The 6 Phases of an Advanced Ransomware Threat

The vast majority of ransomware attacks target a region or demographic, but there are some that are strategically selected to do the most damage and make the largest profit.  Extortionists go to great effort to penetrate a business, and the ransom demands for these Advanced Ransomware Threats (ARTs) far exceed those for a typical attack.

The goal of the ART is to hold your most valuable assets for ransom and ensure that copies of the data are not available for restoration.  The ART can be broken down into six phases.    


This process begins with reconnaissance.  The attacker reviews information on the company.  They might start by enumerating all the employees mentioned on the company web site and then crawl the Internet for email addresses.  This might provide them with forum posts, blog comments, site registrations, and other information on employees.  Attackers also search social media for people who work at the company.  Attackers retrieve job postings, press releases, and company reports.  They build a dossier on key employees and organizational processes from the information they gathered.  This may also include contractors, partners, and other third parties that interface with the target company.


In the penetration phase, attackers launch spear phishing or whaling attacks on individuals in the business.  The attacker’s knowledge of employees enables them to craft an email that sounds legitimate, referring to people and services the target knows or routinely engages.  They construct a malicious payload designed specifically to circumvent controls, based on their analysis of technical data gathered in the previous stage.

The attacker is just trying to establish a foothold at this point.  High-value targets are best, but ARTs can accomplish their objectives by exploiting other individuals as well.  The attacker’s malicious code allows access to one or more machines once targets fall for the phish.


In the fortification stage, attackers hide evidence of their entry, establish redundant methods of accessing the device, and set up methods to reinfect components.  They may also protect the acquired asset from other attacks so that another hacker does not target the same machine and inadvertently call attention to their activities.


Attackers in the infiltration stage target higher value accounts to gain access to additional sensitive information as well as assets that can be used to disrupt backup and archival processes.  Attackers perform an internal reconnaissance to identify additional accounts to exploit and technical controls to bypass.  Attackers may review process documentation to understand backup or incident response procedures.  Some attackers may steal data at this phase to be sold or used in additional attacks.  Credentials are frequently stolen and archived in many stages of the assault.


In the spoliation phase, attackers alter backup routines, removing the configuration for target data so that backups appear to operate but do not back up the target data.  Attackers may purge some data at this point, but they take precautions not to call attention to themselves, so data may be removed from container files while the files themselves are left in place.  They may introduce flaws into software to make it harder to conduct a restore, or modify backup documentation so that restoration teams cannot locate the correct data.
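A defender can catch the two spoliation signs described above, a job that no longer covers the target data and a backup that still reports success while holding far less data, by checking backups against an independent baseline. The following is an added example, not part of the original post; the job export format, job names, paths and sizes are all constructed assumptions.

```python
from pathlib import PurePosixPath
from statistics import median

# Constructed baseline of paths that must be backed up. Keep it outside the
# backup system so an intruder cannot edit the job and the baseline together.
REQUIRED = ["/srv/finance", "/srv/hr/records", "/var/lib/pgsql"]

# Constructed job definitions in a hypothetical export format.
JOBS = {
    "nightly-files": {"include": ["/srv"], "exclude": ["/srv/finance"]},
    "nightly-db": {"include": ["/var/lib/pgsql"], "exclude": []},
}

# Constructed run history, oldest first: (job, status, bytes written).
RUNS = [
    ("nightly-db", "success", 52_000_000_000),
    ("nightly-db", "success", 52_400_000_000),
    ("nightly-db", "success", 51_900_000_000),
    ("nightly-db", "success", 3_100_000_000),  # still "success", 94% smaller
]

def _under(path, root):
    """True if path equals root or lies beneath it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def uncovered_paths(required, jobs):
    """Required paths that no job fully backs up (an exclude at, above or
    below the path counts as a gap)."""
    def covers(job, path):
        included = any(_under(path, inc) for inc in job["include"])
        cut = any(_under(path, e) or _under(e, path) for e in job["exclude"])
        return included and not cut
    return [p for p in required if not any(covers(j, p) for j in jobs.values())]

def shrunken_jobs(runs, max_drop=0.5):
    """Jobs whose latest successful run wrote far less than the prior median."""
    history = {}
    for job, status, size in runs:
        if status == "success":
            history.setdefault(job, []).append(size)
    return [job for job, sizes in history.items()
            if len(sizes) >= 3 and sizes[-1] < median(sizes[:-1]) * (1 - max_drop)]

if __name__ == "__main__":
    print("not covered:", uncovered_paths(REQUIRED, JOBS))
    print("size anomaly:", shrunken_jobs(RUNS))
```

Neither check replaces a periodic test restore, which is the only way to confirm that the files inside a backup still contain the expected data.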


In the ransom phase, attackers deploy ransomware to data stores where target data resides.  The ransom is timed for the date when it will have the most impact, such as just before a major announcement, during mergers and acquisitions, or surrounding audits.  They may use any flavor of ransomware as long as it effectively makes the data unavailable and gives them the only keys to decrypt it.  Their presence on the network allows them to utilize their existing foothold to deliver the keys back to themselves securely.  Attackers wipe archive copies of the data and ensure that all target data is encrypted when data is distributed across many servers, devices, or locations.  They clean up any remaining evidence of their presence, potentially leaving some avenues for a return visit, and then make their ransom demand.  The only thing then remaining is to wait for their victim to realize that their data is irretrievable and they cannot restore it.

ARTs do not often make the news because companies want to keep the event quiet.  However,  a recent ART resulted in NAYANA paying over $1 million in ransom.  As mentioned, there is no single ransomware used in ARTs.  Attackers may perform the encryption using custom programs or utilize a combination of ransomware to encrypt data on different types of devices such as Macs or Linux servers.

Some attackers use ransomware as a diversion from their real intent.  The attackers may have already stolen the data they wanted, so they manually infect the systems with ransomware, counting on the company to wipe machines and restore from backup, thus erasing any remaining evidence of their presence and distracting incident responders from the actual attack.


This post is Part 3 of 4 of a series discussing Ransomware: Part 1: The Economics of Ransomware, Part 2: The Psychology Behind Infamous Ransomware, and Part 4: A Timeline of Ransomware Advances.  To learn more about what ransomware is and how it is distributed, please visit our blog post The Five W’s (and How) of Ransomware.