Some ransomware are strategically designed to cause as much damage as possible while producing large profits for cybercriminals. And the ransom demands for these Advanced Ransomware Threats (ARTs) far exceed those for a typical ransomware attack. ARTs hold your most valuable assets for ransom and ensure that copies of the data are not available for restoration. There are typically six phases of an ART attack, including:
This process begins with reconnaissance. The attacker reviews information on the company and may even make a list of employees mentioned on the company website. Next, they crawl the internet searching for their email addresses.
This might lead the cybercriminal to social media posts, blog comments and other information that could be used to trick employees into clicking on a malicious link or opening a dangerous attachment. Attackers retrieve job postings, press releases and company reports. They build a dossier on key employees and organizational processes from the information they gathered. This may also include information contractors, suppliers and other third parties that collaborate with the target company.
During the penetration phase, attackers launch spear phishing, social engineering or whaling attacks on individuals in the business. Using knowledge gleaned from the internet, the attacker creates emails that sound legitimate because they refer to people, businesses or services the target is familiar with. They also construct a malicious payload designed specifically to circumvent security controls. The attacker is just trying to establish a foothold at this point. High-value targets are best—CEOs or CFOs, for example—but ARTs can accomplish their objectives by exploiting lower-level employees as well.
Once inside the network, attackers hide evidence of their entry and search for additional ways to access company devices, as well as methods to re-infect machines with ransomware over time. They may even go so far as to protect certain devices from other attacks so that another hacker does not inadvertently call attention to their activities.
Attackers in the infiltration stage target higher-value accounts to gain access to additional sensitive information as well as to assets that can be used to disrupt backup and archival processes. Attackers perform an internal reconnaissance to identify additional accounts to exploit and technical controls to bypass. They may also review process documentation to understand backup or incident response procedures. Some cybercriminals steal data at this phase to be sold or used in additional attacks. Additionally, administrator credentials are frequently stolen.
In the spoliation phase, attackers alter backup routines so that backups appear to operate but do not protect the target data. Attackers may purge some data at this point. But they also take precautions to avoid calling attention to themselves. Data may be removed from container files, but the container files themselves are left in place. They introduce flaws into the software to make it harder to conduct a restore and they modify backup documentation so that restoration teams cannot locate the correct information.
In the ransom phase, attackers deploy ransomware to data stores where target business data resides. The ransom is timed for the date when it will have the most impact, such as just before a major announcement, during mergers and acquisitions, or surrounding audits. They may use any flavor of ransomware as long as it effectively makes the data unavailable and gives the attacker the only keys to decrypt it. Attackers wipe archive copies of the data and ensure that all target data is encrypted when data is distributed across many servers, devices or locations. They clean up any remaining evidence of their presence, potentially leaving some avenues for a return visit and then make their ransom demand. After that, the victim typically realizes their data is irretrievable and cannot be restored.
ARTs don’t make the news often because many companies prefer to keep ransomware attacks quiet. However, a recent ART resulted in NAYANA paying over $1 million in ransom. As mentioned, there is no single form of ransomware used in ARTs. Attackers may perform the encryption using custom programs or they may use a combination of ransomware variants to encrypt data on different types of devices such as Macs or Linux servers.
Finally, be aware that some attackers use ARTs as a diversion. The attackers may have already stolen the data they wanted, so they manually infect the systems with ransomware, counting on the company to wipe machines and restore from backup, thus erasing any remaining evidence of the cybercriminal’s presence.