Anatomy of a ransomware attack
For this year's European Cyber Security Month (ECSM), Ireland’s National Cyber Security Centre is focussing on two main themes, ‘Being Cyber Secure from Home’ and ‘Ransomware’.
Last month, Secora Consulting released a guide on how you can secure your organisation's remote workforce. The guide provided insight into what organisations and employees need to do to create a robust cyber security posture for remote and hybrid working options.
This blog has a specific focus on the other main theme of this year's ECSM, Ransomware. There is a notable increase in ransomware attacks within the last 12 months, with numerous organisations such as the Irish Health Service Executive (HSE) and Miami-based IT management company Kaseya both being targeted.
Successful ransomware attacks often lead to financial gains for attackers. As rewards can be large, ransomware continues to evolve, becoming more advanced. However, the more we understand about the process of a ransomware attack the better we can defend against attacks.
Most ransomware attacks are made up of the following seven steps:
All ransomware has to initially gain access to your corporate network. The most common ingress point for a ransomware attack is through human error. An employee could open a phishing email and click on a link or download an attachment that contains a ransomware dropper.
Once the ransomware is downloaded onto a machine the infection begins. This initial infection can often be hard to detect.
3. Command and Control Server
Once the ransomware has infected its initial hosting machine, it will then execute its malicious code and embed itself in your network. Once embedded it will attempt to make contact with the attackers servers and wait for instructions
The ransomware will begin searching for company data to encrypt across any networks it can access.
5. Lateral Movement and Credential Stealing
Some ransomware will move throughout your network, stealing credentials and escalating privileges to compromise more and more systems. The more data an attacker can collect for encryption the better for them.
Once an attacker has gathered and identified which files are most sensitive to your organisation, they will begin to encrypt them. If an attacker has managed to access an organisation's back-ups and encrypt these also.
This is the part many of us would be most familiar with. We have all heard about the messages organisations have received from an attacker demanding a ransom to have their organisations file unencrypted. Once an attacker has successfully encrypted an organisation's files they issue a ransom demand. This ransom demand is typically a payment to be made via a digital currency such as Bitcoin in exchange for the decryption key so an organisation can retrieve their files.
How can Secora Consulting help you?
We offer a wide range of services which are tailored to your requirements. We can help you prepare for the worst-case scenario by simulating threats to your organisation.
Should you ever be on the unfortunate end of a cyber attack our in-depth knowledge and Incident Response service will have your organisation ransomware free and up and running in no time.
Partner with us today, our experienced consultants will go the extra mile to ensure your organisation stays secure by:
- Validating implemented security controls.
- Prioritising your risks based on their exploitability and impact.
- Providing expert and effective advice to immediately improve your cyber security posture.
- Understanding how uncovered issues will affect your organisation, operations availability and profitability.
- Recovery from incidents and cyber attacks.
If you have any questions regarding ransomware or are unsure if the steps you are taking to help keep your organisation secure are working. Get in touch!
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.