The Anatomy of A Ransomware Attack, And How To Protect Your Data

Ransomware attacks are becoming increasingly common. The FBI reported a nearly 21% increase in ransomware complaints in 2020 over 2019. The 2,474 complaints the agency received last year had adjusted losses of more than $29.1 million. 

This year we’ve also seen some of the most notable ransomware attacks to date, including the Colonial Pipeline attack that caused the United State’s largest fuel pipeline to shut down for the first time in its 57-year history and caused shortages along the East Coast, an attack on JBS Foods and the Kaseya ransomware attack.

We’ve also seen an increase in double extortion ransomware attacks, in which unauthorized users transfer, copy or retrieve data and threaten to leak it or sell it to the highest bidder in addition to encrypting it. In the latest threat, triple extortion ransomware attacks, attackers launch distributed denial-of-service (DDoS) attacks against a company’s networks if they don’t respond to demands for ransom after encrypting and exfiltrating data.

The threat of ransomware attacks is something the head of the U.S. Cyber Command and director of the National Security Agency anticipates the country will face every day for years to come.

Here’s a closer look at how ransomware attacks work and how to safeguard your enterprise data.

The anatomy of a ransomware attack

Ransomware is a type of malware that uses encryption methods to make the data on your computer unusable. High-profile ransomware attacks typically target industries with sensitive data, including those in the financial, government, legal, healthcare and life sciences sectors. The attackers hold the data hostage until the company pays a ransom, causing significant disruption to operations.

They often pressure the organization to pay the ransom by threatening to destroy data or release it to the public.

Cybercriminals use different techniques, but the FBI notes there are a few common elements in the anatomy of a ransomware attack.

Exploiting vulnerabilities

Email phishing campaigns may be the most well-known ransomware attack. Attackers send emails containing a malicious file or link, which deploys malware when the recipient clicks. Historically, cybercriminals have used generic, broad-based spamming strategies to deploy malware. Recent campaigns have been more targeted and sophisticated, however. Cybercriminals may also compromise a victim’s email account by using precursor malware. This enables them to use the victim’s email account to further spread the infection.

Exploiting Remote Desktop Protocol (RDP) vulnerabilities is another common method. RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cybercriminals have used both brute force methods—using trial-and-error to obtain user credentials—and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victim systems. 

Once they have RDP access, they can deploy a range of malware, including ransomware. In the Colonial Pipeline attack, cybercriminals gained entry into the company’s networks through a VPN account that was no longer being used but still active. Following the attack, the account’s password was discovered in a batch of leaked passwords on the dark web. That means a Colonial Pipeline employee may have used the same password on another account that was previously hacked.  It is likely in this case that the employee was not implementing a password manager, which is a simple solution for this problem.

Cybercriminals also attempt to take advantage of security weaknesses in widely used software programs to gain control of victims’ systems and deploy ransomware.

A ransom note

After exploiting a vulnerability, attackers typically leave a ransom note. This could be an email to company executives or a text file left unencrypted on a computer. In Colonial’s case, it was a note left on a computer screen. Usually, these notes contain instructions on how to access a website on the dark web. On the dark web, the attackers will demand a price and how much time the company has to pay before the asking price rises.

A ransom payment in exchange for returning enterprise data

Authorities like the FBI do not encourage paying the ransom. The FBI argues that paying a ransom may embolden cybercriminals to target additional companies as well as encourage others to engage in ransomware. They also argue that paying the ransom does not guarantee files will be recovered.  

Some companies do decide to pay the ransom. Colonial Pipeline paid $5 million, while JBS, the world’s largest meat processor, paid $11 million. The CEO of JBS USA said they made this difficult decision to prevent any potential risk to its customers. Whether or not a company opts to pay the ransom, the FBI urges companies to report the incident to the local FBI field office or the federal agency’s Internet Crime Complaint Center. Doing so provides investigators with the critical information they need to track down the cybercriminals and hold them accountable.

The price attackers demand in exchange for returning enterprise data varies depending on the company size and information retrieved from stolen financial statements.

Companies may even hire negotiators to bring down the asking price.

How to recover from a ransomware attack

It takes an average of 287 days for a company to fully recover from a ransomware attack, according to the US Chamber of Commerce. The actual ransom payment may not even be the most expensive part of the attack. Victims of ransomware attacks have to restore data backups and rebuild entire systems. They may have to work with forensic investigators and ensure cybercriminals are truly locked out. And they typically need to implement new technology, policies and procedures to prevent future attacks.

While no single solution can guarantee protection against ransomware attacks, the best defense is to render your enterprise data unusable to attackers and enable immediate recovery of your most important files.

Myota’s converged data security platform combines best practices for data encryption, data sharding, data dispersion and resiliency to help your company avoid the high costs and downtime of ransomware attacks. Your company can easily apply it to any of your existing storage platforms to protect critical data and restore previous file versions immediately.

Discover how Myota helps businesses recover faster from ransomware attacks. Learn more about how it works.