated data will include personally identifiable information, payment processing information, business dealings, trade secrets, intellectual property, and other valuable data.
Threat actors increasingly exfiltrate data in ransomware attacks before detonating the ransomware payload. This exfiltrated data can be used in double extortion schemes, where attackers threaten to expose the data if the ransom is not paid by a deadline.
Payload Detonation and Extortion
The delivery of the ransomware payload initiates the file encryption process, rendering data, devices, and systems inaccessible. This is usually accompanied by a ransom note informing the system owners of the attack and providing instructions on meeting the attackers’ demands to regain access, typically involving ransom payment.
Ransomware has also evolved into double extortion attacks, where bad actors exfiltrate data and threaten to release it publicly if the ransom is not paid. In addition, some even stoop to multiple extortion methods, which employ multiple layers of attack to coerce victims to pay the ransom. Over and above encrypting files, this type of attack could include file exfiltration, distributed denial of service (DDoS) attacks, or even extending the ransom demand to third-party partners.
In an unexpected twist, the infamous ransomware group BlackCat/ALPHV elevated its extortion tactics even further when it lodged a complaint with the US Securities and Exchange Commission (SEC) against one of its victims, software company MeridianLink. The victim allegedly did not respond to the gang’s demands, nor did it adhere to the four-day cyber-attack disclosure rule, prompting the attackers to publish a screenshot of the form they filled out on the SEC’s complaints page.
In all cases, there is no guarantee that payment will protect the stolen data from being exploited.
Developing a Robust Ransomware Strategy
In complex ransomware attacks involving data exfiltration, there are often weeks or months of detectable activity on the network. By this point, the attacker has largely succeeded, and regardless of whether the organization pays the ransom or chooses to remediate without cooperation, significant disruption and damage have already occurred.
This highlights the importance of developing a ransomware defense strategy that emphasizes prevention, stopping the attack before the ransomware payload is delivered, and resilience by ensuring operations can return to normal swiftly with minimal disruption.
The recovery time from a ransomware attack is estimated to be a staggering 24 days, too long to be acceptable. That’s why organizations need resilient solutions that leverage automated recovery of encryption keys, instant decryption of endpoints, and the means to protect system backups from being impacted by an attack.
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data center. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at Bora.