6 stages of the ransomware lifecycle
Know thy enemy. By understanding the nuances of the ransomware lifecycle, enterprise security teams can best protect their organizations from attacks.
Ransomware has been a thorn in the side of IT security practitioners for the better part of three decades, and it shows no signs of dissipating. This form of data theft extortion continues to run rampant through organizations of all types and sizes.
Although ransomware methods and tactics have grown increasingly sophisticated in recent years, the typical attack still follows a consistent series of steps, beginning with malware distribution and culminating in extortion. A thorough understanding of the ransomware lifecycle can give security teams important insight into defending against such attacks.
The ransomware lifecycle usually includes the following stages.
1. Malware distribution and infection
To launch the ransomware lifecycle, operators must distribute malware that lets them access an organization's data and eventually hold it hostage.
The most common method of ransomware distribution is email -- specifically, malicious attached documents and embedded URLs in phishing emails. Cybercriminals use social engineering tactics to make these emails appear legitimate. When an unsuspecting user downloads and opens an attached file or clicks on a malicious link, it initiates the endpoint infection process.
This article is part of
What is ransomware? How it works and how to remove it
Other ransomware distribution methods include exploitation of unpatched software vulnerabilities; exploitation of Remote Desktop Protocol; credential theft; infection of removable devices, such as USB thumb drives; and infection of pirated software.
2. Command and control
Once malware has successfully infected a target device, it typically begins communicating with what's known as a command-and-control server (C&C server), located externally on the internet. This server, which threat actors control, is responsible for sending encryption keys to the target device. It might also download additional malware and network-probing software to facilitate discovery and lateral movement activity in the next phase of the attack.
The time between the initial infection stage and the command-and-control stage varies. In some cases, operators might purposely delay the malware's initial communication with the C&C server to avoid attracting the attention of malware prevention tools.
3. Discovery and lateral movement
In a sophisticated ransomware lifecycle, a compromised device begins unobtrusively reaching out to other targets to spread the infection. This phase is known as discovery -- in which the attackers gather information about the IT environment and how to best attack it -- and lateral movement -- in which they infiltrate additional devices and try to elevate their access privileges to gain access to the network's most valuable digital assets. The more the malware spreads, the more effective threat actors' eventual extortion efforts are likely to be.
To achieve lateral movement and privilege escalation, threat actors often take advantage of stolen credentials, software vulnerabilities and network misconfigurations. This phase of the ransomware kill chain may last months, as attackers try to establish a persistent foothold and gain access to critical resources without revealing their presence.
4. Malicious data theft and file encryption
Using the C&C server as a file repository, attackers scan infected devices and upload any data they deem valuable. As in the discovery and lateral movement phase, ransomware operators could perform data exfiltration slowly and over a period of weeks or months to avoid attracting attention with unusual network activity.
When data exfiltration is complete, the ransomware encrypts the local data on the targeted devices, using the keys provided by the C&C server.
5. Extortion
Once the malware has encrypted files on the target devices, the extortion process begins. At this point, users typically see a message that includes the following information:
- Notification of infection.
- The amount of money the criminals demand in exchange for the decryption key.
- Instructions for submitting payment.
- A countdown timer that indicates the amount of time the user or business has to pay before permanently losing the data or seeing the ransom amount increase.
If the cybercriminals uploaded files to the C&C server, they may also threaten to publicly release the data in a tactic known as double-extortion ransomware. Triple-extortion ransomware involves a third element, such as a DDoS attack or parallel extortion of the organization's customers or partners.
6. Resolution
Upon learning of an active ransomware attack, the security team must act quickly to isolate the infection by disconnecting and shutting down any affected devices. Depending on the sophistication of the attack, the ransomware could have been lurking and spreading throughout the IT environment for many months.
At this point, an organization often has limited options. In an ideal scenario, offline backups and a ransomware recovery plan enable restoration of critical data and resumption of business operations with no need to engage the attackers.
In many cases, however, executives must choose to pay the ransom, negotiate with the attackers or rebuild their IT systems from scratch. Note that paying a ransom is no guarantee an organization gets all -- or any -- of its data back.
Experts generally advise all organizations report ransomware attacks to the authorities, such as CISA or their local FBI office. Depending on their sectors and the type of data involved, some organizations are legally required to do so.
How to defend against ransomware
Protecting an organization against ransomware is not an easy feat. It requires defense-in-depth cybersecurity, starting with foundational, enterprise-grade security measures, including firewalls, intrusion prevention systems, off-site backups and multifactor authentication.
Advanced security tools and techniques can significantly reduce the risk of intrusion and increase the chances of uncovering and disrupting a ransomware attack if one is underway. Consider the following:
- Automated patch management. Malware often exploits unpatched vulnerabilities in a device's OS or applications. Patch management tools that automatically remediate known software security bugs can dramatically reduce the odds of a ransomware attack.
- Antimalware and antivirus software. Antimalware and antivirus software help identify and protect against known ransomware variants. When installed on devices and within email applications, these tools stop communication with known malicious domains and prevent installation of recognizable malware.
- Anomaly detection software. AI-based anomaly detection capabilities, such as those in user behavior analytics software, continuously scan network traffic to identify suspicious activity. Upon confirming a ransomware intrusion, the security team can quarantine infected devices to prevent further lateral movement and infection.
- Network microsegmentation. Microsegmentation lets IT teams restrict lateral movement. Logical separation of networks into granular subnetworks, each with tailored access control rules, prevents malware infections from spreading.
Finally, and most importantly, businesses should provide thorough and continuous cybersecurity awareness training for every employee. Even in IT environments with all the right security tools in place, ransomware attempts unquestionably still reach end users. They must be able to identify and resist threat actors' best efforts to trick them into installing malware -- stopping the ransomware lifecycle before it begins.