Ransomware payouts are on track to make 2023 another banner year for criminals, netting more than $440 million since January, according to a recent analysis by Chainalysis. But there are ways for organizations to blunt the impact.

First, some background: One of the reasons for ransomware’s continuing success, according to Chainalysis, is the success of what is popularly called “big-game hunting,” or going after large enterprises with deep pockets and the promise of big ransom rewards. Witness the reach of the Clop gang with exploits of Progress Software Corp.’s MOVEit file transfer software. Chainalysis estimates an average payout of $1.7 million per victim.

But the trend has other contributing factors, such as an increased number of successful attacks on smaller targets. Also, as more victims refuse to pay some security analysts think this has motivated attackers to ask for higher ransoms across the board or use more extortion techniques to convince victims to pay. Ransomware continues to be a growth business opportunity for criminals, whether or not victims pay up, because stolen data carries a certain value on the dark web, the shady corner of the internet reachable with special software.

To bring more clarity to the rise in ransom payments, we examined reports by six security firms that tried to categorize the various steps involved in a typical ransomware attack:

• EJ2 Communications Inc. Flashpoint’s Anatomy of a Ransomware attack (seven stages, July 2023)
• Google LLC Mandiant’s m-Trends June 2023 report (which breaks down the recent Ukrainian cyberattacks into five stages)
• Palo Alto Networks Inc. Unit 42’s Stages of a Ransomware attack (five stages, February 2023)
• Blackberry Ltd.’s Anatomy of a Ransomware attack (eight stages, October 2022)
• JP Morgan Chase & Co.’s Anatomy of a Ransomware attack (five stages, September 2022)
• Darktrace PLC’s Nine Stages of Ransomware (it is really six discrete stages, December 2021)

Many of these companies have ulterior motives in laying out their ransomware models, in that they sell research based on their own telemetry (such as Palo Alto Networks and Mandiant) or products that can help find or mitigate malware (such as Blackberry, Darktrace and Flashpoint). Be that as it may, they are still useful documents to learn more about how the typical attack progresses.

And though the number of discrete steps is open to interpretation, it’s apparent from these sources that today’s ransomware attack is far from a simple digital smash-and-grab. Understanding these steps can be useful in figuring out how to detect an attack before it develops into a full-on multidimensional threat. We propose this nine-step model to provide this clarity:

1. Target selection. All attacks begin with some kind of research by the criminals where they collect information on a target’s size, the sophistication of its digital infrastructure and security defenses, willingness to pay, and the value of its private data. This could be done via various open-source and public reconnaissance, as well as scanning a potential target’s open network ports, types of access controls and whether or not a target’s network is segmented by firewalls and proxy servers.
2. Initial exploit delivery and access. This is usually done via phishing emails, but it could be accomplished using malware exploit kits or exploiting other weaknesses in server or supply chains.
3. Once the malware has established a beachhead on a victim’s endpoint, the attackers create a connection to their command and control servers to begin the attack. Oftentimes, attackers deliberately take their time. Unit 42 says a month is the average “dwell time” after the first penetration, for example.
4. The typical next step is to navigate across the target network, expanding their reach and seeking out new targets to gain control over multiple computers. This effort is to find the most critical data that could be used to compromise the victim. Common techniques here include using compromised credentials or exploiting unpatched software vulnerabilities.
5. Attackers will also attempt to escalate access privileges to continue to expand their reach and locate their ultimate data targets.
6. Next is the actual deployment of the actual ransomware, and then detonation of the encryption process. In some circumstances, attackers will also inflict damage on target systems, such as deleting backup data copies that are found during the recon phase.
7. Once this has been done, the attackers make offsite copies of the encrypted data.
8. In this step, the attackers finally send out ransom and extortion notes to the victim. Extortion can take multiple paths, such as posting information about the breach on the dark web and threats to release data. Communication can employ a variety of channels, including email, instant messaging or by identifying a web-based negotiation portal that the attacker sets up. “Remember, this is a negotiation,” Unit 42’s report says. “Most initial ransomware demands are not paid in full but rather negotiated down.”
9. Whether or not ransoms are paid, the last step is to recover data, mitigate the damages, restore and clean up equipment and patch as needed. There’s also post-mortem analysis of what went wrong and when, and how to prevent subsequent attacks.

A variety of tools come into play through these nine stages — for example, a way to monitor potential intrusions, which can often be as subtle as a few network packets, or a way to examine outbound data flows, which can be an indication of an attack in its later stages. By breaking the attack down into these stages, organizations can assess if their tool collection is adequate or if there are holes that need filling to shore up their defenses.

Flashpoint says in its report, “At each stage of a ransomware attack, robust threat intelligence can stop an emerging risk in its tracks and minimize — or even prevent — damage to your organization,” Flashpoint says in its report. And if all that isn’t enough, I covered some other suggestions on ways to harden networks to reduce the potential for a ransomware attack in this post earlier this summer.

Image: TheDigitalArtist/Pixabay