The Ransomware Attack Cycle: What All Businesses Need to Know to Defend Themselves

February 1, 2017

Ransomware is a billion dollar problem.

Even worse? A full 43 percent of attacks hit small to midsized businesses, and often hit them hard. Recent statistics show ransomware attacks costing an average of $8,500 per hour in damages. This includes downtime, lost data, and the cost of the ransom itself. That can mean the end of days for a small business.

Without a proper plan for how to detect and protect against ransomware, small businesses have a hard time fighting back, which is why ransomware has been so successful to date. Emboldened by their success rates, coupled with very little risk, attackers are now scaling their ransomware operations. They’re doing so by automating attacks using exploit kits, which makes it possible to search for vulnerabilities automatically and find their targets without having to lift a finger.

In many cases, we’re not even talking about highly sophisticated actors launching these types of attacks. The skill requirements for ransomware are surprisingly low. Most ransomware operates as a franchise, believe it or not. Someone creates the ransom “product,” provides training on how to execute it, and develops a repeatable model so that anyone with basic coding knowledge can launch an attack and get a cut of the profit.

The barriers to entry drop even lower with exploit kits: malicious toolkits that automatically find security holes and inject malware, including ransomware, onto a device. This makes launching these attacks easier still, and more scalable.

Because of the rise in use of the “Dark web” and cryptocurrency to collect ransom, it’s become increasingly difficult for authorities to track and stop these attackers. But there is a way. It starts with understanding the four steps in the ransomware attack cycle and knowing what you can do to defend yourself at each stage.

Ransomware Attack Cycle & Your Defenses

Look at the below diagram (adapted from a recent talk I did at DataConnectors) to see the four stages of the ransomware attack cycle:

[Diagram: the four stages of the ransomware attack cycle]

Succeeding at each stage is increasingly difficult for attackers, and with the right defenses layered on, it can actually become impossible.

Let’s take a look at each stage in the ransomware attack cycle and what you can do to protect and defend your network.

Stage 1: Targeting

What the attacker does
At this phase, attackers zero in on their victim(s) and decide on their method of attack, such as phishing or malvertising. They will send realistic-looking e-mails to your staff, buy an ad on a highly trafficked public site, or upload an exploit kit to a vulnerable WordPress site. Their goal in this phase is to get your staff to take an action for them so they can start to do their dirty deeds.

What defenders (you) can do
The best way to protect your business at this stage is by being aware of these types of attacks and educating your employees about malware, including ransomware.

Conduct regular security training organization-wide to explain the dangers of ransomware and phishing, what these attacks look like, and how employees can report potential threats. With a process in place, you enable employees to become front-line defenders, an important layer of protection many companies overlook.

Because human error and oversight can and will happen, though, ensure that your e-mail provider performs phishing and spam filtering, and run an automated malware protection solution that watches for intrusions from all sources.

Stage 2: Distribution

What the attacker does
Next, the attacker will attempt to get the malware onto your machine(s). When users open that phishing e-mail, the action they take fetches and runs malware on their system. Clickless threats, a new technique that’s emerging, do not require users to do anything in order for the malware to install itself.

What defenders (you) can do
Despite sophisticated new methods, there are still ways businesses can effectively protect themselves.

First, it’s critical to patch vulnerabilities. This means keeping applications and operating systems up-to-date, and even automating these updates if possible so they are not forgotten. This is only basic hygiene.

Web filtering such as Strongarm interrupts this step: employees never reach those sites, so the malicious code never lands on your machines.

Stage 3: Encryption

What the attacker does
Once ransomware is on your machine, its goal is to encrypt your files and hold your data and systems hostage until you pay up.

What defenders (you) can do
Malware protection is paramount at this step. Once the ransomware makes it this far, you’re living in the danger zone. This is your last chance to protect yourself. If the malware is successful at this point, you’re going into expensive recovery mode.

Strongarm stops ransomware when it tries to fetch its keys from the attacker. By doing this, we can disarm the ransomware and prevent it from completing its final step.
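Both the distribution stage (a user's machine resolving the site that serves the malware) and the encryption stage (the ransomware resolving the attacker's server to fetch its key) depend on an outbound name lookup that a policy-enforcing resolver can refuse to answer. The following is an added illustration of that idea, not Strongarm's code or a description of how its product works; the blocklist entries, the query-log format, the client addresses and the sinkhole address are all constructed for the example.

```python
"""Added example: a minimal DNS-policy filter that sinkholes blocklisted
domains and records which internal hosts asked for them.

Everything here (blocklist, log format, addresses) is constructed for the
example; it is not Strongarm's code.
"""
from dataclasses import dataclass
from typing import Optional

SINKHOLE_IP = "10.0.0.1"   # assumed: an internal host that only logs connections


@dataclass
class Verdict:
    qname: str
    client: str
    allowed: bool
    matched: Optional[str]   # blocklist entry that caused the block, if any
    answer: Optional[str]    # what the client is told; sinkhole IP when blocked


class DomainFilter:
    def __init__(self, blocklist):
        # Normalise entries (lowercase, no trailing dot) so matching is label-exact.
        self.blocked = {self._norm(d) for d in blocklist}
        self.hits = []   # (client, qname, matched) kept for incident review

    @staticmethod
    def _norm(name):
        return name.strip().lower().rstrip(".")

    def _match(self, name):
        # Walk from the full name up to the root so that sub.bad.example is
        # caught by an entry for bad.example, while a naive suffix test that
        # would also block notbad.example is avoided (labels are compared whole).
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def lookup(self, client, qname, resolved_ip):
        """Return a Verdict; `resolved_ip` stands in for the upstream answer."""
        name = self._norm(qname)
        matched = self._match(name)
        if matched is None:
            return Verdict(name, client, True, None, resolved_ip)
        self.hits.append((client, name, matched))
        return Verdict(name, client, False, matched, SINKHOLE_IP)

    def infected_hosts(self):
        """Clients that hit the blocklist, each with the domains they asked for."""
        out = {}
        for client, name, _ in self.hits:
            out.setdefault(client, set()).add(name)
        return out


def process_log(filter_, log_text):
    """Parse constructed 'client qname upstream_answer' lines into verdicts."""
    verdicts = []
    for line in log_text.strip().splitlines():
        client, qname, answer = line.split()
        verdicts.append(filter_.lookup(client, qname, answer))
    return verdicts


# Constructed blocklist and query log for the example.
BLOCKLIST = ["malvertising-cdn.example", "keyserver.badactor.example"]
LOG = """\
192.168.1.20 www.news.example 203.0.113.5
192.168.1.20 ads.malvertising-cdn.example 203.0.113.9
192.168.1.20 keyserver.badactor.example 198.51.100.7
192.168.1.31 notkeyserver.badactor.example. 198.51.100.8
192.168.1.31 www.news.example 203.0.113.5
"""

if __name__ == "__main__":
    f = DomainFilter(BLOCKLIST)
    for v in process_log(f, LOG):
        print("allow" if v.allowed else "BLOCK", v.client, v.qname, "->", v.answer)
    print("hosts to isolate:", f.infected_hosts())
```

The second and third log lines are the two stages in miniature: the first is a lookup for an ad network serving an exploit kit, the second a callback for a key, and both receive the sinkhole address instead of the real one. The `infected_hosts` list is the part a responder wants, since a blocked key fetch means the malware is already running on that machine. One caveat: this only helps against families that must contact infrastructure before encrypting; a sample that carries or generates its key locally never makes the lookup, which is why the page pairs this control with backups.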

Stage 4: Recovery

What the attacker does
The attacker has you cornered. They already have your data and are demanding you pay a ransom in exchange for getting your business back online.

What defenders (you) can do

If you don’t have malware protection and the attacker does get to this point, you have two options: pay up, or refuse to pay and instead restore from a backup (if you have one).

While many sources recommend just paying up, we actually recommend against this, because it’s what keeps these criminal operations in business. Not only that, but knowing that a victim is willing to pay makes them a more attractive target in the future. Attackers will often take it so far as demanding a second ransom before returning your files because they know most businesses will do it—or they’ll hit you again a month later. What’s to stop you from paying a second time?

To counter this, we encourage people to take a more proactive approach by outlining their incident response plan in advance. This should include both frequent, redundant backups and an automated malware protection solution like Strongarm. This way, if and when an attack does come in, there is little more you need to do to eradicate it from your network and get back to business as usual.
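The "frequent, redundant backups" in the plan above only count if a restore has been rehearsed before the incident. The script below is an added example, not Strongarm's code, of the minimum that rehearsal needs: each snapshot gets its own directory and a SHA-256 manifest, a snapshot is verified before it is trusted, and the restore goes into an empty directory rather than over the damaged working copy. The file names, contents and the `run_drill` scenario (the newest snapshot was reachable from the host and got damaged too, so the restore falls back to the older one) are constructed for the demonstration.

```python
"""Added example (not Strongarm's code): versioned backups with an
integrity manifest, plus a restore drill on constructed files."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_path(snap):
    # Kept beside the snapshot directory so it can never collide with a backed-up file.
    return snap.with_name(snap.name + ".manifest.json")


def snapshot(src, backup_root):
    """Copy src into a new numbered snapshot directory and write its manifest."""
    backup_root.mkdir(parents=True, exist_ok=True)
    existing = [p for p in backup_root.iterdir() if p.is_dir()]
    snap = backup_root / f"snap-{len(existing):04d}"
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src)
        dest = snap / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest)
        manifest[rel.as_posix()] = _sha256(dest)   # hash the copy, not the source
    _manifest_path(snap).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return snap


def verify(snap):
    """Relative paths in the snapshot whose content no longer matches the manifest."""
    manifest = json.loads(_manifest_path(snap).read_text())
    bad = []
    for rel, digest in manifest.items():
        p = snap / rel
        if not p.is_file() or _sha256(p) != digest:
            bad.append(rel)
    return bad


def latest_good_snapshot(backup_root):
    """Newest snapshot that passes verification, or None if all are damaged."""
    snaps = sorted((p for p in backup_root.iterdir() if p.is_dir()), reverse=True)
    for snap in snaps:
        if not verify(snap):
            return snap
    return None


def restore(snap, dest):
    """Restore a verified snapshot into an empty dest; return the file count."""
    bad = verify(snap)
    if bad:
        raise RuntimeError(f"{snap.name} failed verification: {bad}")
    dest.mkdir(parents=True, exist_ok=True)
    if any(dest.iterdir()):
        raise RuntimeError("restore target must be empty; never restore over damaged data")
    manifest = json.loads(_manifest_path(snap).read_text())
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snap / rel, target)
    return len(manifest)


def run_drill(base=None):
    """Snapshot -> legitimate edit -> snapshot -> loss -> restore, on constructed files.
    Returns plain values so the outcome can be checked."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="restore-drill-"))
    src, root, dest = base / "work", base / "backups", base / "restored"
    src.mkdir(parents=True)
    (src / "ledger.csv").write_text("2017-01-31,invoice,1200\n")
    (src / "docs").mkdir()
    (src / "docs" / "plan.txt").write_text("incident response plan v1\n")
    first = snapshot(src, root)
    (src / "docs" / "plan.txt").write_text("incident response plan v2\n")
    second = snapshot(src, root)
    # Simulated loss: the working copy is overwritten with unreadable bytes, and
    # the newest snapshot was reachable from the same host, so it was hit as well.
    for f in (src / "ledger.csv", second / "ledger.csv"):
        f.write_bytes(os.urandom(32))
    good = latest_good_snapshot(root)
    return {
        "snapshots": [first.name, second.name],
        "damaged_in_newest": verify(second),
        "restored_from": good.name,
        "restored_files": restore(good, dest),
        "ledger": (dest / "ledger.csv").read_text(),
        "plan": (dest / "docs" / "plan.txt").read_text(),
    }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=1))
```

The drill's outcome is the point of rehearsing: the newest snapshot fails verification, so the restore comes from the older one and the v2 edit to plan.txt is lost. That is the gap between two snapshots, and it is what the backup interval should be chosen against. Keeping the manifest and at least one copy somewhere the host cannot write to (offline media or a separate account) is what makes "redundant" meaningful, since anything the infected machine can reach, the ransomware can reach too.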

Your Ransomware Protection Plan

While it becomes increasingly difficult (and expensive) for attackers to get past each stage in the attack cycle, it also gets more expensive for your business to respond the further along they get. That’s why we encourage you to implement detection and protection at every step. By taking a proactive stance against ransomware, both through employee education and through automated tools and processes, you can be better prepared against malware and save your money for building your business, not that of your adversaries.

Ready to protect your business against ransomware?