Ransomware: attack and defences

The attacker, often part of a larger criminal group, launches the attack remotely. The goal is to encrypt and steal the data of organisations and individuals. If the attack succeeds, the attacker demands a ransom (usually in cryptocurrency): either the target pays to recover its data, or it pays to keep that data from being made public.

Attack

Droppers

A dropper is a kind of Trojan designed to install malware on a target system. The malicious payload can be embedded in the dropper itself (single-stage), usually packed or obfuscated to evade virus scanners, or the dropper can download the payload from the attacker's server once it is activated (two-stage), so that the payload never has to pass the initial scan. To fool people, attackers hide and ship droppers in legitimate-looking download wrappers, email attachments, links to malicious sites, and the like.

First protection barrier

At this stage, user education, inbound email inspection, URL filtering, and proper endpoint protection constitute the most effective barrier to an attack. A dropper that lands on an endpoint where the user holds no standing local administrator rights has far less it can install or disable, which is why removing local admin and granting elevation per task matters here. We designed our privileged endpoint manager - Osirium PEM - around zero trust principles to give IT leaders a tool that enforces policy and manages privilege escalation seamlessly.
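The disguises described under Droppers (a double extension, an executable renamed to look like an image, an archive carrying a screensaver, an Office file with a macro project) are the cases inbound email inspection has to catch. The following is an added example of such a check, written for this page; it is not code from Osirium PEM or from the original article. The extension block lists, magic bytes, size limit and sample attachments are constructed assumptions for illustration, not a complete gateway rule set.

```python
"""Screening inbound email attachments for disguised droppers.

Added example; it is not code from the original page or from Osirium PEM.
The block lists, magic bytes and sample files below are constructed
assumptions for illustration, not a complete product rule set.
"""
import io
import zipfile

# Extensions that run code directly or through a host application
# (assumed default block list; a real gateway would carry a longer one).
EXEC_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js",
    "jse", "wsf", "hta", "msi", "lnk", "iso", "img",
}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to expand oversized archive members

# What the content actually is, regardless of the file name.
MAGIC = {
    b"MZ": "pe",            # Windows executable (exe/dll/scr)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # plain zip, and also OOXML (docx/xlsx) and jar
}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' if no magic matches."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def extensions(name: str) -> list[str]:
    """Lower-cased suffixes after the base name: 'Invoice.PDF.exe' -> ['pdf', 'exe']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return parts[1:]


def screen_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons: list[str] = []
    exts = extensions(name)
    last = exts[-1] if exts else ""

    if last in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{last}")
        if len(exts) >= 2:
            reasons.append(f"double extension hides the executable behind .{exts[-2]}")
    if last in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled document .{last}")
    if name.lower().endswith("vbaproject.bin"):
        reasons.append("embedded VBA project")

    kind = sniff(data)
    if kind == "pe" and last not in EXEC_EXTENSIONS:
        reasons.append(f"content is a Windows executable but the name claims .{last or '(none)'}")

    if kind == "zip":
        if depth >= 2:
            return reasons + ["archive nested too deeply"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # encrypted member: cannot be read without a password
                        reasons.append(f"{info.filename}: encrypted archive member, cannot inspect")
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        reasons.append(f"{info.filename}: oversized member")
                        continue
                    for r in screen_attachment(info.filename, zf.read(info), depth + 1):
                        reasons.append(f"{info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or truncated archive")
    return reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: a benign PDF, three classic dropper disguises, and an
# OOXML document that carries a VBA project despite its .docx name.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%...\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "delivery.zip": make_zip({"tracking/setup.scr": b"MZ\x90\x00"}),
    "contract.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>",
                               "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        verdict = screen_attachment(filename, content)
        print(f"{filename}: {'ALLOW' if not verdict else 'BLOCK: ' + '; '.join(verdict)}")
```

Two caveats worth keeping in mind: an encrypted archive cannot be inspected at all, so the check reports it rather than silently passing it, and a two-stage dropper may arrive as a script or document that looks clean here and only fetches its payload later, which is why this gateway check is the first barrier and not the only one.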

Ransomware

First user

The most common entry point for attacks is the people in the business. Even with good training, an attack can be sophisticated enough to fool anyone, and some do not require any user action at all. Once the ransomware infects a workstation, it can lie dormant for weeks or months, waiting for more valuable content to appear before the encryption begins.

Credential and data exfiltration

Once the workstation is infected, the malware harvests the user's credentials, which can later serve as a gateway to further attacks. It also exfiltrates the first user's data: valuable material, such as confidential or copyrighted information, is taken so that the attacker can threaten to make it public.
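Bulk exfiltration of a user's files is one of the few points in this chain that leaves a visible trace in outbound traffic, so it is worth showing what a detection for it looks like. The block below is an added example written for this page, not code from the original article or from Osirium. The log format, host names, domains, byte counts and thresholds are constructed assumptions for illustration.

```python
"""Spotting bulk outbound transfers in proxy logs.

Added example; not part of the original page or of Osirium's products.
The log format, hosts, domains, byte counts and thresholds are constructed
assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed sample lines: "<day> <source host> <destination domain> <bytes sent>".
# ws-042 behaves normally for three days, then pushes ~820 MB to a domain
# it has never contacted before; ws-017 is steady throughout.
SAMPLE_LOG = """\
1 ws-042 mail.example-corp.com 1200000
1 ws-042 cdn.example-vendor.net 3400000
1 ws-017 mail.example-corp.com 900000
2 ws-042 mail.example-corp.com 1500000
2 ws-017 mail.example-corp.com 1100000
3 ws-042 mail.example-corp.com 1300000
3 ws-017 mail.example-corp.com 950000
4 ws-042 mail.example-corp.com 1400000
4 ws-042 files.unknown-host.example 820000000
4 ws-017 mail.example-corp.com 1000000
"""


def parse(log: str):
    """Yield (day, host, domain, bytes) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, host, domain, sent = parts
        try:
            yield int(day), host, domain, int(sent)
        except ValueError:
            continue


def daily_totals(records):
    """Return {host: {day: bytes}} and {host: {domain: first day seen}}."""
    totals = defaultdict(lambda: defaultdict(int))
    first_seen = defaultdict(dict)
    for day, host, domain, sent in records:
        totals[host][day] += sent
        first_seen[host].setdefault(domain, day)
    return totals, first_seen


def find_exfil_candidates(log: str, ratio: float = 10.0, floor: int = 100_000_000) -> dict:
    """Flag hosts whose latest day of outbound traffic exceeds both `ratio`
    times the median of their earlier days and the absolute `floor`.

    Returns {host: (day, bytes, baseline, domains first contacted that day)}.
    Hosts with a single day of history are skipped: there is no baseline.
    """
    totals, first_seen = daily_totals(parse(log))
    hits = {}
    for host, per_day in totals.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue
        last = days[-1]
        baseline = median(per_day[d] for d in days[:-1])
        volume = per_day[last]
        if volume >= floor and volume >= ratio * baseline:
            new_domains = sorted(d for d, seen in first_seen[host].items() if seen == last)
            hits[host] = (last, volume, baseline, new_domains)
    return hits


if __name__ == "__main__":
    for host, (day, volume, baseline, new_domains) in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{host}: day {day} sent {volume:,} bytes (baseline {baseline:,}); "
              f"new destinations: {', '.join(new_domains) or 'none'}")
```

The absolute floor keeps a quiet host that doubles from a few kilobytes from generating noise, and the ratio keeps a busy build server from tripping on its normal volume. An attacker who throttles the transfer to stay under the ratio will evade this check, which is why the list of never-before-seen destinations is reported alongside the volume rather than left out.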

Second protection barrier

Critical jump

Shared drives

Privileged users

More valuable data and credentials