Ransomware is the fastest-growing category of cybercrime. It’s estimated that over 4,000 ransomware attacks occur daily. Given the sheer volume of these attacks and the deep attack surface connections between organizations and their vendors, there’s a high likelihood that some of your employee credentials have already been compromised in a ransomware attack. Leaked credentials mean the keys to your corporate network could currently be published on a ransomware gang’s data leak site.
Without a strategy for mitigating ransomware attack success and a process for rapidly detecting compromised employee credentials, your sensitive data is at critical risk of compromise. To learn how to secure your corporate network from ransomware attacks and how to rapidly detect compromised employee credentials before they’re used to breach your network, read on.
The Lifecycle of a Ransomware Attack
An effective ransomware attack prevention strategy deploys security controls across each of the progression milestones of a typical ransomware attack.
At a high level, a ransomware attack lifecycle comprises eight phases:
Phase 1 - Phishing Attack
An email posing as a legitimate message from an authoritative sender is sent to a victim. These emails include malicious links leading to fraudulent websites designed to steal internal credentials. Phishing emails are the most popular initial attack vectors facilitating data breaches.
Phase 2 - Victim Interaction
The victim performs a critical interaction with the malicious email, i.e., clicks a link or downloads an attachment.
Learn more about Phishing scams >
Phase 3 - Account Compromise
The victim compromises their corporate credentials either by submitting them on a malicious website, directly sharing them, or by falling victim to a social engineering attack.
An example of a social engineering attack is a hacker posing as a member of the IT department, requesting confirmation of a two-factor authentication message. The cybercriminals responsible for the Uber data breach in September 2022 used a similar tactic to overcome the company’s 2FA security control.
Malware (malicious software) is often injected into a network at this point, initializing the installation of ransomware in a targeted system. More sophisticated hackers will progress to subsequent phases of the attack lifecycle.
Phase 4 - Lateral Movement
After settling in a sensitive network region, cybercriminals move laterally, looking for sensitive data to exfiltrate. Examples of the types of sensitive information that attract ransomware groups include:
- Personal data;
- Customer data;
- Social security numbers;
- Corporate email account details;
- Personal email account details, such as Gmail accounts;
- Any digital footprint details that could be used in an identity theft campaign (to potentially arm further, more targeted phishing attacks);
- Vulnerability disclosures and reports - an internal register of all computer system vulnerabilities that security teams have yet to remediate.
Phase 5 - Privilege Escalation
Cyberattackers discover and compromise privileged corporate credentials to gain unauthorized access to sensitive network regions.
Learn more about privilege escalation >
Phase 6 - Data Exfiltration
When highly valuable data resources have been located, cybercriminals deploy trojan malware to establish backdoor connections to their servers (known as command and control servers). They then begin clandestinely transferring sensitive data from the victim's network through these backdoor connections.
This step supports the extortion tactics the ransomware criminals use to coerce victims to pay their demanded ransom in Phase 7. The exfiltration phase of this ransomware lifecycle also classifies most ransomware attacks as data breaches.
Learn about the differences between ransomware attacks and data breaches >
Cybercriminals are very careful to mask their data theft activities behind legitimate computer processes to avoid triggering antivirus software and other cybersecurity controls.
Phase 7 - Data Encryption
Ransomware criminals encrypt the victim’s operating systems and computer systems with the objective of inflicting maximum business disruption. A ransom demand is left on the victim’s computer (usually in a TXT file) outlining a ransom price to be paid in bitcoin. Cryptocurrency is the preferred style of payment by cybercrime groups because its movements are difficult for law enforcement and government agencies to track.
To incentivize prompt payment, cybercriminals either delete increasing amounts of critical data or threaten to post increasing amounts of the victim’s stolen data on the dark web until the full ransom is paid.
To reduce the potential of discovery, cybercriminals could threaten to publish all stolen data if they detect any involvement by the FBI or cybersecurity firms.
Here’s an example of a real ransomware message.
See more ransomware demand examples >
Phase 8 - Data Dump
The final phase of the ransomware attack is the data dump. This is where cybercriminals publicize the entirety of a compromised database in a cybercriminal marketplace or forum.
Some ransomware cybercriminals permanently delete seized data to save themselves the effort of publishing it in a criminal marketplace and monitoring purchase requests. However, to maximize punishment against victims that don’t pay their ransom, cybercriminals usually publish it freely in cybercriminal forums or Telegram groups. The permanency and limitless availability of data hosted in such forums makes this outcome substantially worse than selling to a single cybercriminal group.
How to Reduce the Impact of Ransomware Attacks
Suggested security controls for each phase of the ransomware attack lifecycle are listed below.
Phase 1 Security Controls - Phishing Attacks
List of controls:
- Security Awareness Training
Ransomware is considerably harder to defeat after it enters your private network. If you can prevent infection, you ultimately rob ransomware criminals of their power. Staff are the usual facilitators of ransomware injections, not because of malicious motives but because they’re usually unaware of how to recognize or respond to such threats.
Security Awareness Training teaches staff how to avoid falling victim to phishing attacks - the most common initial attack vector for ransomware attacks.
Investing in Security Awareness Training is one of the best cybersecurity investments you can make - cybercriminals can inflict very little damage when locked outside a network.
Here’s a list of free cyber resources to support the efforts of Security Awareness Training:
Effective Security Awareness Training programs are coupled with simulated Phishing attacks to test the readiness of staff against real ransomware threats.
Phase 2 Security Controls - Victim Interactions
List of controls:
- Web proxy
- DNS Logs
- Endpoint Security
The most important user action to monitor for is whether a malicious link or email attachment was interacted with. This activity should be detected as quickly as possible to thwart the attack before it progresses to subsequent stages. Well-trained staff will instantly alert the IT security team when they notice an interaction with a malicious email. This will initiate a DNS log audit to identify the specific IP address and device that facilitated a ransomware infection.
This process can be automated with a web proxy system configured to filter or block potentially malicious connection requests. Some advanced VPNs include a built-in malware blocker that can block access to websites potentially hosting malware and ransomware.
Learn more about Proxy Servers >
Learn the difference between Proxy Servers and VPNs >
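The DNS log audit described above, as an added example that is not part of the original post: it parses constructed, simplified BIND-style query log lines and attributes lookups of the phishing domain reported by staff (a constructed indicator) to the internal IP addresses that made them, which is the starting point for identifying the affected device.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified BIND-style query log lines (not real traffic).
DNS_LOG = """\
10-Mar-2023 09:14:02.113 client 10.20.4.17#53211: query: intranet.corp.example IN A + (10.20.0.2)
10-Mar-2023 09:14:05.887 client 10.20.4.17#53212: query: login.verify-account.xyz IN A + (10.20.0.2)
10-Mar-2023 09:14:06.001 client 10.20.4.17#53213: query: cdn.verify-account.xyz IN A + (10.20.0.2)
10-Mar-2023 09:16:41.450 client 10.20.7.88#41002: query: mail.corp.example IN MX + (10.20.0.2)
10-Mar-2023 09:17:03.020 client 10.20.7.88#41003: query: verify-account.xyz IN A + (10.20.0.2)
"""

# Domain from the reported phishing email (constructed indicator, not a real site).
PHISHING_DOMAINS = {"verify-account.xyz"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_dns_log(text):
    """Yield (timestamp, client IP, normalized query name) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            qname = m.group("qname").lower().rstrip(".")
            yield m.group("ts"), ipaddress.ip_address(m.group("ip")), qname


def matches_indicator(qname, indicators):
    """True if qname is one of the indicator domains or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in indicators)


def audit_dns_log(text, indicators):
    """Map each client IP that resolved an indicator domain to its (timestamp, qname) hits."""
    hits = defaultdict(list)
    for ts, ip, qname in parse_dns_log(text):
        if matches_indicator(qname, indicators):
            hits[str(ip)].append((ts, qname))
    return dict(hits)


def first_contact(text, indicators):
    """Earliest indicator lookup per client IP: the device to isolate first."""
    return {ip: rows[0][0] for ip, rows in audit_dns_log(text, indicators).items()}
```

The client IPs returned are then matched against DHCP leases or asset inventory to name the device.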
Phase 3 Security Controls - Account Compromise
List of controls:
- Multi-Factor Authentication
Multi-Factor Authentication (MFA) introduces a series of additional user-identity confirmation steps between a login request and access approval.
The most secure form of multi-factor authentication includes a biometric authentication method. Biometric data, such as fingerprints or advanced forms of facial recognition, is very difficult for cybercriminals to steal or replicate.
Learn more about Multi-Factor Authentication (MFA) >
Phase 4 Security Controls - Lateral Movement
List of controls:
- SIEM
- Zero Trust
- Data Loss Prevention
To impede lateral movement, sensitive network regions should be closed off or segmented from general user access. For maximum effect, all user accounts with access to these closed regions should be guarded with Multi-Factor Authentication, and connection requests to these network regions should only be approved from within jump boxes (hardened machines in an isolated network hosting privileged credentials).
Phase 5 Security Controls - Privilege Escalation
List of controls:
- Privileged Access Management
- Zero-Trust Architecture
- Password Manager
- Multi-Factor Authentication
Several security controls work together to mitigate privilege escalation attempts. The bedrock of this phase of cyber security is Zero Trust. A Zero-Trust architecture assumes all internal traffic is malicious, so users are continuously required to authenticate their identity, especially when requesting access to sensitive resources.
A Zero-Trust architecture includes other account compromise controls, such as Multi-Factor Authentication and privileged access management policies.
Learn how to deploy a Zero-Trust architecture >
To maximize the effectiveness of a Zero-Trust architecture, it’s important to have a strong password policy that prevents password recycling. If an administrator password is shared across multiple network segments or devices, any security controls guarding sensitive information could be circumvented from a single compromised account. Though the risk of such an occurrence is reduced with Multi-Factor authentication, the risk to customer data safety isn’t completely removed - an oversight that could result in a costly regulatory compliance violation.
Password recycling can be prevented with a password manager. Password managers store employee passwords in encrypted vaults and enforce the creation of strong, unique passwords for new accounts.
Learn more about network segmentation >
Phase 6 Security Controls - Data Exfiltration
List of controls:
- Network Segmentation
- Privileged Access Management
There are two components to a data exfiltration prevention strategy - detection and prevention.
Detecting data exfiltration activity isn’t easy because it’s strategically orchestrated to hide behind noisier traffic activity. Detection methods include:
- Using a SIEM to monitor network traffic in real time.
- Monitoring for foreign IP address connections.
- Monitoring for unusual outbound traffic patterns.
Data exfiltration prevention methods include:
- Securing protocols commonly used for data exfiltration, such as DNS, HTTP, and FTP.
- Patching software vulnerabilities commonly used as attack vectors in data exfiltration campaigns.
Learn how to detect and prevent data exfiltration >
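The three detection methods listed above (SIEM-style traffic review, foreign IP connections, unusual outbound volume), as an added example that is not part of the original post: it runs over constructed flow records and raises an alert for outbound traffic to external hosts outside a constructed allowlist, for unusually large transfers to any external host, and for DNS volumes far above what name resolution needs. The thresholds and network ranges are assumptions to be tuned per environment.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src IP, dst IP, dst port, bytes out). Not real traffic.
FLOWS = [
    ("10.20.4.17", "10.20.0.2", 53, 1_200),
    ("10.20.4.17", "203.0.113.10", 443, 8_000_000),   # large push to an unknown host
    ("10.20.4.17", "203.0.113.10", 443, 12_000_000),
    ("10.20.7.88", "198.51.100.25", 443, 450_000),    # normal use of an allowlisted SaaS
    ("10.20.7.88", "10.20.0.2", 53, 900),
    ("10.20.9.3", "10.20.0.2", 53, 15_000_000),       # DNS far too large: possible tunnelling
    ("10.20.9.3", "198.51.100.25", 443, 300_000),
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumed corporate range
ALLOWLISTED_EXTERNAL = {ipaddress.ip_address("198.51.100.25")}  # constructed business host
BYTES_THRESHOLD = 5_000_000      # bytes out per (src, dst, port); tune per environment
DNS_BYTES_THRESHOLD = 1_000_000  # name resolution should be tiny; large volume is suspicious


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows):
    """Aggregate bytes per (src, dst, port) and return a sorted list of alert tuples."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)] += nbytes

    alerts = []
    for (src, dst, port), nbytes in totals.items():
        external = not is_internal(dst)
        # Foreign destination: external and not a known business endpoint.
        if external and ipaddress.ip_address(dst) not in ALLOWLISTED_EXTERNAL:
            alerts.append(("foreign_destination", src, dst, nbytes))
        # Unusual outbound pattern: very large transfer leaving the network.
        if external and nbytes > BYTES_THRESHOLD:
            alerts.append(("high_outbound_volume", src, dst, nbytes))
        # DNS carrying far more data than lookups require, even to the internal resolver.
        if port == 53 and nbytes > DNS_BYTES_THRESHOLD:
            alerts.append(("dns_volume_anomaly", src, dst, nbytes))
    return sorted(alerts)
```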
Phase 7 Security Controls - Data Encryption
List of controls:
- Data backups
Ransomware attackers aim to inflict as much chaos on a business as possible. A business under maximum pressure is forced to make decisions quickly, and when the pressure is applied in the right areas, these decisions will favor the cybercriminal. Because ransomware criminals know that businesses are contractually bound to strict SLAs, they aim to force as many business systems offline as possible.
To minimize costly business disruption in the event of a ransomware attack, processes for rapidly switching operations to backup systems should be in place. These backup environments should be accessible with a unique set of credentials that are different from those for your usual IT environment.
The details of such a strategy, alongside instructions about its activation process, should be clearly outlined in an Incident Response Plan.
Learn how to design an Incident Response Plan >
Regularly rehearse system backup and data restoration processes to minimize the time required to complete them.
Phase 8 Security Controls - Data Dump
List of controls:
- Ransomware blog data leak detection
Though occurring at a point when sensitive data is irrevocably compromised, the establishment of security controls in phase 8 of the attack lifecycle is as crucial as it is for phase 1.
When employee credentials are publicized, cybercriminals can use them to circumvent phases 1 and 2 of the ransomware attack lifecycle, allowing them to commence their attack at phase 3 instead.
The resulting compression of the ransomware attack lifecycle means that the cyberattack is completed faster and that any resulting data breach damage costs are higher.
According to the 2022 Cost of a Data Breach report by IBM and the Ponemon Institute, victims that respond to data breaches in less than 200 days spend an average of $1.1 million less on data breach damages. Security teams need mechanisms for rapidly identifying compromised employee credentials so their accounts can be locked out before they are maliciously accessed.
To meet the critical requirement for speed, an ideal solution should be automated and not dependent upon manual dark web reconnaissance efforts.
An example of such an ideal solution is the Identity Breaches feature on the UpGuard platform. Ransomware criminals typically publicize compromised credentials in two ways:
- Through public announcements in ransomware blogs.
- Through data collection releases.
UpGuard’s ransomware leak search engine continuously monitors these data dump regions and notifies impacted organizations when a potential exposure is detected.
However, not all ransomware success announcements are legitimate. Cybercriminals often falsify such announcements in ransomware blogs to mislead and divert security investigations. Due to the high likelihood of this happening, the results of Identity Breach detection solutions should always be manually reviewed for false positives - either by internal IT security teams or externally if leveraging the support of managed data leak detection services.
Without an Identity Breach tool, employee credentials leaks can be discovered with manual efforts by referencing breach notification databases, hacker forums, and hacker marketplaces.
Some popular options are listed below.
- Have I been Pwned - A search engine for checking whether credentials have been compromised in historical breaches.
- Breached.io - A hacker marketplace for buying and selling stolen data. Data from the
- Dark Leak Market - A hacker marketplace selling data stolen in ransomware attacks. The items in this marketplace have been sourced from multiple ransomware data leak sites.
- Marketo Marketplace - A relatively new cybercriminal marketplace launched in August 2021.
- Industrial Spy - A malicious marketplace selling stolen trade secrets and employee credentials.
If you have security controls in place for safely accessing the dark web, this hidden internet region hosts databases exposing popular ransomware groups and their corresponding data leak websites. Here is one such example.
Warning: The Dark Web is very dangerous. It should only be accessed by Cybersecurity professionals with hardened machines designed to withstand the cyberattacks commonly occurring in this cybercriminal domain.
Ransomware gangs are increasingly using Telegram groups to publicize their data breach leaks. The expansion of the data leak ecosystem into messaging services like Telegram highlights the increasing difficulty of data leak detection. With the data leak landscape expanding so rapidly, timely detection of emerging data leaks is almost impossible if solely relying on manual efforts. Detecting data leaks with the degree of rapidity necessary to avoid further breaches is only possible with the support of an automated data leak detection engine.
Watch the video below for an overview of UpGuard's data leak management feature.