Ransomware attacks explained: 5 stages of attack

Ransomware attacks explained: 5 stages of attack is profiled by BTW Media because public-source evidence links it to internet infrastructure, governance, operational dependencies, or market visibility.

• Malware known as “ransomware” encrypts a victim’s data and then demands a “ransom,” or payment, from the victim to unlock the files and network.
• A ransomware attack is a form of malware attack in which an attacker seises the user’s data, folders, or entire device until a “ransom” fee is paid.
• A ransomware attack typically proceeds through 5 stages.

Ransomware is a type of malware that encrypts a victim’s data where the attacker demands a “ransom”, or payment, to restore access to files and network. Typically, the victim receives a decryption key once payment is made to restore access to their files. If the ransom payment is not made, the threat actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.

Ransomware has become one of the most prominent types of malware targeting a wide variety of sectors including government, education, financial, and healthcare sectors, with millions of dollars extorted worldwide every year.

What is ransomware attack?

A ransomware attack is a type of malware attack where the attacker encrypts and holds onto the user’s files, folders, or entire device until they receive a ransom payment. A ransomware attack uses phishing attacks or malicious websites to infect a computer or network to take advantage of open security vulnerabilities. A ransomware attack compromises a user’s computer by encrypting the files on it or locking the user out, and then requesting payment (often in Bitcoin) to unlock the files or restore the system.

This type of attack uses software vulnerabilities to infect and take control of the victim’s device, taking advantage of system networks and users. A computer, smartphone, wearable technology, point-of-sale (POS) electronic equipment, or any other endpoint terminal could be the victim’s device.

An individual, an organisation, or a network of organisations and business processes may be the target of a ransomware attack. A network of computers can be infected with malware by the attacker through a variety of methods, including links or attachments from phishing emails and compromised websites. Drive-by downloads, compromised USB sticks, pop-up windows, social media, malicious advertising, compromised software, traffic distribution systems (TDS), self-propagation, and other methods are used to accomplish this.

Also read: What is open banking? A short guide

Stages of ransomware attack

A ransomware attack typically proceeds through these stages.

Stage 1: Initial access

The most common access vectors for ransomware attacks continue to be phishing and vulnerability exploitation.

Stage 2: Post-exploitation

Depending on the initial access vector, this second stage may involve an intermediary remote access tool (RAT) or malware before establishing interactive access.

Stage 3: Understand and expand

During this third stage of the attack, attackers focus on understanding the local system and domain that they currently have access to. The attackers also work on gaining access to other systems and domains (called lateral movement).

Also read: How many Regional Internet Registries (RIRs) are there?

Stage 4: Data collection and exfiltration

Here the ransomware operators switch focus to identifying valuable data and exfiltrating (stealing) it, usually by downloading or exporting a copy for themselves. While attackers might exfiltrate any of the data they can access, they usually focus on especially valuable data—login credentials, customers’ personal information, intellectual property—that they can use for double extortion.

Stage 5: Deployment and sending the note

Crypto ransomware begins identifying and encrypting files. Some crypto ransomware also disables system restore features or deletes or encrypts backups on the victim’s computer or network to increase the pressure to pay for the decryption key. Non-encrypting ransomware locks the device screen, floods the device with pop-ups or otherwise prevents the victim from using the device.

Once files have been encrypted or the device has been disabled, the ransomware alerts the victim of the infection. This notification often comes through a .txt file deposited on the computer’s desktop or through a pop-up. The ransom note contains instructions on how to pay the ransom, usually in cryptocurrency or a similarly untraceable method. Payment is in exchange for a decryption key or restoration of standard operations.

A ransomware attack is a dangerous malware attack that locks a user’s computer by encrypting the data using various encryption techniques and demands a ransom fee to restore the encrypted files or the computer.