6 Steps Ransomware Attackers Use – and How to Defend Against Them

In my previous post, I looked at the soaring increase in ransomware attacks. Now let’s take a look at how attackers extort money from companies – so you know exactly how to protect your business.

Attackers are looking to make money quickly, so they’ve checked out the Ransomware-as-a-Service sites and picked a distro. They’ve crafted their business model – they’re going to target companies that can pay large sums of money for a single attack. They’ve even calculated ROI, how much the disruption will cost the business, what ransom they can reasonably get the company to pay, and so on. 

So, how can you protect your company against this type of attack?

Here are six steps that you need to prepare for, along with actions you can take to reduce the risks. 

Step 1: Infection. Often attackers send the ransomware strain in an email attachment, with a click-bait subject line – something urgent that needs immediate action. Often attackers use social engineering tactics like claiming to be a friend or relative in need or a compliance officer with an urgent notification. In other cases, the ransomware strain is delivered through “drive-by download” by infecting a seemingly harmless site like a help forum. You need to ensure that all possible entry systems are locked down, and you should educate your employees, contractors, and partners about these types of attacks. They need to know what to look for and how to report any suspicious activity immediately, so your team can investigate.

Step 2: Secure Key Generation. Once the attackers have installed the ransomware distro on the target system, it connects with the server to get a secure key, which is then stored on remote servers. At this point, you may not even be aware that your system has been breached. That’s why it’s critical to have a DR strategy that allows you to pick a point-in-time backup to recover your data.

Step 3: Data Encryption. The ransomware software begins the process of encryption, which locks your system. Attackers want the encryption process to be slow because while the system remains active, they can continue to add more data to the already infected datastore. That, in turn, reduces the chance of you getting a clean recovery. That’s why it’s essential to have a DR solution that can keep your data safe and secure by doing continuous compliance checks, so you can confidently execute failover and failback.

Step 4: Payment Demand. After the encryption is complete, attackers may delay the ransom demand, so more and more data is added to the infected servers – inflicting maximum damage. When they’re ready, the attackers demand payment and make sure they can collect the funds without any risk of getting caught. Many companies don’t discover there’s been a breach for months. That’s why it’s essential to recover from point-in-time snapshots that are hours to years old. Without a fail-proof DR solution, you’ll be in a very difficult position that could cost your company a lot of money, lost revenue, and customer trust.

Step 5: Timer Starts. After the attackers send the ransom demand , they will start a timer – the time limit for the victim to pay or face consequences. You want to have a well-tested DR strategy that keeps you in control of the situation, so you don’t have to react to an attack.

Step 6: Data Decryption. Once the attack is successful, the attackers provide the target with the decryption keys, so they can reclaim their systems, files, and data. The attack is now complete, but the extortion may be just beginning. When victims pay, attackers know they have a target for life. When you use a DR strategy that you test regularly, you won’t be in this position. 

To learn more about how to protect your company from ransomware, check out these resources: