Dissecting Ransomware: Understanding Types, Stages, and Prevention

While many new threats and emerging attack methods could significantly impact your organization, the more likely scenario is attackers will
apply tried and tested methods they already know to be effective. Attackers favor low-effort, high-value tactics – like ransomware – because
they are easy to pull off and profitable.

According to Verizon Research, no matter how many other threats are out there, ransomware continues to dominate as three of the top four
incident attack vectors. It’s no wonder ransomware is a staple, as attackers get approximately $170k per ransom on average. Considering how
easy it is to spread via phishing, email, and infected websites, ransomware is the very definition of low effort and high reward.

Preventing ransomware infections takes more than an antivirus (AV), as AV solutions are not perfect, and one failure can have significant
consequences. Organizations need a combination of awareness, prevention, and a cohesive strategy to combat this threat, building in layers of
protection.

The Types and Stages of Ransomware


To determine an effective strategy, it helps to understand the different types and stages of ransomware. With this information, you can select
appropriate controls to stop ransomware before a full-blown infection runs its course.

Ransomware Types
The most common types of ransomware used by attackers are listed below. Encryptors and lockers lead the pack as the most used among them.

• Crypto ransomware or encryptors - Encrypts files so organizations cannot access them.
• Lockers - Locks organizations out of their systems.
• Scareware - Disguised as a solution and mimics legitimate security tools.
• Doxware or leakware - Threatens to publish personal information or impersonates law enforcement demanding fines.
• Ransomware as a Service (RaaS) - Malicious actors lease ransomware strains and initial access to compromised networks for a share of the profits.

Within these types exist different groups or families of ransomware. For example, Darkside is the group that uses a RaaS model and is known for the attack on the Colonial Pipeline in 2020.

• LockBit - Extremely active but prefers low-profile attacks. Encrypts and exfiltrates files.
• Black Basta - Deploys DDoS attacks. Known to rely on double extortion tactics.
• Hive - Targets industrial and education targets, encrypting data.
• ALPHV/BlackCat - A RaaS model, it launches DDoS attacks.

Fortra.com 2

Ransomware Stages
While there are more than 130 different ransomware families detected since 2020, most ransomware attacks follow the same general process and are broken up into five major stages:

1. Delivery - The start of the attack where the malware makes an appearance via a phishing email, use of an exploit, or accessing an infected external host. At this stage, the malware hasn’t taken root, but something or someone has been exposed.
2. Command and Control - Once the malware has found a place to run, it reaches back to its origin for further instructions. Usually, the initial installation is nothing more than the groundwork to get embedded in a device. The later stages’ more complicated instructions, encryption keys, and code are downloaded here.
3. Credential Access - As the malware is already installed and running on a device, it starts investigating for stored credentials or saved access. The goal is to spread to different accounts and devices across the network, so anything discovered here will lead to more damage across the organization. This is where backdoors may be opened to allow attackers direct access to the network.
4. Canvassing - The malware looks for valuable files, especially those containing personal information, financial data, or research. Before these files are encrypted, they get sent back to the source for later attacks. In this stage, the malware stretches its tendrils out to other shared storage and devices to infect them and repeat the process.
5. Extortion - This step is the culmination of the attack. Data has already been stolen and the device is fully encrypted. Attackers demand payment from victims to regain access to their data. If payment is made, the attackers might provide a decryption key, but there are no guarantees.

Stopping the cycle early is crucial for defending the business. Blocking ransomware in the earlier stages diminishes the overall impact on the organization, including data loss and the effort required to remediate.

Post-attack Extortion
Despite ransomware having a direct cost of holding data hostage, there is a secondary target in stealing the data. Once an attacker has an endpoint infected, it is more efficient and profitable to steal data simultaneously. This leads to double and triple extortion attacks that multiply beyond the initial cost of unlocking the data with threats to release or sell the data.

With double extortion, attackers will extort the company itself not to have the data released or sold. The triple extortion attack has the attackers go a step further to contact those who have had their data stolen (customers or partners of the target business) and individually request ransom from them. At this point, the breach becomes very public and much harder to contain.

Ransomware Data Theft
Even for those who pay the additional extortion requests, it is still likely that the attacker will sell the data on the dark web. Sensitive information such as social security numbers (SSNs), credit cards, bank accounts, driver’s licenses, and other personal data is valuable. Reselling this information is easy, and it is challenging for law enforcement to track down the sellers, making the risk to criminals extremely low.

Data theft results in a breach for organizations, which has direct consequences if a legal or regulatory compliance framework controls the information. Not only must the organization report the breach in these cases, but in many cases, the company is liable for the breach. This can result in direct fines, corrective action plans, or lawsuits from affected customers. Beyond this is the residual reputational damage that will plague the company, decreasing the trust existing and future customers have in their security, resulting in lost business down the road.
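As an added example (not part of the Fortra guide), the following Python detection logic shows how the encryption stage described above surfaces in file-activity telemetry: one process renaming many files to a new extension within a short window, which is the point at which the cycle has already reached stage 5. The log lines, the host name ws-17 and the process name svc-updater.exe are constructed for the example; the 60-second window and the 20-rename threshold are assumed tuning values.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample file-activity log (no real host or malware). Fields:
#   timestamp host process operation path [-> new_path]
def build_sample_events() -> List[str]:
    lines = [
        "2024-03-01T09:00:01 ws-17 winword.exe WRITE C:/Users/jdoe/Documents/q1-report.docx",
        "2024-03-01T09:00:09 ws-17 outlook.exe WRITE C:/Users/jdoe/AppData/Local/outlook.ost",
        "2024-03-01T09:01:30 ws-17 explorer.exe RENAME C:/Users/jdoe/Desktop/old.txt -> C:/Users/jdoe/Desktop/notes.txt",
    ]
    # A hypothetical process renaming one document per second to a new extension:
    # the pattern the text describes for the encryption (extortion) stage.
    start = datetime(2024, 3, 1, 9, 5, 0)
    for n in range(40):
        ts = (start + timedelta(seconds=n)).isoformat()
        src = f"C:/Users/jdoe/Documents/file{n}.xlsx"
        lines.append(f"{ts} ws-17 svc-updater.exe RENAME {src} -> {src}.locked")
    return lines


def parse_event(line: str) -> Optional[Dict]:
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    ts, host, process, op, rest = parts
    path, new_path = rest, None
    if " -> " in rest:
        path, new_path = rest.split(" -> ", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": process,
            "op": op, "path": path, "new_path": new_path}


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 20                   # assumed number of type-changing renames per window


def detect_rename_bursts(lines: List[str], window=WINDOW, threshold=THRESHOLD) -> List[Dict]:
    """Alert once per (host, process) that changes the file type of `threshold` files within `window`."""
    recent = defaultdict(deque)   # (host, process) -> deque of (timestamp, new extension)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "RENAME" or ev["new_path"] is None:
            continue
        new_ext = extension(ev["new_path"])
        if new_ext == extension(ev["path"]):
            continue  # ordinary renames keep the file type; encryption changes it
        key = (ev["host"], ev["process"])
        q = recent[key]
        q.append((ev["ts"], new_ext))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()   # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "process": ev["process"], "count": len(q),
                           "extensions": sorted({e for _, e in q}),
                           "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(build_sample_events()):
        print(alert)
```

The explorer.exe rename in the sample keeps its .txt extension and is ignored, so the rule fires only for the process that changes file types in bulk. Because the alert fires at the twentieth rename rather than after the fact, it is the kind of signal that an automated response can act on while most of the files are still untouched.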


Building Barriers to Ransomware


To remain safe, organizations need several security layers to prevent malware from ever getting to the point where it starts to run. Targeted
malware circumvents specific types of controls, making it harder to detect and block. Multiple layers of controls ensure that protection
remains even if one is bypassed, maintaining your security.

Antivirus Isn’t Enough


Antivirus solutions alone are insufficient to protect against every strain of malware. Zero-day and unique permutations keep ahead of many
signature-based detections. By the time an AV has detected ransomware, it has already passed through numerous lines of defense. While
not as susceptible to the lag in detection as signature-based detection, behavior-based virus detection may not be enough either. By the
time AV observes risky behavior, the damage has already been done, or data is irrevocably lost.

AV should not be the only protection. Organizations must layer their security with proactive measures at the beginning of the attack
continuum – before the attack.

"AV solutions are an excellent last line of defense, but fending off ransomware earlier in the attack cycle minimizes impact."


Find and Fix Vulnerabilities

One of the best ways to make your organization a more challenging target for ransomware attacks is to remove accessible entrances for attackers to exploit. Attackers often start their process by scanning their target for known vulnerabilities that have not been detected or remediated. Using a known vulnerability makes the attack process less complicated and allows them an easier path to install ransomware.

Endpoint Vulnerability Scanning
Endpoints are often the target for attackers with ransomware, especially since more people are working remotely and using non-corporate devices. Malicious actors look for known exposures that they can easily compromise first, before getting more inventive. Proactive scans and testing help discover problems before attackers do.

The effectiveness of the vulnerability evaluation process depends on the quality of the vulnerability scanning solution employed. Not all scanners are made equally. They draw from different databases of known vulnerabilities, have different levels of accuracy, and scan at varying rates. Even for solutions that seem identical across these lines, not every solution is made for every platform. Some work well for on-premises resources but have no capacity for the cloud, while others are built with a cloud-first approach.

Code Vulnerability Discovery
Vulnerabilities exist not just in endpoints but also in the code created for software and applications. Custom applications have vulnerabilities that stem from logical errors, third-party libraries, and coding mistakes. Much like managing vulnerabilities on an endpoint, these issues need to be discovered, prioritized, and remediated using the right tools.

Endpoint vulnerability scanning tools draw from publicly available databases of known vulnerabilities. Custom applications require a combination of testing tools to evaluate the code and how it performs so they can uncover unknown vulnerabilities.

SAST - Static application security testing tools review the code looking for logical errors and mistakes made by developers.

DAST - Dynamic application security testing tools test against built software to determine exploitable paths in the software when it runs.

Fuzzing - Fuzzing tools are a form of DAST testing that tests software inputs and interfaces using malformed and random information to induce errors.

Using a combination of testing solutions during the software development lifecycle (SDLC) can determine the security posture of custom software and applications and prevent costly breaches.
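To show what the fuzzing step above means in practice, here is an added Python example (not Fortra's code or any product's) that mutates a seed input and feeds each variant to a constructed toy type-length-value parser. The parser carries a deliberate missing bounds check so the fuzzer has something to find; the hardened version beside it rejects malformed input with its documented ValueError instead of failing unexpectedly. The parser, the seed bytes, the mutation strategies and the iteration count are all assumptions for the example.

```python
import random
from typing import Dict, List, Tuple

Record = Tuple[int, bytes]


def parse_tlv_vulnerable(data: bytes) -> List[Record]:
    """Toy TLV parser with a deliberate bug: the length byte is read without checking it exists."""
    records, i = [], 0
    while i < len(data):
        rtype = data[i]
        length = data[i + 1]               # IndexError when input ends right after a type byte
        records.append((rtype, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records


def parse_tlv_hardened(data: bytes) -> List[Record]:
    """Same format, but every read is bounds-checked; malformed input raises ValueError."""
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated record header at offset {i}")
        rtype, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError(f"record at offset {i} declares {length} bytes but input ends early")
        records.append((rtype, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records


# Constructed seed: two well-formed records (type 1, "AB") and (type 3, "C").
SEED_INPUT = bytes([1, 2]) + b"AB" + bytes([3, 1]) + b"C"


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random structural mutation: truncate, overwrite a byte, or insert a byte."""
    choice = rng.randrange(3)
    if choice == 0 and len(data) > 1:
        return data[:rng.randrange(1, len(data))]
    if choice == 1:
        pos = rng.randrange(len(data))
        return data[:pos] + bytes([rng.randrange(256)]) + data[pos + 1:]
    pos = rng.randrange(len(data) + 1)
    return data[:pos] + bytes([rng.randrange(256)]) + data[pos:]


def fuzz(parser, seed: bytes = SEED_INPUT, iterations: int = 300, rng_seed: int = 1234) -> Dict[str, bytes]:
    """Return {exception name: first input that raised it} for anything other than ValueError."""
    rng = random.Random(rng_seed)   # fixed seed keeps the run reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng, seed)
        try:
            parser(candidate)
        except ValueError:
            continue                  # documented rejection of bad input is correct behaviour
        except Exception as exc:      # anything else is a bug worth a ticket
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


if __name__ == "__main__":
    print("vulnerable parser:", fuzz(parse_tlv_vulnerable))
    print("hardened parser:  ", fuzz(parse_tlv_hardened))
```

The fuzzer treats ValueError as the parser's contract and anything else as a finding, which is the distinction a real harness needs so that expected rejections do not drown out genuine defects. Running the same loop against the hardened parser and getting no findings is the remediation-verification step the guide describes later.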


Managing Vulnerability with Limited Resources


There is more to vulnerability management than identifying and fixing what exposures exist. Organizations have limited resources, so
addressing everything is impossible. An organized and standardized plan is crucial for this process. It allows organizations to reduce as much of
their risk as possible without overtaxing their current staff.

Personalize Prioritization
Prioritization is the most critical step to successful vulnerability management. Some organizations believe that simply squashing all vulnerabilities that are scored high or critical by CVSS is sufficient to protect themselves, but in reality, this approach is highly inefficient and leaves them exposed.

In CVSS scores, general vulnerability exploitability is factored in, but it is not organization-specific. The way each company implements its technology can create controls that make it harder or easier for an attacker to leverage a vulnerability. Knowing this infrastructure-specific information and adjusting the scoring accordingly helps personalize prioritization for a risk-based approach that optimizes team efficiency and effectiveness.

Test and Validate
The existence of exploitable vulnerabilities can be further validated through penetration testing. Sharing vulnerability scanning results with a pen testing team or pen testing software can confirm if any of these vulnerabilities can be exploited and identify what business-critical assets and data can be accessed through that exploit.

Additionally, remediation verification pen testing can validate that implemented fixes are effective for resolving the vulnerability. Penetration testers can validate that new controls not only function as expected but also that they are not easily circumvented. They do this by thinking and behaving as malicious attackers do, but without damaging or stealing your data. An example of this is their ability to chain together several lower-risk vulnerabilities to determine if, in combination, they can elevate to a more impactful exposure.

Having this functionality is not easy for every organization, as skilled testers can be costly to maintain and hard to hire. In these cases, there are alternatives to having a permanent on-site team.

Outsourcing - Using an external team or vendor allows your organization to get many benefits of penetration testing without keeping them on staff full-time. External testers can also augment existing teams with specialized skills, helping in focused testing.

Self-Service - Using specialized toolsets, organizations can accomplish some of the same testing that a penetration tester can do with less experienced individuals. Self-testing can remove some data-gathering steps in validating controls, streamlining a future pen testing engagement.

No matter how an organization wishes to approach it, the vital step is to test against the control to validate that it is functioning correctly.
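The "Personalize Prioritization" section above argues for adjusting CVSS base scores with organization-specific context. As an added example (not Fortra's scoring model and not the official CVSS environmental metrics), this Python snippet applies illustrative exposure, asset-criticality, known-exploit and compensating-control factors to a constructed set of findings and shows how the resulting order differs from sorting by base score alone. The weights, the finding IDs, the asset names and the CVE placeholders are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Illustrative weights (assumptions for this example, not CVSS environmental metrics).
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
CRITICALITY = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4}
EXPLOIT_KNOWN_BOOST = 1.2          # a public exploit raises the chance the flaw is used against you
COMPENSATING_CONTROL_FACTOR = 0.5  # something already blocks or narrows the attack path


@dataclass
class Finding:
    finding_id: str
    cve: str                 # placeholder identifiers below; not real CVE numbers
    cvss_base: float
    asset: str
    exposure: str            # key into EXPOSURE
    criticality: str         # key into CRITICALITY
    exploit_known: bool = False
    compensating_controls: List[str] = field(default_factory=list)


def contextual_score(f: Finding) -> float:
    """Base score adjusted for where the asset sits, what it is worth, and what already protects it."""
    score = f.cvss_base * EXPOSURE[f.exposure] * CRITICALITY[f.criticality]
    if f.exploit_known:
        score *= EXPLOIT_KNOWN_BOOST
    if f.compensating_controls:
        score *= COMPENSATING_CONTROL_FACTOR
    return round(min(score, 10.0), 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest contextual score first; base score breaks ties."""
    return sorted(findings, key=lambda f: (contextual_score(f), f.cvss_base), reverse=True)


def order_by_base_score(findings: List[Finding]) -> List[str]:
    """The naive 'fix every high/critical first' ordering, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed findings, the shape a scanner export would produce.
SAMPLE_FINDINGS = [
    Finding("F1", "PLACEHOLDER-CVE-1", 9.8, "qa-build-server", "internal", "low",
            compensating_controls=["no route from user VLANs"]),
    Finding("F2", "PLACEHOLDER-CVE-2", 6.5, "customer-portal", "internet", "critical", exploit_known=True),
    Finding("F3", "PLACEHOLDER-CVE-3", 9.1, "vpn-gateway", "internet", "critical"),
]


if __name__ == "__main__":
    print("by base score only:", order_by_base_score(SAMPLE_FINDINGS))
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.asset:16} base {f.cvss_base:4} contextual {contextual_score(f):4}")
```

With base scores alone, the 9.8 on an isolated QA box would be worked first; with context applied, the internet-facing portal with a public exploit moves ahead of it even though its base score is a mid-range 6.5. The factors here are deliberately simple so the mechanism is visible; a production model would draw exposure and criticality from the asset inventory rather than from hand-typed fields.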


Monitoring Infrastructure
Monitoring for anomalous utilization is essential for discovering ransomware’s presence. Ransomware comes with telltale signs, such as dialing
home to known malicious locations or network probing that can serve as early indicators of an attack. Watching for these indicators can give
your organization a head start in stopping an infection from spreading.

Knowing When Attackers are Knocking


Automated threat detection tools monitor asset behavior to identify malware infection. These attacks come with known indicators such as
elevations in hardware utilization, network probing, and attempts to access external resources. Monitoring this information and leveraging
machine learning (ML) to determine variations from expected behavior can raise alerts early in the infection process. This approach can be tied
into automated alerting and blocking access, cutting off paths for malware to propagate, and reducing the overall blast radius of infection.
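As an added example (not part of the Fortra guide or any Fortra product), the following Python code runs three of the indicators named above over a constructed connection log: contact with a destination on a blocklist ("dialing home"), an outbound connection pattern with a suspiciously regular interval (beacon-like behaviour), and one internal host touching many internal hosts and ports in a short window (network probing). The addresses are taken from documentation ranges, the blocklist entry is a placeholder, and the windows and thresholds are assumed tuning values; an alert returned here is the kind of event the text proposes wiring into automated blocking.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Internal address space as the (hypothetical) organization defines it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Placeholder "known malicious" destination; a real deployment loads this from a threat feed.
BLOCKLIST = {"203.0.113.45"}

PROBE_WINDOW = timedelta(seconds=60)   # assumed
PROBE_THRESHOLD = 15                   # distinct internal host:port pairs per window (assumed)
MIN_BEACON_CONNECTIONS = 6             # connections needed before judging regularity (assumed)
MAX_BEACON_JITTER = 0.1                # stdev/mean of intervals at or below this is "regular"


def build_sample_log() -> List[str]:
    """Constructed connection log (timestamp src_ip dst_ip dst_port); not real traffic."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    lines = [f"{t0.isoformat()} 10.0.7.8 198.51.100.10 443"]                        # ordinary browsing
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 10.0.5.23 203.0.113.45 8080")  # blocklisted dst
    for n in range(8):                                                                  # 60 s heartbeat
        lines.append(f"{(t0 + timedelta(seconds=60 * n)).isoformat()} 10.0.7.8 198.51.100.77 443")
    for n in range(1, 26):                                                              # SMB sweep
        lines.append(f"{(t0 + timedelta(minutes=2, seconds=n)).isoformat()} 10.0.5.23 10.0.5.{n} 445")
    return sorted(lines)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line: str) -> Dict:
    ts, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port)}


def detect_network_indicators(lines: List[str]) -> List[Dict]:
    alerts: List[Dict] = []
    blocklist_seen, probe_alerted = set(), set()
    external_times = defaultdict(list)   # (src, dst) -> timestamps of outbound connections
    probe_recent = defaultdict(list)     # src -> [(ts, (dst, port))] inside the probe window
    for line in lines:
        ev = parse(line)
        # 1. Known-bad destination: alert once per (src, dst) pair.
        if ev["dst"] in BLOCKLIST and (ev["src"], ev["dst"]) not in blocklist_seen:
            blocklist_seen.add((ev["src"], ev["dst"]))
            alerts.append({"kind": "blocklist", "src": ev["src"], "dst": ev["dst"], "port": ev["port"]})
        if not is_internal(ev["dst"]):
            external_times[(ev["src"], ev["dst"])].append(ev["ts"])
            continue
        # 2. Internal probing: many distinct internal host:port targets from one source.
        recent = probe_recent[ev["src"]]
        recent.append((ev["ts"], (ev["dst"], ev["port"])))
        recent[:] = [(t, k) for t, k in recent if ev["ts"] - t <= PROBE_WINDOW]
        distinct = {k for _, k in recent}
        if len(distinct) >= PROBE_THRESHOLD and ev["src"] not in probe_alerted:
            probe_alerted.add(ev["src"])
            alerts.append({"kind": "probe", "src": ev["src"], "distinct_targets": len(distinct)})
    # 3. Beacon-like regularity, judged once all connections for each pair are known.
    for (src, dst), times in external_times.items():
        if len(times) < MIN_BEACON_CONNECTIONS:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean > 0 and statistics.pstdev(intervals) / mean <= MAX_BEACON_JITTER:
            alerts.append({"kind": "beacon", "src": src, "dst": dst,
                           "interval_s": round(mean), "connections": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in detect_network_indicators(build_sample_log()):
        print(alert)
```

The beacon check deliberately does not depend on the blocklist: a destination that nobody has catalogued yet still stands out when one host contacts it on a fixed schedule, which is the behavioural angle the text contrasts with signature-based detection. Internal ranges are declared explicitly rather than inferred from the address class, because the documentation ranges used here (and several other special-purpose ranges) are not globally routable and would otherwise be misclassified.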

Layers of Protection
Reducing your ransomware risk requires a complete toolset to create multiple layers of protection. However, layered doesn’t have to mean
complicated. Working with organizations that offer interoperable solutions can help simplify your efforts to establish layered security. We offer
high-powered security solutions that are bundled together to help reduce dashboard fatigue and prevent data silos.

Learn more about our offensive security bundles – including penetration testing, adversary simulation, and vulnerability management - and
see how they can help simplify and strengthen your organization’s security.

About Fortra
Fortra is a cybersecurity company like no other. We’re creating a simpler, stronger future for our
customers. Our trusted experts and portfolio of integrated, scalable solutions bring balance and
control to organizations around the world. We’re the positive changemakers and your relentless ally
to provide peace of mind through every step of your cybersecurity journey. Learn more at fortra.com.

© Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners. fta-gd-1122-vm-r1
