5 Stages of a ransomware attack


Ransomware threats have skyrocketed in 2021. Check Point’s Cyber Attack Trends 2021 Mid Year Report revealed that there were 93% more ransomware attacks in the first half of 2021 than in the same period last year. Just halfway through 2021, SonicWall’s Cyber Threat Report 2021 Mid-Year Update already declared the year as the worst one to date in terms of the number of recorded ransomware attempts. In fact, in June 2021 alone, SonicWall recorded 78.4 million ransomware attempts — more than Q2 2020’s and almost half of 2019’s.

2021 is the worst year for ransomware in terms of the number of recorded attempts.

A great start to building your company’s defenses against ransomware is to learn how an attack unfolds. Understanding each stage of a ransomware attack will help you prevent it from happening and bringing damage to your business.

Stage 1: Delivery

Ransomware can be delivered to IT systems in many ways:

  • Phishing email – Cybercriminals use legitimate-looking emails to trick users into opening a malicious attachment or link.
  • Remote Desktop Protocol (RDP) – Hackers attack exposed ports used for RDP — a communications protocol for accessing systems remotely — to crack the system’s login credentials and log in as an administrator.
  • Drive-by download – A user unwittingly visits an infected website, which leads to the download and installation of ransomware in the background.
  • Pirated software – Attackers repackage a malicious version of unlicensed software, then upload it to torrent websites for unsuspecting users to download and install.
  • Removable media – Cybercriminals inject malicious software into removable devices (e.g., USB flash drives, memory sticks) and wait for unknowing users to connect these to computers.


Stage 2: Staging

Once ransomware has executed its malicious code and embedded itself in the system, it connects to the attacker’s command-and-control (C2) server and awaits instructions. This enables the attacker to send commands to the compromised system.

During this stage, the attacker typically makes various system changes that give them control over the system. Afterward, they may opt to keep the ransomware hidden and dormant for a while, waiting for the perfect moment to launch the attack.

Stage 3: Scanning

Over time, the ransomware moves laterally across the network. It scans the infected local machine, as well as any connected network or local storage, taking stock of all the data that can be encrypted once it is activated. As the ransomware spreads throughout the network, it may also steal credentials and escalate the perpetrators’ privileges.

Stage 4: Encryption

Ransomware holds data hostage by encrypting it, rendering data indecipherable to anyone who does not possess the decryption key. Not only will your files become inaccessible, but critical applications and entire systems may also be disabled.

Some ransomware variants encrypt and delete data backups as well, preventing these from being used for data recovery.
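As an added illustration of how defenders catch this stage (example code written for this article, not Healthy IT's own tooling): a small Python scanner that flags files whose contents show the high byte entropy typical of encrypted output, or that carry a suspicious extension, and raises an alert when a large share of a directory looks encrypted. The entropy threshold, the extension list and the sample files are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

# Threshold values and extensions below are assumptions for this example, not from the article.
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data approaches 8.0
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")  # hypothetical ransomware extensions

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_directory(path: str, sample_bytes: int = 4096) -> list:
    """Flag files that look freshly encrypted: high entropy or a suspicious suffix.
    Only the first sample_bytes of each file are read, keeping the scan cheap."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                head = fh.read(sample_bytes)
            entropy = shannon_entropy(head)
            suffix_hit = name.lower().endswith(SUSPICIOUS_SUFFIXES)
            if entropy >= ENTROPY_THRESHOLD or suffix_hit:
                findings.append({"path": full, "entropy": round(entropy, 2),
                                 "suspicious_suffix": suffix_hit})
    return findings

def encryption_burst(findings: list, total_files: int, ratio: float = 0.5) -> bool:
    """True when at least `ratio` of the scanned files look encrypted: a mass-encryption signal."""
    return total_files > 0 and len(findings) / total_files >= ratio

def demo():
    """Constructed sample tree: two plain-text documents plus two stand-ins for encrypted output."""
    tmp = tempfile.mkdtemp()
    for name, text in (("report.txt", "Quarterly report, nothing unusual here. "),
                       ("notes.txt", "meeting notes ")):
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(text * 100)
    for name in ("report.txt.locked", "budget.xlsx.locked"):  # constructed encrypted files
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(os.urandom(4096))  # random bytes mimic the high entropy of ciphertext
    findings = scan_directory(tmp)
    return findings, encryption_burst(findings, total_files=4)
```

In production this check would run on a schedule or be driven by file-change events, and a triggered alert would feed the incident response process rather than merely print a result.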

Stage 5: Ransom request

In this stage, the attacker demands ransom in exchange for the decryption key. The victim then receives instructions on how to pay the ransom, which is typically via a cryptocurrency (e.g., Bitcoin) transaction. The average ransom demand in the first half of 2021 was $5.3 million, which is a massive jump from the 2020 average of $847,000.

The FBI discourages ransomware victims from paying the ransom since there is no guarantee that data will be restored. What’s more, ransom payment encourages more ransomware attacks. Unfortunately, the number of organizations that paid the ransom has increased to 32% in 2021 from 26% in 2020. Despite paying up, only 8% of these organizations got all their data back and 29% were not able to recover more than half the encrypted data.

Partner with security experts

Keep your data and IT systems safe from ransomware and other cyberthreats by working with Healthy IT. With us at your side, you can be sure that your cybersecurity measures are effective and ready for even the latest threats. We will monitor your systems 24/7 so we can respond to security events right away, keeping your company safe. Schedule a FREE consultation today.