The 3 key stages of ransomware attacks and useful indicators of compromise

For SOC teams to be able to defend their organization against ransomware attacks, they need to have the right security toolset, but also an understanding of the three primary ransomware attack stages. In this article, we will dive into those key stages, look at how they unfold and what signs indicate an attack, and review what can be done to mitigate any damage.

When it comes to ransomware attacks, most of the time there isn’t a “smoking gun” to clue defenders into what’s happened. Instead, there are often many different indicators of compromise (IoCs) at different stages of the attack that seem benign when looked at individually. As a result, it is important to identify as many IoCs as early as possible and then determine if they are associated. This allows analysts to piece together the initial stages of a ransomware attack early enough in the attack chain.

This is critical to prevent an attack, as SOC teams must act before a ransomware attack has progressed too far and well before data exfiltration and encryption. Unfortunately, it takes a lot of manual threat hunting and investigation effort for SOC teams to identify the early stages of a ransomware attack, let alone determine if the indicators they are seeing are related. This delays the ability of the team to get a chance to stop the attack before it matures and the ransomware is “detonated”.

What are those crucial stages and how can you and your SOC team detect ransomware in each? Let’s dive in.

Stage 1 – Establish a foothold

The first stage in a ransomware attack is establishing a foothold. The attack enters this stage after the attackers have gained initial access to the network. Initial intrusion can be achieved in many different ways, but often starts with email phishing. Hackers can also obtain data from public Wi-Fi centers like hotels or employee hotspots. This ultimately leads to them installing the initial ransomware components on corporate devices, with the expectation that an employee will reconnect to the main corporate network where the attack can progress and establish a foothold.

Next, the ransomware will establish a connection back to a command and control (C2) server, and then determine how to penetrate further into the network and move laterally to find where critical or sensitive data is held. For example, a hacker could use a remote access trojan to gain access to a host. The hacker will then explore the network, identify host services, and try to map those connections back to a centralized application like a database. Even better if the attacker can circumvent current access rules or steal credentials to move around the network more effectively.

How can you both detect and stop ransomware from progressing at this early stage? It requires identifying strange or out-of-the-ordinary user and entity behavior across the network, such as accessing files outside their scope of work, installing external non-company approved software on the network, looking at DNS queries, and more.

Many of these activities could indicate normal IT administrator activity, so the key is being able to identify deviations from how a user normally behaves. To do that, SOC teams need to deploy security solutions that pair user behavioral analytics and machine learning (for example a next-gen SIEM solution). If the SOC cannot see this activity, they cannot stop ransomware at this early stage.

Stage 2 – Escalate privileges and move laterally

The privilege escalation and lateral movement stage involves getting further access to other systems on a network. After gaining access to an organization’s network, hackers will map out all the places where they can install ransomware. This process involves hackers scouting the network for sensitive information, files, applications, or anything that might result in damage to the company so that they can exploit it for a large payout. Gaining access to a bigger database that potentially has more sensitive information will result in a more severe ransomware attack and for the hacker, a bigger payout.

Once hackers gain access to a database with a lot of sensitive information or have control over the network, attackers will begin deploying software like PuTTY across different areas, further establishing their foothold and creating backups for their ransomware in case they are detected.

The most recent example of this type of incident was in Las Vegas, where hacker group Scattered Spider staged a ransomware attack on MGM properties. The hackers impersonated an MGM employee they found on LinkedIn and got access to the inner systems and networks of MGM by calling the company’s IT help desk and pretending to be that employee. After gaining access to the network through forged credentials, the hackers then detonated ransomware and shut down slot machines, locked guests out of rooms and inflicted other damage to the company’s networks and applications.

How can you detect if privilege escalation and lateral movement is occurring? A tell-tale sign that this is happening is the installation of new, unauthorized applications across your network. If applications such as PuTTY are downloaded, this could be a major red flag. The application could be in the process of transferring dangerous files to the network. Other indicators of compromise include:

• Accessing website infrastructure
• Looking for specific DNS addresses
• Connecting to external cloud services like Dropbox

Again, these signs can be difficult to distinguish because these actions may look like they are being made by someone who has authorized access to sensitive data, but is actually a hacker imitating them on the network.

Stage 3 – Install ransomware

Once hackers find key data, they will begin to download the actual ransomware payload. They may exfiltrate data, set up an encryption key, and then encrypt the vital data. IoCs at this stage include communication with a C2 server, data movement (if the attacker is exfiltrating important data before they encrypt it) and unusual activity around encrypted traffic.

Detecting at this stage involves more advanced security products working in unison. Model chaining different types of analytics together is an efficient way to catch minor indicators of compromise when it comes to ransomware because they gather context on the network in real-time, allowing SOC teams to identify anomalous behavior when it occurs.

If a security alert is triggered, these other analytics can provide more context to help piece together if and how a larger attack is occurring. But many successful ransomware attacks will not trip antivirus at all, so assembling an accurate picture of user behaviors and compiling the numerous indicators into a coherent timeline is vital.

While detecting ransomware attacks may be difficult for organizations, being able to identify all the subtle IoCs of a ransomware attack will help your organization understand in which stage the attack is and what you can do to stop it from progressing. While these IoCs may be minor, the ability to connect all of these together is critical. By using machine learning technology along with behavior analytics and model chaining, your organization will be equipped with the tools it needs to detect and mitigate damage done by ransomware attacks.