Ransomware is a type of malicious software that cybercriminals use to hold a victim’s files, data, or systems hostage until a ransom demand is paid. Ransomware attacks have been rapidly rising over the past several years, with both individuals and organizations being targeted. So how does ransomware typically work and how do attackers gain access to systems in order to infect them with ransomware?
Common Attack Vectors for Ransomware
Cybercriminals use a variety of techniques to distribute ransomware and infect vulnerable systems. Some of the most common attack vectors include:
- Phishing emails – Malicious emails containing links or attachments that download the ransomware when opened or clicked on. These emails are designed to look legitimate to trick the recipient.
- Compromised websites – Websites that have been hacked to distribute ransomware via malicious ads, pop-ups, or drive-by downloads that exploit browser vulnerabilities.
- Remote Desktop Protocol (RDP) – Brute forcing weak RDP credentials to gain access to systems and manually install ransomware.
- Software vulnerabilities – Exploiting unpatched vulnerabilities in operating systems, applications, and network devices to distribute and execute ransomware.
- Malvertising – Malicious ads on legitimate websites that redirect to sites hosting ransomware.
- Drive-by downloads – Visiting compromised websites that automatically download and execute ransomware on the victim’s system.
These are some of the most common ways that ransomware initially infiltrates a system before executing its encryption or locking payload. However, adversaries may use multiple methods within an attack chain to distribute ransomware and escalate privileges on a system or network.
Phishing Emails and How They Work
One of the most prevalent methods of distributing ransomware is through phishing emails. Phishing involves sending authentic looking emails under the guise of a legitimate organization in order to trick the recipient into opening a malicious attachment or clicking on a link. Here is a closer look at how phishing emails work as an attack vector:
- The attacker spoofs the “From” email address to appear as a legitimate company, government agency, bank, etc. that the victim may recognize and trust.
- The subject line is crafted to motivate the user to open the email, often conveying a sense of urgency, an important notification, a request to take action, etc.
- The email body is made to look as authentic as possible, using logos, formatting, and language mimicking the spoofed organization.
- A malicious link or attachment is included that will trigger the download and installation of ransomware when clicked or opened by the victim.
- The link may direct to a phishing site that requests login credentials or serves malicious code. The attachment is often a document file, script, or executable.
- If credentials are collected, attackers may leverage them to gain further access and distribute ransomware laterally across a network.
Even security-savvy users can be fooled by carefully crafted phishing emails. The request they convey triggers psychological and emotional responses that bypass logical reasoning. For example, an email allegedly from the IT department that states there is a problem with your email account that requires urgent confirmation will motivate action.
Drives-by Downloads
Drive-by downloads enable attackers to silently install ransomware on victim’s computers without any action required on the user’s part. This is accomplished by exploiting browser or software vulnerabilities using malicious code hosted on hacked websites:
- Attacker identifies a vulnerable internet-facing system and exploits it to install a malicious payload.
- The payload adds the compromised server as a command and control point and modifies it to distribute ransomware.
- When a victim visits the website it checks their browser type and OS version to identify potential vulnerabilities.
- A browser or plugin exploit targeted to the victim’s system is used to silently download and execute the ransomware in the background.
- No user interaction is required beyond visiting the website for the infection process to be triggered.
- The ransomware then carries out file encryption, locking, and ransom payment instructions.
This attack method allows ransomware to infect large numbers of website visitors rapidly. Using exploit kits containing known exploits, attackers can compromise systems on a massive scale to maximize infections and ransom payouts.
Malvertising
Cybercriminals have become adept at hijacking online advertising networks to deliver ransomware through malicious ads, known as malvertising. This technique works as follows:
- Attacker infiltrates an ad network using purchased ad space or by compromising a real advertiser’s account.
- Malicious ads are created containing code that will query the visitor’s browser, OS and installed software.
- The malicious ad code identifies potential vulnerabilities and redirects the browser to a site hosting an exploit kit tuned to the victim’s system.
- Exploits are triggered silently to install the ransomware payload from the compromised site.
- A separate malvertising campaign may be used to distribute the decryption keys to victims that pay.
These attacks exploit the trust users have in legitimate websites they frequent that unknowingly distribute malicious ads through ad networks. Ad blockers provide some defense against malvertising ransomware attacks.
Software Vulnerabilities
Cybercriminals are continuously scanning for and developing exploits for vulnerabilities in common software such as:
- Operating systems – Windows, Linux, macOS
- Web browsers – Internet Explorer, Chrome, Firefox
- Plugins – Adobe Flash, Java, Adobe Reader
- Office applications
- Networking devices and hardware drivers
When organizations and users fail to patch known vulnerabilities in these technologies, it provides an opportunity for attackers to distribute and install ransomware. Some examples include:
- Exploiting an unpatched Windows SMBv1 vulnerability to spread ransomware laterally across an organization.
- Leveraging a vulnerability in an outdated version of Firefox to infect systems with a drive-by download.
- Taking advantage of vulnerabilities in hardware drivers and firmware to inject ransomware into the boot processes.
Regular patching, updating, and upgrading software is critical to closing off vulnerabilities that may enable ransomware attacks across systems and networks.
Other Infection Methods
In addition to the attack vectors outlined above, ransomware perpetrators may use other infection methods including:
- Brute force attacks – Attacking remote access services like RDP and SSH to gain access using cracked credentials and manually installing ransomware across systems.
- Unpatched VPNs – Exploiting vulnerabilities in VPN servers to tunnel into corporate networks and compromise endpoint systems.
- Physical access – Infecting systems via USB drives, hard drive installations, or plugging directly into the physical system if access can be obtained.
Attackers will use any means necessary to distribute ransomware. Initially compromising a single system provides a foothold to traverse networks using exploited vulnerabilities and compromised credentials in order to infect as many systems as possible.
Multi-Stage Infection Process
Distributing the ransomware executable is often just the first step in a multi-stage infection process. Attackers use various tactics to escalate privileges, spread laterally, and impede recovery efforts:
- Initial compromise via phishing, drive-by, malvertising, or exploiting vulnerabilities.
- Establish persistence mechanisms to maintain access such as scheduled tasks, services, startup items.
- Privilege escalation exploits to gain admin access to systems and network resources.
- Network reconnaissance and credential theft to enable lateral movement across systems.
- Disable security tools, backups, and remove volume shadow copies.
- Deploy ransomware payload across all accessible systems and networks.
This multi-pronged approach allows adversaries to maximize the impact of the ransomware attack against the organization. Even if the initial infection vector is detected, attackers may have already gained a strong foothold from which to spread the ransomware extensively.
How Attackers Evade Detection
Cybercriminals use various techniques to try and evade detection by security tools and IT teams during reconnaissance, network traversal, and deployment of the ransomware payload:
- Using legitimate tools like PowerShell, WMI, and Windows Admin tools for system access and lateral movement.
- Impersonating valid user accounts and abusing built-in permissions.
- Disabling endpoint and network security tools or tampering with event logging.
- Encrypting or obfuscating payloads, commands, and network traffic.
- Operating within inherent windows of vulnerability such as weekends, holidays, or off-hours.
- Rapid propagation throughout networks before detections can occur to minimize disruption.
- Incremental increases in the number of systems compromised to avoid triggering alerts.
Defenders must implement layered security controls, actively monitor for suspicious activity, and proactively hunt for adversaries that may be evading existing preventative defenses.
Maximizing the Impact of the Attack
Once attackers have successfully infiltrated a network, compromised credentials, escalated privileges, and evaded detection, they use various techniques to inflict maximum damage by deploying ransomware across all accessible systems:
- Use credential dumps, shared drives and databases to identify critical data, servers, and infrastructure to target.
- Scan internal network segments and systems to map the environment.
- Check for backups and delete or encrypt them to limit recovery options.
- Turn off security software or tamper with tools to prevent detections during encryption.
- Use native system tools and scripts to automate ransomware deployment across multiple systems and servers.
- Target high value systems and data first to increase ransom demands.
- Schedule ransomware to deploy during low-usage times or weekends to maximize time to encrypt.
The goal is to inflict maximum damage and make timely recovery difficult before the organization even detects the attack is underway. This forces victims into paying the ransom to regain access to critical data and systems.
Ransomware Execution and Encryption
Once positioned on systems and ready for execution, most ransomware performs a similar process to encrypt files and hold them for ransom:
- Create encryption keys to be used for encrypting files and communications with command and control servers.
- Identify files and data to encrypt based on file types, locations, size, etc.
- Encrypt files using algorithms like AES-256 or RSA-4096 and the generated encryption keys.
- Delete or encrypt volume shadow copies and backups to restrict recovery options.
- Connect to command and control servers to transfer data and encryption keys.
- Display ransom payment demands and encryption instructions.
Modern ransomware strains encrypt hundreds of different file types across mapped drives, removable media, and network shares rapidly. Systems are left encrypted and inaccessible in a matter of minutes up to a few hours maximum.
Ransom Demands and Payment
With files encrypted and systems locked down, victims must choose between paying the ransom or attempting data recovery:
- A ransom note is displayed with demands for payment, usually in cryptocurrency like Bitcoin.
- Payment amounts often range from a few hundred to thousands of dollars depending on the size of the organization.
- Ransoms may increase if demands are not paid within a short timeframe.
- Instructions are provided for setting up cryptocurrency wallets to pay the ransom.
- Once payment is received, attackers send the decryption keys to recover files.
Attackers often give short timeframes ranging from 24-48 hours to pay the ransom before deletion of keys or increase in payment. Paying the ransom is no guarantee files can be recovered, however.
Post-Infection Activity
Following a ransomware attack, adversaries may continue to operate within compromised networks to monitor communications and ensure payment. Post-infection cybercriminal activity may include:
- Tracking communications and network activity to gauge detection of the attack.
- Further compromising IT systems and accounts to maintain persistence.
- Exfiltrating additional data prior to detection.
- Monitoring email inboxes for ransom negotiations.
- Threatening increased ransom demands or file deletion if payment is delayed.
- Restoring decryption keys after payment and verifying files can be decrypted.
- Removing malware and other evidence from systems to avoid attribution.
Active monitoring of compromised networks gives attackers insight into incident response efforts and facilitates ransom negotiations. Users should be aware that threat actors may still be operating within systems after ransomware deployment.
Recovery Without Paying the Ransom
Organizations that choose not to pay ransom demands do have options for restoring data and returning to normal operations, although the process is typically long and costly:
- Isolate and contain infected systems to prevent continued spread of ransomware.
- Investigate attack vectors to understand the full scope of the breach.
- Restore data from clean offline backups maintained for disaster recovery.
- Leverage tools that find and recover duplicate files to reconstruct missing data.
- Rebuild systems from the ground up, reinstalling the OS and software.
- Some security firms offer free decryption tools for common ransomware strains.
- With effort, encrypted files may sometimes be decrypted without the keys.
While tedious and expensive, with the right precautions organizations can recover from ransomware without paying ransoms. Maintaining offline backups of critical data is key.
How to Defend Against Ransomware Attacks
Defending against ransomware comes down to security basics combined with backups and planning for response and recovery when infections occur. Key defensive measures include:
- Educating staff on cybersecurity best practices and how to identify potential phishing attempts or malicious links.
- Keeping all software up-to-date with the latest patches and security fixes.
- Using powerful endpoint security tools and robust firewalls.
- Regularly backing up and securing critical data offline.
- Restricting permissions and limiting lateral movement across networked systems.
- Monitoring systems and network activity for signs of compromise.
- Having an incident response plan for isolating infections and restoring data.
Ransomware resilience requires a layered defense of technology, processes, and educated users. However, attackers periodically find ways of bypassing defenses which is why reliable backups are essential as the last line of defense.
Conclusion
Ransomware attacks have rapidly become one of the top cyber threats facing organizations and consumers alike. As outlined in this article, cybercriminals employ a wide array of infection vectors to distribute ransomware, often in multi-stage campaigns that evade detection and inflict maximum damage. Understanding how ransomware attacks unfold and where organizations are vulnerable is key to effectively preventing, detecting, and responding to incidents. Implementing strong technical defenses, secure backups, and educated users offers the best safeguards against ransomware outbreaks and data loss.