
Ransomware 101: The Anatomy of the Most Feared Cyber Attack

By Content Team on May 21, 2024

Fluctuations in fuel prices are a constant worry for Brazilians, since a rise in fuel costs feeds through into the price of almost every product and service. Now imagine waking up to the news that nearly half of a region's fuel supply could literally disappear from the market.

That is what frightened American consumers in May 2021, when the Colonial Pipeline Company, operator of a major pipeline system running from Texas to New Jersey that carries roughly 45% of the fuel consumed on the US East Coast, fell victim to a ransomware attack and shut the pipeline down, disrupting fuel supplies.

Dangerous and highly profitable for its perpetrators, ransomware is one of the fastest-growing categories of cybercrime; Cybersecurity Ventures projects that its global cost could reach $265 billion a year by 2031.

The consequences of this digital hostage-taking are alarming for business security. It is crucial to understand the stages, methods, and objectives of these attacks, and the tactics that can be used to mitigate the threat. Let's dive into each of these aspects.

 

Step-by-Step of a Ransomware Attack

Discussing ransomware means talking about malware, the broad term for any program written to harm or abuse a user or system, whether by stealing data, taking control of the machine, or destroying what is on it. Malware comes in many forms, each with a different strategy:

  • Trojans: Malicious programs that disguise themselves as legitimate software or apps. Once run, they infiltrate computers and mobile devices to steal information, enlist the device in a botnet, or spy on user activity.
  • Worms: Among the oldest types of malware, built to spread on their own, infecting as many machines as possible across a network. They may drop other malicious programs along the way or simply overload networks with the traffic they generate.
  • Adware: The malware behind intrusive, persistent ads; it collects personal data from users to target those ads and generate revenue for its operators.

Ransomware is the category of malware that holds digital data hostage and demands payment, usually in cryptocurrency, for its release. The digital hostage-taker operates in one of two ways:

  • Crypto-ransomware encrypts the data, making it unreadable to its legitimate users
  • Locker ransomware blocks the user's access to the system itself, without necessarily touching the files

However, a ransomware attack involves far more than the moment of encryption or lockout. It unfolds over several execution stages, which is what makes it so dangerous and so deserving of attention.

 

Target Reconnaissance

Cybercrime combines strategy, intelligence, and tooling (the malware itself). The first stage of a ransomware operation is target reconnaissance: researching the company, its revenue, sector, website, and market value. This information guides the criminal's choice of approach and the ransom amount they will later demand.

During this stage, attackers gather information about the target from sources that are largely public, such as social media profiles and IP address and domain records, and, notably, from the history of previously leaked credentials.

In 2021 alone, some 43.3 million leaked credentials were recorded worldwide.

 

What Can a Cybercriminal Do with a Corporate Credential?

Privileged administrative credentials grant a high level of access: the holder can change system configuration, alter or create administrative accounts, install programs, and so on. In short, whoever holds the system administrator's credentials can modify or replace the system's functionality at will.

It follows that when cybercriminals obtain privileged administrative credentials, their chances of success rise sharply, especially in a ransomware attack, because the initial access already carries the power needed to deploy the payload widely.

The more information collected, the more precise the following stages will be. Attackers therefore compile a dossier on the target company's employees, suppliers, and connected third parties.

This reconnaissance and information gathering guide the planning of the attack, mapping out the best path through the subsequent stages.

 

Planning

Once reconnaissance is complete, it is time to plan how the collected information will be used to gain access to the target. This stage typically involves crafting convincing fake emails whose details are tailored to the victim, so that the victim performs the action the attack needs (opening an attachment, clicking a link, entering a password).

If the attacker already holds corporate credentials, the campaign can be even more targeted: messages can be sent from, or made to look as if they come from, a trusted internal account, alongside fake pages built for the specific victim.

The criminal may also use fake pages identical to a supplier's or bank's page, capturing more of the victim's information, such as username and password, and offering a malware-infected file for download.

The goal is to plan the most reliable way to reach the target and deliver the malicious payload.

 

Payload Delivery

This is where the attack is executed. Like any malware, ransomware has to run on a machine inside the target environment before it can spread. As noted in the planning stage, delivery can take many channels: phishing emails, stolen or leaked credentials used against exposed remote-access services such as RDP or VPN portals, and unpatched vulnerabilities in internet-facing systems.

The most common channel is still the phishing email, carrying a malicious attachment or a link to a malicious download that gives the attacker a foothold on the victim's system. Because the attacker already knows the target, they can write a convincing message and tailor the payload to the environment they expect to find, with the aim of gaining control and escalating privileges.
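The planning and delivery stages above both rely on links that look legitimate but lead elsewhere. The following script, added here as an example rather than code from the original article, runs three checks a practitioner would apply to a suspicious message: a trusted brand name used as a subdomain of an unrelated domain, link text that shows a different domain than the real destination, and a typosquatted domain within a small edit distance of a trusted one. The trusted-domain list and the HTML email body are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains the organisation legitimately deals with (assumed allowlist for this example).
TRUSTED_DOMAINS = {"example-bank.com", "supplier-example.com"}

# Constructed HTML e-mail body standing in for a captured phishing message.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is overdue. Review it here:</p>
<a href="https://example-bank.com.invoice-review.net/login">https://example-bank.com/login</a>
<p>Or download the statement: <a href="http://suppl1er-example.com/statement.zip">statement.pdf</a></p>
<p>Legitimate link: <a href="https://example-bank.com/help">help centre</a></p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Crude approximation: last two labels. Production code should use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href, text):
    """Return a list of reasons this link looks deceptive (empty list = nothing found)."""
    findings = []
    href_host = urlparse(href).hostname or ""
    href_dom = registrable_domain(href_host)

    # 1. A trusted name appears as a subdomain of some unrelated registrable domain.
    for trusted in TRUSTED_DOMAINS:
        if href_host.startswith(trusted + ".") and href_dom != trusted:
            findings.append(f"trusted name used as subdomain of {href_dom}")

    # 2. The visible text is itself a URL on a different domain than the real destination.
    m = re.match(r"https?://([^/\s]+)", text.strip())
    if m and registrable_domain(m.group(1)) != href_dom:
        findings.append(f"display text shows {registrable_domain(m.group(1))} but href goes to {href_dom}")

    # 3. Typosquat: close to a trusted domain but not identical (e.g. 1 for l).
    for trusted in TRUSTED_DOMAINS:
        d = levenshtein(href_dom, trusted)
        if 0 < d <= 2:
            findings.append(f"{href_dom} is within edit distance {d} of {trusted}")
    return findings


def analyse_email(html):
    """Map each suspicious href in the message to the reasons it was flagged."""
    report = {}
    for href, text in LINK_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text)
        findings = analyse_link(href, visible)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for r in reasons:
            print("  -", r)
```

The third link in the sample is genuinely on a trusted domain and produces no findings, which is the point of check 1: it is the registrable domain, not the leftmost label, that identifies the site.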

 

Lateral Movement

Once the payload is running, the attacker escalates privileges and begins to gain ground. Through lateral movement they locate and access the files they intend to exfiltrate and encrypt, scanning the network, enumerating devices, and identifying the most valuable assets such as file servers, backup systems, and domain controllers.

Lateral movement means compromising more devices, raising privileges on each, and ultimately obtaining domain or local administrator credentials. With that reach established, the attacker can proceed to the final stages of the attack.

 

Installing a Backdoor

With privileged access to the victim's environment, the attacker installs a backdoor that preserves access to the network even if the original entry point is discovered and closed. Typical steps are creating additional administrator accounts and relaxing or disabling firewall rules so that remote desktop (RDP) connections to other servers and systems on the network remain possible.
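The account-creation, firewall-tampering and RDP activity described above leaves traces in the Windows Security log: event 4720 (user account created), 4732 (member added to a local group), 4688 (process creation, with the command line when that auditing is enabled) and 4624 with logon type 10 (RemoteInteractive, i.e. RDP). The detection logic below is added here as an example and is not code from the original article; it correlates those events over constructed sample records that have already been parsed into dictionaries, using field names taken from the standard event schema but simplified to one level.

```python
from datetime import datetime, timedelta

# How long after an account is created we still treat an RDP logon by it as suspicious.
WINDOW = timedelta(hours=24)

# Command-line fragments typical of defence tampering before encryption.
SUSPICIOUS_CMD = (
    "netsh advfirewall",
    "set-netfirewallrule",
    "new-netfirewallrule",
    "vssadmin delete shadows",
    "wbadmin delete catalog",
)

# Constructed Security-log records standing in for real events (not captured from a real incident).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-20T08:02:11", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4720, "Time": "2024-05-20T22:14:03", "SubjectUserName": "alice", "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "Time": "2024-05-20T22:14:09", "SubjectUserName": "alice",
     "TargetUserName": "Administrators", "MemberName": "svc_backup2"},
    {"EventID": 4688, "Time": "2024-05-20T22:15:40", "SubjectUserName": "alice",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"EventID": 4624, "Time": "2024-05-20T22:31:57", "TargetUserName": "svc_backup2", "LogonType": 10,
     "IpAddress": "10.20.30.40"},
    {"EventID": 4624, "Time": "2024-05-21T09:00:00", "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.0.5"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def correlate(events):
    """Return alerts for (a) defence tampering and (b) a freshly created admin account logging in over RDP."""
    created = {}      # account -> (creation time, who created it)
    admin_added = {}  # account -> time it joined Administrators
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = parse_time(ev["Time"])
        eid = ev["EventID"]
        if eid == 4720:
            created[ev["TargetUserName"].lower()] = (t, ev["SubjectUserName"])
        elif eid == 4732 and ev["TargetUserName"].lower() == "administrators":
            admin_added[ev["MemberName"].lower()] = t
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            if any(s in cmd.lower() for s in SUSPICIOUS_CMD):
                alerts.append({"rule": "defense_tampering", "user": ev["SubjectUserName"], "command": cmd})
        elif eid == 4624 and int(ev["LogonType"]) == 10:
            user = ev["TargetUserName"].lower()
            if user in created and user in admin_added and t - created[user][0] <= WINDOW:
                alerts.append({
                    "rule": "new_admin_rdp_logon",
                    "user": user,
                    "created_by": created[user][1],
                    "source_ip": ev["IpAddress"],
                    "minutes_since_creation": round((t - created[user][0]).total_seconds() / 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the logic raises two alerts: the `netsh advfirewall` command that re-enables the Remote Desktop rule group, and the RDP logon by `svc_backup2` about 18 minutes after `alice` created it and added it to Administrators. The ordinary RDP logon by `bob`, an account with no recent creation event, is not flagged, which is what keeps a rule like this from drowning in routine administration.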

 

Command and Control

Through the command-and-control (C2) channel the attacker drives the compromised machines remotely. In practice this channel is usually set up as soon as the payload first runs, and it is what the attacker uses to steer the lateral movement described above; by this point, however, their control is effectively complete. They can impersonate any user on the network, send email as the CEO to every employee, and lock IT staff out of the very systems they need to respond.

 

Data Exfiltration

Data exfiltration is a more recent addition to the ransomware playbook, often called double extortion. Earlier campaigns simply encrypted systems and network shares. As companies improved their backups and recovery, cybercriminals added a second lever to keep the attacks profitable.

That lever is exfiltration (or extrusion) of data: copying confidential information out of the network before encryption. If the ransom is not paid, the attackers publish the data on leak sites or auction it on dark web forums.

In 2020, criminals using the REvil ransomware stole databases from Canadian agricultural companies and auctioned the information on the dark web.

 

Data and Environment Encryption

Finally, we reach the stage where the attacker encrypts the victim's data. Two kinds of encryption are involved:

  • Symmetric encryption: a single key both encrypts and decrypts the data. It is fast, which is why it is used on the file contents themselves.
  • Asymmetric encryption: a public key encrypts and only the matching private key decrypts. Modern ransomware generates a fresh symmetric key per file or per victim, encrypts the data with it, and then encrypts that key with the attacker's public key, so the only thing that can recover the data is the private key the attacker holds.

The objective is to render as much of the company's data as possible unusable. To stop the victim from simply restoring, the malware also deletes the backups it can reach, including Volume Shadow Copies and recovery points, and makes sure that data replicated across multiple servers, devices, or locations is encrypted in every copy. Once this stage is complete, the attacker can demand the ransom payment.
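Because encrypted output is statistically indistinguishable from random bytes, the encryption stage has a measurable signature: files whose byte entropy jumps towards 8 bits per byte, new extensions appended to existing names, and a ransom note dropped alongside. The scanner below is added here as an example and is not code from the original article; it builds a constructed sample directory (one text document, one "encrypted" copy, one compressed-looking archive, one ransom note) and applies those three heuristics. The extension and filename lists are assumptions chosen for the example; real families use their own.

```python
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.2  # bits per byte; encrypted or compressed data approaches 8.0
# Extensions that are high-entropy by nature, so entropy alone must not flag them.
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf"}
# Extensions appended by some ransomware (assumed examples, not a complete list).
SUSPICIOUS_EXT = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_HINTS = ("readme", "how_to_decrypt", "restore", "recover")
NOTE_EXT = {".txt", ".html", ".hta"}


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, sample_bytes=65536):
    """Return (entropy of the first sample_bytes, list of reasons the file looks ransomware-touched)."""
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    ent = shannon_entropy(head)
    reasons = []
    if ext in SUSPICIOUS_EXT:
        reasons.append(f"suspicious extension {ext}")
    if ent >= HIGH_ENTROPY and ext not in COMPRESSED_EXT:
        reasons.append(f"high entropy {ent:.2f} bits/byte for a {ext or 'no-extension'} file")
    if ext in NOTE_EXT and any(h in name for h in RANSOM_NOTE_HINTS):
        reasons.append("ransom-note-like filename")
    return ent, reasons


def scan_directory(root):
    """Walk root and return {filename: reasons} for every file with at least one finding."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            _, reasons = classify_file(os.path.join(dirpath, fn))
            if reasons:
                flagged[fn] = reasons
    return flagged


def build_sample_dir():
    """Create a constructed sample tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "report.txt"), "w") as f:
        f.write("Quarterly revenue summary for the regional offices. " * 1500)
    with open(os.path.join(root, "report.txt.locked"), "wb") as f:
        f.write(os.urandom(65536))           # stands in for the encrypted copy
    with open(os.path.join(root, "photos.zip"), "wb") as f:
        f.write(os.urandom(65536))           # legitimate compressed data is also high-entropy
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as f:
        f.write("Your files have been encrypted. Contact us to recover them.")
    return root


if __name__ == "__main__":
    for fn, reasons in scan_directory(build_sample_dir()).items():
        print(fn, "->", "; ".join(reasons))
```

Entropy is a strong but blunt signal: the archive in the sample is excluded only by its extension, so a production scanner should also check magic bytes, and should watch the rate of change (many files crossing the threshold within minutes) rather than judging files one at a time.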

 

Extortion

In this final stage, ransomware lives up to its name. Extortion begins when the victim discovers that their data is inaccessible and is then contacted by the attacker, who provides payment instructions for a cryptocurrency ransom in exchange for the decryption key.

By this point the damage is already done: data is inaccessible, and entire applications and systems may be out of service because of the encryption.

A further pressure point is the threat of publishing the stolen data, on dark web forums, in auctions, or even on the open web.

 

Mitigating Ransomware Actions

Given all these stages and strategies, is it possible to mitigate the actions of digital hostage-takers? Here are some potential paths:

 

Monitoring: Gaining Cyber Intelligence for Prevention

Analyzing the stages of a ransomware attack shows that there is intelligence and logic behind cybercriminal actions. Not every attacker follows every stage with the same precision, but understanding them is essential for developing more proactive and effective security measures.

But how can we extend security beyond the organization's internal perimeter: its devices, network, and IT infrastructure?

Some key points in this process:

  • Monitoring Data Leaks and Brand Impersonation: If you do not monitor data leaks and online fraud, be aware that attackers constantly draw on these sources. The 2017 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen or weak passwords. It is therefore crucial to monitor exposed credentials and to track other illegal practices that damage the brand and facilitate ransomware operations.
  • Corporate and Executive Credential Monitoring: Privileged credentials must be monitored, because many leaks originate inside the organization, whether intentionally or through cybercriminal action. According to a later edition of the Verizon report (2019), about 34% of data breaches involved internal actors.
  • Brand Monitoring on the Deep & Dark Web: The deep and dark web are where the illegal trade in company data takes place. Watching these layers lets you detect leaks, fraud, and criminal use of data that affect both companies and consumers.
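Checking whether a corporate credential has already appeared in a leak does not require handing the password to anyone. The k-anonymity scheme used by the Have I Been Pwned Pwned Passwords service works by sending only the first five hex characters of the password's SHA-1 hash to `https://api.pwnedpasswords.com/range/<prefix>` and matching the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines. The code below is added here as an example and is not code from the original article; it runs offline against a constructed range response (the suffixes other than the one for the well-known hash of "password" and all counts are made up), and includes an unused live fetcher for readers who want to run it for real.

```python
import hashlib
import urllib.request

# Constructed stand-in for a response body from the range endpoint.
# Format is real (SUFFIX:COUNT per line); the suffixes and counts are invented except that the
# third line is the genuine SHA-1 suffix of the string "password".
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:3
1E2F7ACC5B3A72D0F7D8B6C0E3A4F1B9D2C:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
2B6B2D7A7A4C3B0B9E7A5D2F1C9B8A7D6E5:1
"""


def split_hash(password):
    """SHA-1 the password and split the uppercase hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def exposure_count(password, fetch_range):
    """Number of times the password appears in the corpus; only the hash prefix leaves the client."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Offline stand-in for the HTTPS call, returning the constructed body for any prefix."""
    assert len(prefix) == 5
    return SAMPLE_RANGE_RESPONSE


def live_fetch(prefix, timeout=10):
    """Real range query (not exercised here). Add-Padding makes all responses a similar size."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "credential-exposure-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_credentials(creds, fetch_range=offline_fetch):
    """creds: iterable of (username, password). Return {username: count} for exposed passwords."""
    exposed = {}
    for user, pw in creds:
        n = exposure_count(pw, fetch_range)
        if n > 0:
            exposed[user] = n
    return exposed


if __name__ == "__main__":
    sample = [("alice", "password"), ("bob", "Tr0ub4dor&3-unique-2024")]  # constructed test credentials
    print(check_credentials(sample))
```

Hashing with SHA-1 here is a lookup key, not password storage: the scheme is safe because the server learns only a 20-bit prefix shared by hundreds of candidate hashes. An organization that wants to test its own directory against such a corpus should still do so from a controlled host and never log the plaintext it checks.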

The risks are everywhere, and cybercriminals stand ready to use their most cunning tactics, ransomware chief among them, against organizations.

 

The Crucial Role of MSSPs in Ransomware Defense

Managed Security Service Providers (MSSPs) are indispensable in the fight against ransomware attacks. By leveraging advanced cybersecurity tools and threat intelligence platforms, MSSPs provide continuous monitoring and real-time threat detection, ensuring rapid response to potential ransomware incidents. When utilizing platforms like Axur's, MSSPs can proactively identify vulnerabilities, mitigate risks, and implement robust security measures to protect their clients' critical data and systems. This proactive approach not only safeguards confidential information but also helps maintain the trust of their clients. The expertise and resources provided by MSSPs are essential for navigating the complex landscape of modern cyber threats, ensuring comprehensive protection against ransomware and other malicious activities.