Defending Against the 4 Stages of a Ransomware Attack (Industry Perspective)

Each stage of the ransomware cycle gets harder — and more expensive — to resolve. Here's how to stop an attack before it gets out of hand.

by Todd O’Boyle, CTO, Strongarm / July 27, 2017

Cybersecurity threats, like ransomware, are a growing concern for the government sector. While the recent Petya ransomware attack hasn’t impacted the U.S., there are plenty of reports of ransomware attacks against police departments across the U.S. and local government municipalities.

Ransomware is a cybersecurity threat in which the attacker encrypts a victim's data, holds it hostage, and unlocks it only if the victim pays a hefty fee. Let's take a look at each stage in the ransomware attack cycle and what you can do to protect and defend your network.

Stage 1: Targeting

At this phase, attackers zero in on their victim(s) and decide on their method of attack. They will send realistic-looking phishing emails to your staff disguised as legitimate messages, buy an ad on a highly trafficked public site (this is called malvertising) or upload an exploit kit to a vulnerable WordPress site. Their goal is to get your staff to click on a link for them so they can start to do their dirty deeds.

The best way to protect your organization at this stage is by being aware of these types of attacks and educating your users about phishing and malware, including ransomware.

Conduct regular security training organization-wide to explain the dangers of ransomware and phishing, what these attacks look like, and how employees can report potential threats. With a reporting process in place, you enable employees to become front-line defenders, an important layer of protection many organizations overlook.

Because human error and oversight can and will happen, you should also ensure that your email provider performs phishing and spam filtering, along with having a malware protection solution that can automatically be on the lookout for intrusions from all sources.

Stage 2: Distribution

Next, the attacker will attempt to get the malware onto your machine(s). When users open a phishing email and follow its link or attachment, that action runs malware on their system. Clickless threats, an emerging technique, do not require the user to do anything for the malware to install itself.

Despite sophisticated new methods, there are still ways organizations can effectively protect themselves.

First, it's critical to patch software vulnerabilities. This means keeping applications and operating systems up to date, and even automating these updates where possible so they are not forgotten. This is basic information security hygiene.

Next, by using Web filtering, your organization can interrupt this distribution phase so employees never visit those malicious sites and the malicious code never lands on their machines.
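The web-filtering decision described above, as an added example that is not part of the original article or Strongarm's product: it parses constructed proxy log lines, extracts the hostname from each URL, and blocks any request whose host (or a parent domain of it) is on a blocklist. The blocklist entries, log lines and hostnames are all constructed placeholders.

```python
"""Web-filter decision logic run over constructed proxy log lines.

Added example, not Strongarm's code. The blocklist entries and the log lines
below are constructed for illustration; hostnames are placeholders.
"""
from urllib.parse import urlsplit

# Constructed blocklist of domains that serve exploit kits or malvertising.
# A real deployment would load these from a threat-intelligence feed.
BLOCKLIST = {
    "exploit-kit.example",
    "ads.malvertising.example",
}

# Constructed proxy log lines: "<client_ip> <http_method> <url>"
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://intranet.example/portal
10.0.0.12 GET http://cdn.exploit-kit.example/landing.php?id=7
10.0.0.33 GET https://ads.malvertising.example/creative.js
10.0.0.33 GET https://news.example/story
10.0.0.40 GET http://EXPLOIT-KIT.EXAMPLE:8080/
"""


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL (port and path stripped)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True if host or any parent domain is on the blocklist.

    cdn.exploit-kit.example matches the entry exploit-kit.example, so a
    blocked domain cannot be evaded simply by adding a subdomain.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def filter_log(log_text: str):
    """Return (allowed, blocked) lists of (client_ip, url) from proxy log lines."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(maxsplit=2)
        (blocked if is_blocked(host_of(url)) else allowed).append((client, url))
    return allowed, blocked


if __name__ == "__main__":
    ok, bad = filter_log(SAMPLE_PROXY_LOG)
    for client, url in bad:
        print(f"BLOCK {client} -> {url}")
    print(f"{len(ok)} allowed, {len(bad)} blocked")
```

Matching on parent domains and normalizing case and ports are the details that make a blocklist hold up in practice; the same check applies whether it runs at a DNS resolver, a proxy, or an endpoint agent.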

Stage 3: Encryption

Once ransomware is on a user’s machine, its goal is to encrypt the files and hold the data and systems hostage until you pay up.

Malware protection, such as antivirus software, is paramount at this step. Once the ransomware makes it this far, you’re living in the danger zone. This is your last chance to protect yourself by disarming the ransomware and preventing it from completing its final step. If the malware is successful at this point, you’re going into expensive recovery mode.
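One way a malware-protection tool can spot the encryption stage before it completes, as an added example that is not Strongarm's product logic or code from the article: score each process on two behaviours ransomware produces while encrypting, a burst of high-entropy file writes (ciphertext looks random, ordinary documents do not) and renaming many files to one unfamiliar extension. The file events, process IDs, paths and thresholds are constructed for illustration.

```python
"""Behavioural heuristic for the encryption stage, run over constructed file events.

Added example, not Strongarm's code. Scores a process by two signals that
ransomware typically produces while encrypting: high-entropy writes and a
burst of renames to one new extension. Thresholds are illustrative.
"""
import math
import os
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0. Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed events: (pid, old_path, new_path, bytes_written)
_text = b"Quarterly budget figures for the parks department.\n" * 20
_random = bytes(range(256)) * 4  # stands in for ciphertext: every byte value equally likely
SAMPLE_EVENTS = [
    (1001, "/share/finance/budget.xlsx", "/share/finance/budget.xlsx.locked", _random),
    (1001, "/share/finance/payroll.csv", "/share/finance/payroll.csv.locked", _random),
    (1001, "/share/hr/roster.docx", "/share/hr/roster.docx.locked", _random),
    (1001, "/share/hr/policy.pdf", "/share/hr/policy.pdf.locked", _random),
    (1001, "/share/hr/notes.txt", "/share/hr/notes.txt.locked", _random),
    (2002, "/share/finance/report.txt", "/share/finance/report.txt", _text),
    (2002, "/share/finance/report_v2.txt", "/share/finance/report_v2.txt", _text),
]

ENTROPY_THRESHOLD = 7.0  # bits/byte; typical office documents sit well below this
BURST_THRESHOLD = 5      # high-entropy writes by one process before we alert


def score_processes(events, entropy_threshold=ENTROPY_THRESHOLD,
                    burst_threshold=BURST_THRESHOLD):
    """Return {pid: reason} for processes whose file activity looks like encryption.

    The entropy burst alone triggers an alert, so in-place encryption without a
    rename is still caught; a rename to one new extension is added as context.
    """
    high_entropy = Counter()
    new_ext = defaultdict(Counter)
    for pid, old, new, data in events:
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy[pid] += 1
        old_ext, renamed_ext = os.path.splitext(old)[1], os.path.splitext(new)[1]
        if old_ext != renamed_ext:
            new_ext[pid][renamed_ext] += 1

    alerts = {}
    for pid in set(high_entropy) | set(new_ext):
        writes = high_entropy[pid]
        if writes < burst_threshold:
            continue
        reason = f"{writes} high-entropy writes"
        if new_ext[pid]:
            ext, n = new_ext[pid].most_common(1)[0]
            reason += f", {n} files renamed to {ext}"
        alerts[pid] = reason
    return alerts


if __name__ == "__main__":
    for pid, reason in score_processes(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {reason}")
```

The response to an alert is the part that buys time: suspend the flagged process and isolate the host, then investigate. Tuning matters, since legitimate backup and archiving jobs also write high-entropy data, so those processes should be allow-listed by path or signature rather than by lowering the threshold.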

Stage 4: Recovery

The attacker has you cornered. They already have your data and are demanding you pay a ransom in exchange for getting your organization back online. If the attacker does get to this point, you have two options: pay up or refuse to pay and instead restore from a backup (if you have one).

While many sources recommend just paying up, we actually recommend against this, because it’s what keeps these criminal operations in business. Not only that, but knowing that a victim is willing to pay up makes them a more attractive target in the future. Attackers will often take it so far as demanding a second ransom before returning your files because they know most organizations will do it — or they’ll hit you again a month later. What’s to stop you paying up a second time?

To counter this, we encourage people to take a more proactive approach by developing a comprehensive incident response plan in advance of a ransomware attack. Three steps to prepare for a ransomware attack: identify the files and systems critical to your organization, back these files up every day, and test the restore process at least once a month. When investing in malware protection, make sure you investigate how the solution neutralizes threats like ransomware, whether employee devices are locked down and how much time you need to spend on cleaning up any infections.
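The three preparation steps above (identify critical files, back them up daily, test the restore monthly) carried through as an added example that is not part of the article or Strongarm's tooling: the backup writes a SHA-256 manifest of the originals, and the restore test copies every file into a clean directory and verifies it against that manifest, so a backup that has been corrupted or encrypted is noticed on the drill rather than on the day you need it. The file names and contents are constructed in a temporary directory so the script runs offline.

```python
"""Daily backup with a hash manifest, plus a restore test that verifies it.

Added example, not Strongarm's code. File names and contents are constructed
placeholders created in a temporary directory.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(critical_files, backup_dir):
    """Copy each critical file into backup_dir and record the hash of the ORIGINAL."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for src in critical_files:
        name = os.path.basename(src)
        shutil.copy2(src, os.path.join(backup_dir, name))
        manifest[name] = sha256_file(src)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_restore(backup_dir, restore_dir):
    """Restore into a clean directory and check every file against the manifest.

    Returns the names that failed (missing or hash mismatch); an empty list
    means the backup is usable.
    """
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    os.makedirs(restore_dir, exist_ok=True)
    failures = []
    for name, expected in manifest.items():
        src = os.path.join(backup_dir, name)
        dst = os.path.join(restore_dir, name)
        if not os.path.exists(src):
            failures.append(name)
            continue
        shutil.copy2(src, dst)
        if sha256_file(dst) != expected:
            failures.append(name)
    return failures


def restore_drill():
    """Create constructed critical files, back them up, prove a clean restore works,
    then corrupt one backup copy and show the monthly test catches it.
    Returns (failures_before_corruption, failures_after_corruption)."""
    root = tempfile.mkdtemp(prefix="ransomware-drill-")
    try:
        live = os.path.join(root, "live")
        os.makedirs(live)
        files = []
        for name, body in [("permits.db", b"permit records"), ("payroll.csv", b"id,name,pay\n")]:
            path = os.path.join(live, name)
            with open(path, "wb") as f:
                f.write(body)
            files.append(path)

        backup_dir = os.path.join(root, "backup")
        backup(files, backup_dir)
        clean = verify_restore(backup_dir, os.path.join(root, "restore1"))

        # Simulate a backup copy that was overwritten after it was taken.
        with open(os.path.join(backup_dir, "payroll.csv"), "wb") as f:
            f.write(b"overwritten after the backup was taken")
        tampered = verify_restore(backup_dir, os.path.join(root, "restore2"))
        return clean, tampered
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = restore_drill()
    print("clean backup failures:", before)
    print("tampered backup failures:", after)
```

A manifest only proves the copy matches what was backed up; it does not protect the copy. Keep at least one backup generation offline or on storage the infected host cannot write to, since ransomware that can reach the backup share will encrypt it along with everything else.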

Your Ransomware Protection Plan

While it becomes increasingly difficult (and expensive) for attackers to get past each stage in the ransomware attack cycle, it also gets more expensive for your agency to respond the further along the attacker gets. That’s why we encourage you to implement detection and protection at every step, particularly in the public sector, where funds are often limited. By taking a proactive stance against ransomware, both through employee education and automated tools and processes, you can be better prepared against these ever-present cybersecurity threats.

Todd O’Boyle is the CTO and co-founder of Strongarm. Prior to Strongarm, Todd spent 15 years at The MITRE Corporation, providing technical support to the U.S. Department of Defense and the Intelligence Community. He also served as principal investigator for a project developing methods to improve how operators respond to adversaries. He can be reached at todd@strongarm.io.