Ransomware continues to be a significant threat to organizations of all sizes. Victims of an attack are denied access to their data. Many times, files are encrypted, and a ransom is demanded to restore access. If hit, the best-case scenario is that you have clean backups to restore your systems and can avoid paying the ransom. However, downtime is often more detrimental than ransom costs. Recovery is expensive, and there is a significant cost in system downtime, emergency response, and reputation damage.
Ransomware continues to evolve, and more sophisticated variants are being introduced all the time, offering better encryption and new features. Detecting a ransomware attack before encryption begins is difficult. However, if you know what to look for, it is possible to identify an infection before encryption even starts.
Stages of a Ransomware Attack
In order to understand what to look for, we must first understand the stages of typical ransomware attack.
Stage 1: Campaign
There are a variety of delivery channels for ransomware, but a phishing email is the most popular. Say you receive an email from an online retailer, stating that you were overcharged and are due a refund. You absentmindedly click the link, without noticing that the URL is a little off or the typos the message contains, and BAM! The ransomware attack in underway.
Stage 2: Infection
In this stage the malicious code is downloaded and code execution begins. At this point your system has been infected with ransomware, however none of your files are encrypted yet. Encryption is a reversible mathematical calculation that is a rather high CPU intensive task. In a typical ransomware attack, It doesn’t occur immediately because it takes time for the malware to determine the scope of data to encrypt.
It's important to note that at this point, all your automated detection controls have failed. Your firewall, proxy, antivirus solution, and intrusion detection system have all allowed the traffic.
Stage 3: Staging
At this stage the malicious code ensures connectivity with its command and control (C2) server. A C2 server is controlled by the attacker and is typically used to send commands to the compromised system. However, with ransomware, the primary C2 communications is to obtain the encryption key. At this point, various systems changes are made, and persistence is established. The attacker now “owns” the system.
Stage 4: Scanning
Here is when things start to slow down a little bit. First the malware scans your local computer to find files to encrypt. This can take seconds to minutes. It also scans for data stored in the cloud, which is synced via folders and appears as local data. Then it looks for file shares. This can take hours depending on how many shares you have on your network. The goal is to investigate what data is available and determine which level of permissions the compromised user has (e.g., list, write, delete).
Stage 5: Encryption
Once all data is inventoried, encryption begins. Local file encryption can occur in minutes; however, network file encryption can take many hours. This is because in most ransomware attacks, data on network file shares are copied down and encrypted locally. Then the encrypted files must be uploaded and the original files deleted. This process gives you some time. Say you've got a 25 GB file share. It's going to take the local computer a while to encrypt that data and then push it back up.
State 6: Pay Day
Once you’ve reached this stage, your data is gone, and the attacker is demanding payment. And you are now in recovery mode.
Detecting a Ransomware Infection
The number of successful ransomware attacks continues to grow, and it’s time to take a proactive stance to detect them. Automated systems just don’t work because it’s easy for hackers to create unique code that gets through undetected. You can’t sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network.
Threat hunting is a proven methodology for identifying ransomware, so the threat can be contained before encryption begins. A threat hunter analyzes network traffic and endpoint activity looking for indicators of compromise. In the case of most malware, including ransomware, a persistence mechanism is the best clue.
To be successful, all malware must persist. Hackers need their malware to survive a reboot, so they can remain in control. As we noted earlier, during a ransomware attack, persistence is established relatively early in the attack timeline. In most cases, this give you time to detect the infection, and stop it before any damage is done.
Using threat hunting techniques, analysts can find and analyze all unique or suspicious persistence mechanisms on a device.