The security specialist Sophos knows the course and the consequences of a successful ransomware attack only too well. From the victim's perspective: this is how a ransomware attack works.
No organization wants to become a victim of cyber crime. But if there are security holes, it is likely that attackers will find and exploit them. And it can take months or longer before the victim even notices the intrusion. So-called incident responders help companies to identify, block and mitigate attacks and their effects. This monitoring by specialists also enables a precise analysis of attack patterns and, as a result, a close look at how cybercrime actually affects its victims.
The real opponent is human, not machine
Attackers are becoming ever more adept at disguising themselves so as not to arouse suspicion among security teams and to remain undetected. Multiple layers of security are therefore necessary, each breaking the attack chain at a different point. While the initial breach is often automated, the attackers then use legitimate IT tools, such as network scanners, for their illegal purposes in order to circumvent security technologies and move laterally through the network. The challenge for victims is that IT security teams need to be particularly vigilant when evaluating the use of tools that are legitimate, and therefore popular, and for exactly that reason often used by attackers. In addition, attackers regularly compromise existing administrator accounts in order to hide in plain sight. If they are stopped in one attempt, they try something else. And this reveals one of the most important aspects of cybercrime, one that victims still underestimate: you are not fighting malware code, you are fighting people.
Ransomware is the finale of a cyber attack
According to incident responders, many victims believe that an attack began shortly before it became visible, for example through the ransom note. This is very rarely the case. In fact, attackers have generally been in the network for a long time before that point. They operate under the radar, scan the systems, install backdoors and steal information. All of these activities leave traces that need to be examined to enable full recovery from the attack. The part of the attack that sounds the loudest alarm is the launch of the ransomware. By this point the attacker has already carried out all of the steps mentioned above in the victim's network (see graphic on different ransomware behavior), so that he can come out of cover and make his presence known. In other words, the deployment of ransomware marks the end of an attack, not its beginning.
Victims and attackers are both under great stress
Around ninety percent of the attacks seen by incident responders involve ransomware, and the effects of these attacks are often devastating. This is especially true for critical organizations such as healthcare facilities, where a successful attack can mean canceled operations, missing X-rays, encrypted results from cancer screenings, and more.
Some victims feel powerless and consider paying a ransom to be the only option, for example to regain access to data backups that the attackers have hijacked. Other organizations choose not to pay. Still others are more concerned about the damage to their reputation (disclosure of the stolen data) than about the ransom demanded for the decryption keys. Ransomware itself varies from businesslike and sophisticated to inferior and sloppy. Ransomware analyses have shown that attacks are not only stressful and intimidating for the victims, but that the criminals are also increasingly under pressure to succeed: they are harassing companies that refuse to pay more and more aggressively.
Reconstruction challenge: find the source
The incident responder data also suggests that many victims have a hard time tracking the movement of ransomware through the organization. There is a general assumption that it spreads automatically in all directions of the network from its starting point, when in reality it is strategically focused on a preselected list of devices and network segments. The data also shows that the attackers not only target documents and other data, but want to render devices and systems inoperable to such an extent that they retain only enough resources to display the ransom note.
For the victims of an attack, this means that restoring the systems does not simply start with restoring a backup and then looking for what else the attackers have done. The recovery process often begins with the significant challenge of rebuilding all affected machines, and with it the difficult task of identification: where did the attack originate, and are the criminals perhaps still in the system?
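The two practical problems described above, telling legitimate admin-tool use apart from attacker use of the same tools (including use through a compromised administrator account) and then working back from the alerts to the host where the activity started, can be illustrated with a small detection and timeline script. This is an added example and not Sophos's code or the code of any incident responder; the process-creation events are constructed for the example, and the tool watch-list, the accounts expected to run each tool, and the host and account names are all assumptions.

```python
import re

# Constructed process-creation events for the example:
# (timestamp, host the process ran on, account, image name, command line).
EVENTS = [
    ("2021-03-01T02:14:05", "WS-117", "CORP\\jdoe", "outlook.exe", "outlook.exe"),
    ("2021-03-01T02:15:40", "WS-117", "CORP\\jdoe", "nmap.exe", "nmap.exe -sS -p 445,3389 10.0.0.0/24"),
    ("2021-03-01T02:20:11", "WS-117", "CORP\\jdoe", "net.exe", 'net group "Domain Admins" /domain'),
    ("2021-03-02T23:02:30", "WS-117", "CORP\\svc_backup", "psexec.exe", "psexec.exe \\\\FS-01 -s cmd.exe"),
    ("2021-03-02T23:03:02", "FS-01", "CORP\\svc_backup", "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("2021-03-05T10:30:00", "DC-01", "CORP\\adm_ops", "psexec.exe", "psexec.exe \\\\WS-042 -c patch.bat"),
    ("2021-03-07T04:10:12", "FS-01", "CORP\\svc_backup", "wmic.exe", 'wmic /node:DC-01 process call create "enc.exe"'),
]

# Assumed baseline (hypothetical): legitimate admin tools and the accounts
# expected to run them. The same tool run by anyone else is worth a look;
# run by the expected account it is treated as normal administration.
TOOL_BASELINE = {
    "psexec.exe": {"CORP\\adm_ops"},
    "wmic.exe": {"CORP\\adm_ops"},
    "net.exe": {"CORP\\adm_ops"},
    "nmap.exe": set(),  # assumed: no sanctioned use on workstations
}

# Command-line fragments that are suspicious no matter which account runs them.
HARD_INDICATORS = ("vssadmin delete shadows",)

# Remote-target syntax of psexec (\\HOST) and wmic (/node:HOST).
REMOTE_TARGET = re.compile(r"(?:\\\\|/node:)([A-Za-z0-9-]+)")


def detect(events):
    """Return alerts as (timestamp, host, user, reason, remote target or None)."""
    alerts = []
    for ts, host, user, image, cmdline in events:
        img = image.lower()
        reason = None
        if img in TOOL_BASELINE and user not in TOOL_BASELINE[img]:
            reason = f"{img} run by unexpected account"
        elif any(ind in cmdline.lower() for ind in HARD_INDICATORS):
            reason = "shadow copy deletion"
        if reason is None:
            continue
        m = REMOTE_TARGET.search(cmdline)
        alerts.append((ts, host, user, reason, m.group(1) if m else None))
    return sorted(alerts)  # ISO timestamps sort chronologically as strings


def first_seen_per_host(alerts):
    """Earliest alert on each host: the skeleton of the intrusion timeline."""
    first = {}
    for ts, host, *_ in alerts:
        first.setdefault(host, ts)  # alerts are sorted, so the first one wins
    return first


def suspected_origin(alerts):
    """Host with the earliest suspicious activity: where to start rebuilding."""
    first = first_seen_per_host(alerts)
    return min(first, key=first.get) if first else None


def lateral_moves(alerts):
    """(source host, target host, time) hops made with remote-execution tools."""
    return [(host, target, ts) for ts, host, _user, _reason, target in alerts if target]


if __name__ == "__main__":
    alerts = detect(EVENTS)
    for alert in alerts:
        print(*alert)
    print("first seen:", first_seen_per_host(alerts))
    print("origin:", suspected_origin(alerts))
    print("hops:", lateral_moves(alerts))
```

On the constructed events the legitimate PsExec run by the expected admin account on DC-01 produces no alert, while the same tool run by the backup service account does, which is exactly the judgement call the text says security teams have to make. Working backwards from the alerts points at WS-117 as the first host with suspicious activity and shows the hops WS-117 to FS-01 and FS-01 to DC-01, so those three machines are the minimum set to rebuild, and the date of the first alert is several days before the shadow copies were deleted and the encryptor was launched.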
Defense requires both machine and human
Surveillance cameras can record crimes and may deter perpetrators, but they cannot stop the break-in. The decisive factor is the intervention of security staff who follow the recordings live and take appropriate action. As cyber criminals have become ever more stealthy and more skilled at using legitimate tools and processes, the value of the human factor in threat hunting has increased. This method combines the advanced algorithms of state-of-the-art security software with the day-to-day expertise of humans who can assess the nuances of an attack, a skill that software does not (yet) have.
More on this at Sophos.com