How Does Ransomware Spread?

Posted on

The question in the title of this article gets asked frequently. Those asking it often have two separate subjects in mind:

  • How does ransomware initially infect an organization, and
  • How does ransomware spread once it has infected an organization?

This article will cover both these questions, outline how Kemp Flowmon ADS can detect any spread during the second point in the list, and add a coda on removing ransomware.

We previously discussed ransomware in a blog post last month called What is Ransomware, and how do I stop it? In that blog we outlined why preventing ransomware attacks was important from a financial, reputational, and operational standpoint. As outlined in that post, the Sophos State of Ransomware Report 2021 shows that the average cost to deal with an attack in 2021 was $1.85 million. This was up from the 2020 average of $761,106. These costs cover all the activities required to recover from a ransomware attack, and are clearly something you want to avoid. 

Can ransomware infect a network?

Ransomware gangs want to infect as many computers as possible on the network. The first stage of this is gaining an initial foothold on the network in some way. Analysis of attacks after the fact shows that the vast majority of successful infections and ransomware deployments involve a human in the organization at some point. Stating this fact is not meant to disparage anyone who falls for the cybercriminal’s believable tactics. Cybersecurity defense strategies need to presume that cybercriminals will breach perimeter defenses at some point.

Gaining a foothold on a device requires the ransomware cybercriminals to get access and then be able to run the ransomware installer. There are several ways they can achieve this initial foothold.

They infect using phishing emails 

Phishing emails are a significant source of initial ransomware infections. The effort cybercriminals put into creating fake emails, websites, and other dummy digital assets to fool people ranges from the comically amateur through to others almost indistinguishable from the real thing. Phishing attacks also come via other modern communication channels in addition to email. Text messages and similar applications like WhatsApp, Apple Messages, and Snapchat are all used for social engineering to try to fool people into clicking malicious links or disclosing information that they shouldn’t. The links in phishing emails go to fake sites designed to trick people into running programs that install ransomware software. Ransomware types such as Cerber, Phobos, and Ryuk all use phishing techniques to trick people into clicking links that spread the malicious code.

They infect by finding zero-day vulnerabilities 

Zero-day vulnerabilities, or unpatched vulnerabilities, are another way that ransomware attackers achieve an initial infection. All software has bugs and vulnerabilities. The big and well-resourced cybercriminal gangs will pay a lot for newly discovered zero-day vulnerabilities that they can use to target organizations. These vulnerabilities allow attackers to install malicious software without tricking a human into making a mistake and are often included in phishing emails and email attachment attacks.

They infect by paying insiders to install the ransomware 

It’s unfortunate, but another vector for initial infection is bribery. In what are often called pay-for-install attacks, cybercriminals target an individual with significant bribes to install ransomware directly, usually via an infected USB drive. This bypasses much of the network border security that organizations have in place. Another manifestation of the pay-for-install model occurs when devices are compromised already. Ransomware gangs often pay other cybercriminals to deploy ransomware using their existing access.

How does ransomware spread across a network?

Does ransomware “work” immediately? With an initial foothold on a network, the ransomware software will perform several telltale activities in an attempt to spread. Advanced ransomware variants will do this in ways that aim to avoid detection. But the signs are there if suitable detection technologies are in place. 

The Kemp Flowmon Anomaly Detection System (ADS) is a machine learning-based system that monitors networks in real-time and detects the sort of anomalous network activity that ransomware generates. It uses 44 detectors for various attack activities and methods, combined with over 200 algorithms that use heuristics, machine learning, and other techniques to analyze the data collected by the 44 detectors. ADS can detect unusual network behavior, specific to each network, that serves as an indicator of compromise (IOC) in ransomware attacks.

The ransomware discovers other systems to access 

When attackers first gain a foothold, they will look for other systems that they can access. They use various methods, including Port Scanning, ARP Scanning, or Vertical TCP SYN scans. Kemp Flowmon ADS will detect and alert on all of these activities so that system admins will be aware that something is scanning the network. ADS will highlight intruders attempting discovery within hours. This is a critical detection metric as the average time between compromise and detection for cyberattacks is usually weeks or months.
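The discovery activity described above leaves a recognizable shape in flow data: one source sending SYN-only flows to many ports on one host (vertical scan) or to one port on many hosts (horizontal scan). The following is an added example, not code from the article or from Flowmon ADS; it covers TCP scans only, and the record layout, thresholds, and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

def detect_scans(flows, port_threshold=20, host_threshold=20):
    """Flag sources whose SYN-only flows fan out across ports or hosts.

    flows: iterable of (src, dst, dst_port, tcp_flags), where tcp_flags is
    the cumulative flag string of the flow ("S" = SYN sent, no handshake).
    Thresholds are illustrative assumptions, not vendor defaults.
    """
    ports_per_pair = defaultdict(set)   # (src, dst)  -> distinct ports probed
    hosts_per_port = defaultdict(set)   # (src, port) -> distinct hosts probed
    for src, dst, dport, flags in flows:
        if flags != "S":                # completed connections are not probes
            continue
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("vertical", src, f"host {dst}", len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(("horizontal", src, f"port {dport}", len(hosts)))
    return sorted(alerts)

# Constructed sample flows (not real traffic): one vertical scan, one
# horizontal scan, one normal HTTPS session, and one lone failed connection.
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.0.20", p, "S") for p in range(1, 101)]
    + [("10.0.0.7", f"10.0.0.{h}", 445, "S") for h in range(100, 130)]
    + [("10.0.0.9", "10.0.0.20", 443, "SAPF"),
       ("10.0.0.9", "10.0.0.21", 22, "S")]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```
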

They infect via Wi-Fi

The network spread of ransomware and other malware variants isn’t restricted to wired connections in offices. With so many endpoint devices in use now connecting via Wi-Fi, cybercriminals have adapted their malicious software accordingly. There are many types of ransomware that can spread over wireless connections — WannaCry, Petya and SamSam all include network propagation as a tactic. 

The move to home working over the last two years has meant that a lot of people are using home Wi-Fi systems that do not have the level of cybersecurity protections built into corporate Wi-Fi systems. This change to the way people work will not revert to the pre-pandemic model going forward. Rather, a hybrid model is emerging in which continued home working and working in public spaces like coffee shops will be much more common. Organizations will need to take steps to protect their systems from the dangers of public Wi-Fi systems, possibly by preventing devices from connecting to public Wi-Fi and home Wi-Fi and supplying secured 5G/4G access for their staff.

The ransomware moves laterally across endpoint devices and servers 

Any other devices or servers that ransomware discovers get targeted for infection. Ransomware will often use the Remote Desktop Protocol (RDP) to attack other nodes on the network. When attempting to connect to remote systems via RDP, ransomware often uses common password lists to try to guess the login credentials. This leads to multiple failed login attempts. ADS includes a monitoring service called RDPDICT that detects and alerts on unusual numbers of failed RDP login attempts. Phobos ransomware can use RDP and brute force attacks to spread (as well as the other methods outlined in this post).
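Password guessing over RDP, as described above, shows up on the network as a burst of short, small flows to TCP port 3389 from one source, because each rejected login ends the connection quickly. The sketch below is an added example and is not the RDPDICT algorithm; the flow record layout, the byte, duration, and count thresholds, and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

RDP_PORT = 3389

def detect_rdp_guessing(flows, window=60, min_attempts=10,
                        max_bytes=5000, max_duration=5.0):
    """Return {(src, dst): peak attempts per window} for likely RDP guessing.

    flows: iterable of (start_ts, src, dst, dst_port, total_bytes, duration_s).
    A flow counts as a probable failed login when it targets port 3389 and is
    both small and short; real sessions are long and carry far more data.
    All thresholds are illustrative assumptions to be tuned per network.
    """
    recent = defaultdict(deque)         # (src, dst) -> timestamps in window
    flagged = {}
    for ts, src, dst, dport, nbytes, dur in sorted(flows):
        if dport != RDP_PORT or nbytes > max_bytes or dur > max_duration:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= min_attempts:
            flagged[(src, dst)] = max(flagged.get((src, dst), 0), len(q))
    return flagged

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = (
    # 25 short connections, 2 s apart: dictionary-style guessing
    [(t * 2, "10.0.0.5", "10.0.0.30", 3389, 3000, 1.5) for t in range(25)]
    # an administrator's real session: long and large
    + [(10, "10.0.0.9", "10.0.0.30", 3389, 2_000_000, 1800.0)]
    # a user mistyping a password three times, minutes apart
    + [(t, "10.0.0.9", "10.0.0.31", 3389, 2800, 2.0) for t in (0, 300, 600)]
)

if __name__ == "__main__":
    for pair, peak in detect_rdp_guessing(SAMPLE_FLOWS).items():
        print(pair, "peak attempts in window:", peak)
```
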

Detecting IOCs that indicate lateral spread activity of ransomware as soon as possible and then taking action is crucial to minimizing the damage and the costs associated with cleaning up after an attack. ADS does much more than this to combat ransomware attacks. We have focused on what it can do to highlight lateral spread on the network. See the Detecting Knock-On Security Breaches Due to Solarwinds & Other Supply Chain Attacks blog for more details. 

How do you remove ransomware after detection? 

This is not an exhaustive guide on removing ransomware. If systems are infected and encryption is triggered, then there are basically three options available to ransomware victims:

1. Make the ransom payments and trust that a decryption key is forthcoming. This is the least favored option. Paying the ransomware gangs perpetuates the cycle and keeps them mounting their attacks. Some organizations may decide they have no choice but to pay the ransom, which is fair enough. But before this option proceeds, they should bear in mind that studies of organizations that pay the ransom show that 40% never receive a decryption key or tool to recover their files. Additionally, 73% of those who paid the ransom were victims of additional attacks — probably using information gained by the attackers in the primary attack or via back door trojans left to give them later access.

2. Delete the encrypted files and restore them from a recent backup. Depending on how the ransomware behaves, this may be an option. If it has selectively encrypted files, it may be possible to delete those files and replace them from a backup. The ransomware will also need removing to prevent further encryption. In reality, this selective cleaning will rarely be practical.

3. Thoroughly wipe the infected systems and build them from scratch. This is the only surefire way to get systems back to a clean state. Delete everything, install the operating system and applications from scratch, and restore the encrypted data from clean backups. The wiping of the system needs to be done in conjunction with security software that can find malware types that try to hide Trojan horse code that attackers can use to regain access later.

Recovering from a ransomware attack is an arduous and expensive undertaking. The Sophos State of Ransomware Report 2021 shows that the average price to deal with an attack is $1.85 million. It’s much better to detect an attack as it attempts lateral movement on the network and then stop it in its tracks. The Kemp Flowmon Anomaly Detection System will do this.

How do you detect ransomware quickly?

Ransomware is a blight in the current business landscape. The problem is widespread and acute. Preventing it is the best defense, and we outline steps all organizations should take in the previously mentioned blog post What Is Ransomware, and How Do I Stop It?

Deploying ADS to detect and respond to ransomware attacks quickly will help keep your organization safe.

Filip Černý

Filip Černý is a Product Marketing & Strategic Alliances Specialist at Progress Flowmon