Stages of ransomware attacks – How do they work?


Ransomware attacks have emerged as a significant cyber-security threat, encrypting user data upon system infection, causing business disruption and financial loss.

Ransomware is malware that infects a computer or a network of computers, encrypting files and folders and rendering them inaccessible. Users are then prompted to pay a ransom, typically done in cryptocurrency.

Ransomware is not a new threat, but its use is increasing and causing significant financial losses worldwide. Due to its polymorphic nature, typical ransomware is not detected by anti-virus software, posing a significant challenge for cyber-security analysts and reverse engineers. According to studies, nearly 51% of organizations worldwide will be targeted by highly sophisticated Ransomware attacks in 2020. These attacks used sophisticated command and control servers, making them difficult to reverse engineer.

According to FortiGuard Labs’ 2021 1H Global Threat Landscape report, ransomware increased 1070 percent between July 2020 and June 2021. While several high-profile incidents have made international headlines, the true impact is felt by tens of thousands of organizations, ranging from large corporations to small businesses and federal agencies to local governments.

Two factors are driving the explosive growth of ransomware. For starters, tools such as Ransomware-as-a-Service and the sale of the names of companies that have already been compromised have commoditized the process. Novice criminals can now successfully target organizations with little or no technical skills by acting as a franchisee for a cybercriminal organization. All back-end processes, from target acquisition to pricing to collecting funds, are provided as a service (for a fee) by sophisticated criminal enterprises, which even offer help desk services to their customers. The second reason is that ransomware’s massive payouts have been widely discussed in the news and online forums, resulting in nothing short of a feeding frenzy.

This post will explore how ransomware attacks work and the four key stages of ransomware attacks.

1. Infection

The first stage involves the ransomware spreading to the victim’s device. As previously discussed, ransomware can obtain an infection vector from various sources. The attacker’s strategy at this point is to get their ransomware downloaded on the victim’s machine. This stage is heavily influenced by the victim’s actions and overall Cyber-hygiene. If the potential victim is cyber-savvy, likely, the ransomware will not be able to infect the system.

2. Encryption/Locking

The ransomware begins its pre-programmed sequence of actions when infected, depending on its type. The ability of recent Ransomware strains to communicate with a central command-and-control (C2C) server simplifies the attacker’s automation process. The C2C server also serves as a repository for victims to download their decryption keys after paying. Following the first stage, the cryptographic keys are generated on either the victim’s PC or the C2C server. The attacker then locks the files and folders or immediately changes the master boot record, preventing the victim from accessing their device.

3. Demand

During the third stage, a message appears on the screen demanding a ransom payment from the victim for them to regain access to their system. The attacker provides a Bitcoin address for a ransom payment. This makes it more difficult for law enforcement to trace the payment back to the attacker.

4. Result

After the third stage, it is up to the user whether or not to pay the ransom. At this point, three outcomes are possible. If the victim decides to pay the ransom, they will be given a decryption key that will allow them to regain access to their devices. Another possibility is that the victim has strong technical skills or can enlist the assistance of reverse engineers to reverse the Ransomware operations and recover the files. The third outcome occurs when the victim is unable to pay the ransom. This causes permanent damage and complete data loss.

To conclude, ransomware is ubiquitous; everyone is a target, and it is driving investments in strategies, training, and technologies because no one expects it to go away any time soon. More needs to be done to educate organizations about the critical value of advanced email security, segmentation, sandboxing, and similar tools and strategies to detect, prevent, and limit ransomware.