Understanding Ransomware: The Most Common Attack Pattern
Digital transformation is now a number one strategic business goal. From Sydney to San Francisco, boardrooms are working out how best to harness the power of the cloud, AI, IoT and more to drive success. Their efforts are not only vital to create new customer experiences and streamline business processes. They are also critical to supporting the new hybrid working model rapidly emerging from the ashes of the pandemic.
However, the price organizations often pay for growing their digital footprint is expanding the cyberattack surface. This invites cyber risk — particularly the threat of damaging ransomware breaches.
Scores of ransomware developers and affiliate groups are currently operating around the globe. That means there are also a wide variety of attack tactics, techniques and procedures in circulation. But that doesn’t mean we can’t discern a primary modus operandi. Even better, we can take this general attack pattern and apply a simple three-step process to help mitigate ransomware risk.
This is the value of micro-segmentation based on comprehensive visibility into the communications of network assets and the common pathways used by threat actors.
This blog post will answer common questions about how ransomware works — and how to stop it.
Why does ransomware matter?
Ransomware reached record-breaking levels within the first three quarters of 2021, with one vendor recording close to 500 million compromise attempts globally. Attacks have evolved in recent years to the point where data exfiltration is now the norm, adding a whole new element of business risk. It means organizations can’t simply back-up data and cross their fingers. There’s a real risk of financial and reputational damage stemming from the data breach alone.
Today, so-called “double extortion” attacks could result in:
- Regulatory fines
- Lost productivity
- Lost sales
- IT overtime costs to recover and investigate
- Legal fees (e.g., class action suits in the event of a data breach)
- Customer churn
- Declining share price
Every organization and every attack is different. While some commentators estimate the average financial impact at nearly $2 million today, some raids have cost victims hundreds of millions. That makes it essential to take proactive steps to counter the threat.
How does ransomware work?
The good news is that, despite the many variants and affiliate groups in operation today, we can discern a basic pattern to most attacks. In short, threat actors:
- Hide inside networks for months before striking.
- Exploit common pathways for initial network access and ongoing lateral movement.
- Perform actions across multiple stages to achieve their goals.
Let's go deeper into each of these.
How do attackers go undetected for so long?
The goal for attackers is to stay hidden until they have built a strong enough presence inside a victim’s network to steal large volumes of sensitive data and deploy ransomware everywhere.
To do so, they:
- Breach an asset that the organization didn’t know was vulnerable or exposed — be that a device, application or workload with an open connection to the internet and other network assets
- Use pathways/data flows the organization didn’t know were open, and which should be closed according to best practice security policy
- Compromise multiple systems spanning multiple functions, which makes it hard for teams to trace everything back to a single incident
How do attackers exploit common pathways?
Most ransomware arrives via phishing emails, RDP compromise or exploitation of software vulnerabilities. To increase the chances of success, attackers look for:
- A small set of high-risk, popular pathways such as RDP or SMB. These are usually organization-wide, easily mapped, and often misconfigured.
- Open ports and exploitable assets, via automated scans using scripts and crawlers.
- Ways to move laterally at speed, using these high-risk pathways to spread organization-wide in just minutes.
How do multi-stage attacks work?
Most attacks begin with compromising a low-value asset, as these are usually easier to hijack. The trick for threat actors is then to move through additional stages to reach valuable assets that they can steal data from or encrypt, providing leverage when extorting the victim organization.
To do so, attackers usually:
- Take advantage of an organization’s poor visibility, policy controls and segmentation.
- Connect to the internet in order to download additional tooling to help with the next stages of an attack or exfiltrate data to a server under their control.
- Cause most damage through lateral movement — which is the process of jumping around in the network from asset to asset.
Three simple steps to stop ransomware
With this typical attack pattern in mind, CISOs can begin to devise a response — a new security architecture based around three simple components:
1. Develop comprehensive visibility of communication flows across your environment
This will leave your attackers with nowhere to hide, unmasking them as they try to compromise the initial asset or during lateral movement.
To do so, you must:
- Develop real-time visibility into all assets, enabling you to address any unessential or anomalous data flows.
- Build a real-time map of the environment to identify which workloads, applications and endpoints must stay open and which can be closed.
- Create a unified view of comms flows and risk data that all ops teams can work from, reducing internal friction.
2. Build ransomware-blocking capabilities
It’s not good enough to merely map communication flows and understand which assets can be closed. You need to take action to reduce the attack surface and block in-progress raids.
Do this by:
- Closing as many high-risk pathways as possible and monitoring the ones remaining open in real-time.
- Closing any ports that don’t need to be open, reducing the chances that automated scans will find exposed assets.
- Creating an emergency containment switch that can be launched in seconds to restrict network comms in the event of an attack.
3. Isolate critical assets
The final stage is to prevent attackers from reaching critical assets, forcing them to take easier-to-detect actions to progress.
This will involve:
- Ring-fencing applications to prevent high-value assets from being compromised.
- Closing outbound connections to untrusted IPs, permitting only those on an approved “allowlist."
- Developing post-breach security measures to protect critical assets and stop attacks from spreading.
The fightback starts here
No organization can be 100% breach-proof today — attackers are too determined, well resourced and great in numbers for that. But with the right focus on network visibility, policy controls and segmentation, you can build a smarter security architecture more likely to isolate the threat.
Most threat actors are opportunistic, looking for a quick and easy ROI. Take these three steps to disrupt their plans, and you stand a great chance of avoiding serious compromise.
- Go deeper into each step in the ebook, How to Stop Ransomware Attacks
- Learn how Illumio can help: 9 Reasons to Use Illumio to Fight Ransomware