The Anatomy of a Ransomware Attack

“Ransomware attacks are increasing dramatically.” As threats from cyber-criminals become part of the reality of doing business, that statement is becoming all too familiar and personal for small businesses.  By the end of this year, it’s projected that ransomware attacks alone will net cyber-criminals more than $1 billion made possible in part because small businesses are easy targets and have little option other than to pay ransoms or risk closing their doors.

So you probably know that a “ransomware attack” is used to extort money from you by literally holding your data and computer systems hostage.  But, what does this attack look like and what can you do to defend your business from them?

First, let’s take a look at how a ransomware attack progresses:

1)      Though ransomware attacks can be initiated by visiting an infected website, most businesses will find that attacks are going to be launched on them through an increase of emails which contain attachments. The messages usually evoke a sense of urgency to open the attachment (such as with an unpaid invoice, a “Final Notice,” or a package delivery notification). The file may appear to be just a Word document or PDF file.

2)      After clicking on the attachment, the user is prompted to “enable content” or possibly decompress a zip file. Once that message is clicked on, the malware is activated and released into your system.

3)      Depending on the file type, an icon may appear on your desktop, but only for a brief time before disappearing. It is at this point the malware sends a message to a computer system outside of your network for an encryption key to use on your computer system.

4)      Once that key is communicated back, the ransomware begins encrypting your files and programs. Since encryption is a time consuming and resource intensive process you may notice that your computer system slows down or starts acting “quirky.” However, you may not notice any outward sign of infection.

5)      Depending on the amount of information being encrypted it could take several hours for all files on your computers and attached or networked drives to be encrypted. So just because it doesn’t happen quickly doesn’t mean you have nothing to worry about.

6)      While all of this is happening, you may notice that you are still able to access some files, but other files are not accessible. File names will change. You may receive messages that the “file is corrupt” or has an “unknown extension.” Ultimately, files you had been able to access become inaccessible. Depending on the attack, entire programs may become unusable.

7)      Finally, the background on your screen will change and a message will display explaining that your files have been encrypted along with a demand that you must pay within a set amount of time or else your data will be lost. These demands are usually for payment in the form of Bitcoin (which is a process of and by itself that most Americans are not familiar with).

8)      Once the ransom is paid, the victim is supposed to receive an alpha-numeric key for decrypting the files. However, because these hackers are criminals, there is no real guarantee that a key will be sent, or if one is, that they won’t simply attack again later. It isn’t unusual that a victim is repeatedly attacked once they have proven they are easy targets and willing to pay.

Because these hackers are criminals, there is no real guarantee that a key will be sent, or if one is, that they won’t simply attack again later.

So what is a business supposed to do to avoid these attacks?  If you look at the points above you will see where different points of failure exist. Here’s what you can do about them:

  1. Be sure your employees understand the threats posed and tactics used by these criminals. Reinforce the need to be cautious when clicking on attachments in emails from people whom they are not expecting anything. Help them recognize that emails that use urgency as a tactic to get them to open attachments are suspect. And attachments that require an additional step of “unzipping” or “enabling content” need to be scrutinized carefully before doing so.
  2. It’s crucial to invest in the right kind of security solutions like a robust next generation firewall so that ransomware doesn’t infiltrate systems to begin with and cause irreparable damage.  If you are using an older firewall or one that isn’t updated daily, you are leaving yourself open to attacks.  Also, be sure you are using powerful and updated virus and malware scanning software.
  3. Always, always, always keep your operating systems and software updated with the most recent patches and hotfixes.
  4. Have a good backup strategy, which includes monitoring your backup status and testing your restore process to ensure that restored files are usable. A backup process without testing may not be worth much.
  5. Take this threat seriously! It’s real and it’s growing.

If you have been a victim of a ransomware attack, Axiom Cyber Solutions may be able to help. Give us a call at 800-519-5070, or drop me an email (without any attachments – we won’t open them) at info@axiomcyber.com.

About the Author