The Threat Lifecycle of a Ransomware Attack

21st August 2020


Ransomware has been prolific over the past year. Small businesses, big businesses, and those in the public sector have had their data held to ransom by cybercriminals.

There are a couple of interesting facts about ransomware which help us understand the attack vector:

  • 100% of studied ransomware uses the encrypted Remote Desktop Protocol (RDP)
  • On average, ransomware has been present in your network for 150 days
  • Encryption often happens after hours on a Friday night when no one is there to notice

So, what does the lifecycle of a ransomware attack look like?

Ransomware lifecycle – the five-step process

  1. Gain access to the network.
  2. Establish a foothold by using RDP backdoors and SSH and DNS tunnels to move around in systems undetected.
  3. Deepen access by utilizing password cracking to source administrator rights. This provides greater control in the system and broadens access even further.
  4. Move laterally around the network to gain access to other services and parts of the network. Find the crown jewels!
  5. Look, learn, and remain on the network. Get an understanding of how the network works, its vulnerabilities, and where the sensitive data is that will be worth a ransom.

To pay or not to pay?

There has been constant debate over whether a ransomware demand should be paid. We agree with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA): generally, paying the ransom is not a good idea, particularly as it does not actually guarantee you get your data back. For example, with ‘wiper’ malware, files aren’t decrypted after the ransom is paid.

A much better strategy is defense in depth.

This means layers of defense with several mitigations at each level: detection in the SIEM, protection at the endpoint, extra protection for critical assets, and network security. By improving your ability to detect malware and stop it before it completes the full ransomware lifecycle, you are protecting the business with defense in depth. It will also make remediation much quicker and more effective.
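As an added example of the SIEM layer, tying together two of the facts above (RDP as the common access route and after-hours activity), the script below flags successful RDP logons that fall outside office hours. This is illustrative code written for this article, not the author's tooling; the log lines are constructed JSON records modelled on Windows Security event 4624 (logon type 10 = RemoteInteractive/RDP), and the 08:00-18:00 Monday-to-Friday window is an assumed business-hours policy.

```python
import json
from datetime import datetime

# Constructed sample events (not real telemetry), one JSON record per line.
# event_id 4624 = successful logon, 4625 = failed logon;
# logon_type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    '{"time":"2020-08-17T09:12:44","event_id":4624,"logon_type":10,"user":"alice","src":"10.0.5.21"}',
    '{"time":"2020-08-17T10:02:01","event_id":4624,"logon_type":2,"user":"bob","src":"-"}',
    '{"time":"2020-08-21T22:47:13","event_id":4624,"logon_type":10,"user":"svc_backup","src":"10.0.9.77"}',
    '{"time":"2020-08-21T23:05:00","event_id":4625,"logon_type":10,"user":"administrator","src":"10.0.9.77"}',
    '{"time":"2020-08-22T02:15:30","event_id":4624,"logon_type":10,"user":"administrator","src":"10.0.9.77"}',
]

# Assumed business-hours policy: weekdays, 08:00 to 18:00 local time.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18


def is_after_hours(ts: datetime) -> bool:
    """True on Saturday/Sunday, or on a weekday outside the business window."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START_HOUR <= ts.hour < BUSINESS_END_HOUR)


def find_after_hours_rdp(lines):
    """Return (user, src, time) for each successful RDP logon outside business hours."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        # Only successful logons over RDP are of interest here.
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        ts = datetime.fromisoformat(ev["time"])
        if is_after_hours(ts):
            hits.append((ev["user"], ev["src"], ev["time"]))
    return hits


def sources_by_count(hits):
    """Count flagged logons per source address; repeat offenders stand out."""
    counts = {}
    for _, src, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_after_hours_rdp(SAMPLE_EVENTS)
    for user, src, when in flagged:
        print(f"after-hours RDP logon: {user} from {src} at {when}")
    print("by source:", sources_by_count(flagged))
```

On the constructed data the Monday-morning logon passes, while the Friday-night and Saturday-early-morning RDP sessions from the same source are flagged, which is exactly the pattern a SIEM rule for this stage of the lifecycle should raise.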

And the most critical part of defense in depth when it comes to ransomware? Nothing beats backups. Having a recent offline backup of your most important files and data is critical if a ransomware attack takes hold, as it means you won’t feel backed into a corner to pay the ransom.