Demystifying Ransomware: Anatomy of an Attack

June 08, 2021 7 min Read

This post is part of our Demystifying Ransomware series.


Ransomware attacks have become so common that it’s no longer a matter of how many cyberattacks happen per day — that metric is now measured in seconds. A new company will be hit by a ransomware attack every 11 seconds this year.

Making matters worse, in the past five years, the average ransom demand has shot up from $15,000 to $175,000 – an almost twelve-fold increase – according to the NetDiligence® 2021 Ransomware Spotlight Report. This has also led to a rise in cyber insurance premiums of between 35–40% in the past year alone, according to Ari Giller, Vice President of Cyber & Tech Underwriting at Tokio Marine HCC – Cyber & Professional Lines Group.

These statistics should create a sense of urgency while sending a chill down your spine—and not just for the CISO, but for the entire C-Suite and IT leadership team. It only appears to be a matter of time before cybercriminals target your organization.

The reason ransomware attacks are skyrocketing is that people are willing to pay. That’s not to say everything is doom and gloom! Preventative measures can be taken, but before we discuss those, let’s discuss the anatomy of a typical ransomware attack. I’ll break down how ransomware attacks infiltrate and spread, and why they are such a significant ongoing concern.

What is a ransomware attack?

A ransomware attack is an attempt to hijack and extort a corporation’s vital data. Most attacks start off with an employee downloading or clicking on a link to some malware. Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including adware, Trojan horses, spyware, and of course ransomware. The end goal of a ransomware attack is to prevent access to mission-critical data and systems and then to demand payment to restore access.

The idea is simple. Losing access to your data and operational IT systems means losing control of your business. Few would argue that data is the lifeblood of any organization. But it isn’t only user data that can be targeted in a ransomware attack, applications and IT server infrastructure are also vulnerable. Your entire business can grind to a complete halt in hours.

To get an idea of how devastating a ransomware attack can be, consider what happened to Expedient client National Auto Care in October of last year. At 6:30 on a Friday morning, employees started noticing the network was not accessible. An hour later, the first helpdesk ticket was submitted. At 8:28, it was confirmed that there had been a ransomware attack and by 8:30, a call had been placed to the FBI and the affected servers were shut down, effectively paralyzing the organization.

Fortunately, National Auto Care was prepared for such an incident. They had daily backups and a plan in place for executing a disaster recovery that was tested and reliable. In under 48 hours, they were back up and running.

Hear how they did it from CTO Pankaj Singh.

How is it spread?

The most common ways ransomware spreads are through malicious email attachments and links, browser exploits, and server vulnerabilities. Most ransomware is orchestrated by cybercriminals in countries like Russia, Iran, China, and North Korea, with organizations in the US being the primary target. For example, they may target a group of users with a phishing scam. This is where cybercriminals impersonate legitimate organizations via email, text message, advertisement, or other means in order to trick users into opening the door to malware. You only need one domino (employee/desktop) to fall to set off a chain reaction.

Endpoint devices such as employee desktops and laptops are usually the most susceptible to an initial ransomware infection. That’s because of the human element involved. Just one bad click or download, and you get the picture. At this early stage you can detect and prevent the attack if you implement a modern behavioral-based malware solution (such as Elastic’s Endgame). This first line of defense should not only detect the attack and prevent infection, but also notify IT administrators and trigger an action to segregate the desktop from interacting with other systems on the network.

Infecting server infrastructure

The next phase of a ransomware attack deals with server infrastructure. Once a desktop has been compromised, the malware will try to find more vulnerable systems and more valuable data. It will try to spread to the server infrastructure, where most of the high-value data and systems reside.

If a ransomware attack is successful and spreads onto your server infrastructure, that’s when real problems occur. The malware has the sophistication to scan, identify and lock high-value files and data. When servers get infected with malware the impact, scale, and severity of a ransomware attack can quickly amplify—access to applications and data across all departments can be impacted.

Mitigating risks and putting a plan together

So, what can be done? How can you best prepare and mitigate the risks of a ransomware attack? A modern behavioral-based detection and response solution is a good place to start. If ransomware can’t get its foot in the door, it can’t take hold of your business. Additionally, properly controlling access to applications through a robust identity and access management policy and solution further reduces chances of an initial infection. Finally, a robust micro-segmentation strategy can make it much more difficult for an attack to spread, should it find a way in the door. All three of these areas of focus share a common goal – explicitly grant access to known good entities (i.e. code execution, network paths, or access policies) and block everything else by default.
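The "grant access to known good entities and block everything else by default" principle is easiest to see as a default-deny allowlist. The following is an added example, not code from the post or from Expedient: a small segmentation policy evaluator in Python. The zone names, subnets, allowed flows and the sample connection attempts are all constructed for illustration; a real deployment would enforce the equivalent policy in firewalls, host agents or a micro-segmentation product, and this script only shows which flows such a policy would permit.

```python
"""Default-deny segmentation policy check (added example, not from the post).

Models the post's "allow known good, deny everything else" rule as a tiny
allowlist evaluator. Zones, subnets, ports and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicitly permitted flow between two zones."""
    src_zone: str
    dst_zone: str
    port: int
    proto: str = "tcp"


# Constructed zone map: which subnet belongs to which zone.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "app_servers": ip_network("10.20.0.0/24"),
    "file_servers": ip_network("10.30.0.0/24"),
    "backup": ip_network("10.40.0.0/24"),
}

# Constructed allowlist: only these flows are permitted; anything else is denied.
ALLOW = {
    Rule("workstations", "app_servers", 443),   # users reach the web tier only
    Rule("app_servers", "file_servers", 445),   # app tier reaches file shares
    Rule("backup", "file_servers", 445),        # backup network pulls from file tier
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is not in any known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, port: int, proto: str = "tcp") -> Tuple[str, str]:
    """Return ("ALLOW" | "DENY", reason) for a single connection attempt."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "DENY", "unknown zone (default deny)"
    if src_zone == dst_zone:
        # Peer-to-peer traffic inside a zone (desktop to desktop) is never
        # allowlisted here: that is the path an infection uses to hop between endpoints.
        return "DENY", f"intra-zone {src_zone} traffic not allowlisted"
    if Rule(src_zone, dst_zone, port, proto) in ALLOW:
        return "ALLOW", f"{src_zone}->{dst_zone}:{port}/{proto} allowlisted"
    return "DENY", f"{src_zone}->{dst_zone}:{port}/{proto} not allowlisted (default deny)"


# Constructed sample of connection attempts (src, dst, port), as seen in flow logs.
SAMPLE_FLOWS = [
    ("10.10.5.23", "10.20.0.10", 443),  # user to web app
    ("10.10.5.23", "10.30.0.5", 445),   # desktop straight to file server over SMB
    ("10.10.5.23", "10.10.7.9", 445),   # desktop to another desktop over SMB
    ("10.20.0.10", "10.30.0.5", 445),   # app tier to file tier
    ("10.10.5.23", "10.40.0.2", 22),    # desktop to backup network
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, int, str]]:
    """Evaluate each flow and return (src, dst, port, verdict) for inspection."""
    return [(s, d, p, evaluate(s, d, p)[0]) for s, d, p in flows]


if __name__ == "__main__":
    for src, dst, port, verdict in audit():
        print(f"{verdict:5} {src} -> {dst}:{port}  {evaluate(src, dst, port)[1]}")
```

Run as a script it prints a verdict per sample flow. Note that the two flows a desktop infection would need, reaching another desktop and reaching the file servers directly, are denied simply because nobody wrote a rule for them; no signature or knowledge of the malware is required, which is the point of a default-deny design.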

Data backups and a moment of truth

Protecting your infrastructure against attack, even when approached from multiple angles as discussed above, still cannot guarantee an attacker won’t find his way into your business. For this reason, it is also critical to have a backup and Disaster Recovery (DR) plan in place. Whether a single server or your entire infrastructure becomes compromised, you can be prepared to recover – quickly, efficiently, and with a known outcome.

If you find yourself ready to pay a ransom, you have failed on many levels. You missed several options along the way to prevent your organization from getting into this situation. Even if you are completely locked out, you should still be in a position not to pay the cybercriminals. The final line of defense in a ransomware attack is having proper data backup and DR solutions in place. This is your contingency plan for when the worst-case scenario comes true. You have a disruption in service, but you can recover.
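The National Auto Care recovery worked because their backups were "tested and reliable", and the passage above makes the same point: a backup you have never restored is a hope, not a plan. The following is an added example, not code from the post or from any backup product: a Python restore drill that records a SHA-256 manifest when a backup is taken, verifies the copy, and then proves a restore into a clean location matches the manifest. All file names and contents are constructed inside a temporary directory.

```python
"""Backup verification and restore drill (added example, not from the post).

Records a SHA-256 manifest for every backed-up file, verifies the backup copy,
and runs a restore into a clean directory that is checked against the manifest.
File names and contents are constructed; nothing touches real data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> Path:
    """Hash the source tree, copy it to dest, and write a manifest next to the copy."""
    manifest = {str(p.relative_to(source)): sha256_file(p)
                for p in source.rglob("*") if p.is_file()}
    shutil.copytree(source, dest)
    manifest_path = dest.with_suffix(".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify(tree: Path, manifest_path: Path) -> List[str]:
    """Return relative paths that are missing from tree or whose hash differs."""
    manifest = json.loads(manifest_path.read_text())
    bad = []
    for rel, expected in manifest.items():
        p = tree / rel
        if not p.is_file() or sha256_file(p) != expected:
            bad.append(rel)
    return sorted(bad)


def restore_drill(backup: Path, manifest_path: Path, target: Path) -> List[str]:
    """Restore the backup into target and verify the result; empty list means success."""
    shutil.copytree(backup, target)
    return verify(target, manifest_path)


def run_drill() -> Dict[str, object]:
    """Self-contained drill: constructed data, backup, damage detection, restore."""
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "production"
        src.mkdir()
        (src / "claims.csv").write_text("id,amount\n1,100\n")      # constructed
        (src / "policies.db").write_bytes(b"\x00\x01constructed")  # constructed
        manifest = make_backup(src, root / "backup")
        backup_ok = verify(root / "backup", manifest) == []
        # Simulate the production copy being damaged after the backup was taken.
        (src / "claims.csv").write_text("unreadable")
        damaged = verify(src, manifest)
        restored = restore_drill(root / "backup", manifest, root / "restored")
        return {"backup_ok": backup_ok, "damaged_files": damaged, "restore_ok": restored == []}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_drill())
```

The manifest is what turns the drill into evidence: `verify` tells you which production files no longer match the last good backup, and `restore_drill` returning an empty list is the "known outcome" the passage asks for. In practice the manifest and the backup copy should live where a compromised production host cannot modify them, and the drill should run on a schedule rather than once.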

To put this all in perspective, an interesting stat comes to mind. According to the Cybersecurity Ventures 2019 Official Annual Cybercrime Report, the total damages caused by malware, including downtime costs, recovery time, and lost revenue, are expected to reach over $6 trillion by 2021.

In my next blog post on ransomware, I’ll take a deep look at endpoint security solutions. In the meantime, if you have any questions, reach out to me directly: Anthony.Jackman@expedient.com.

Anthony Jackman
