Ransomware attacks aren’t hypothetical threats for public safety any more. While they’re often mistakenly thought of as a problem primarily affecting enterprise companies, they’re being actively deployed against emergency call centers, law enforcement agencies and public safety infrastructure, as cyber criminals look for organizations with mission-critical operations and cybersecurity gaps.
Understanding the stages of ransomware attacks and how they progress can, however, help security analysts prevent and respond to them more effectively and improve overall cyber defenses.
A Nightmare Scenario: Ransomware Attack Takes Down 9-1-1 Call Center
The impact of a ransomware attack can be immediate and costly. Consider this nightmare scenario: it’s a late fall evening, and a frantic employee at a county public safety answering point (PSAP) notices that someone has logged into their dispatch center workstation through a remote access software tool.
Cyber criminals have launched a ransomware attack against the 9-1-1 center, and a message pops up to warn the employee that multiple files have already been locked. The ransom note demands payment in bitcoin for a key to decrypt them and threatens that if the ransom isn’t paid, the center won’t get its files or systems back.
As the attack spreads to other workstations, tension grows. The operations manager shuts down servers and workstations, trying to minimize the impact of the attack, and the computer-aided dispatch (CAD) system goes offline. Response times quickly increase as dispatchers go back to pen and paper methods to handle emergency calls.
It’s now 1 AM, and the IT team struggles to recover systems from backups. When asked about it later, the information security team says, “We got some obscure alerts from our security tools, but we didn’t have the expertise to understand them, much less react to them fast enough to stop the attack. Before we could do anything, the attackers had encrypted our files and systems.”
Unfortunately, this sentiment resonates with IT and security professionals working in retail, finance, healthcare and education, as well as manufacturing and other industries that are routinely hit by ransomware.
Let’s take a look at how an attack like this might progress, and what security analysts can do at each step to mitigate the damages.
Stage I: Compromise
Ransomware attacks progress through several distinct stages, and at each of them an experienced Security Operations Center (SOC) analyst has an opportunity to detect the intrusion. The most common attacks typically begin with phishing emails and compromised websites.
In the first stage, compromise, malicious actors send mass or targeted phishing emails with documents containing macros or links to websites that look like legitimate businesses or organizations. The attacker’s goal is to get a foothold in your network without being detected. Phishing links can convince people to enter their credentials (like usernames and passwords) on the fake website so attackers can steal them.
Over the years, attackers have become adept at crafting very convincing phishing emails. They can also download and execute malicious software onto the victim’s system via innocent-looking attachments or website ads. This malicious code will then call back to the attacker’s command and control (C2) server and download a weaponized piece of software. This is the first step in establishing persistence.
At this stage of an attack, some of the indicators and red flags a SOC analyst will review are unusual network connections to the host serving the download, fileless scripts running, scheduled tasks being created, registry modifications, unusual logon patterns and others. An experienced analyst will investigate to determine if the activity is benign or malicious. If it’s indeed malicious, the SOC can step in and initiate a response to shut down the threat using an endpoint detection and response (EDR) tool.
Stage II: Privilege Escalation
If the attack isn’t detected in the first stage, the attacker moves on to stage II. Once the attacker is in your network and establishes persistence, the next step is to attempt to get access to a user account that has permissions to do more in the network, such as an Administrator or root account. This is known as privilege escalation.
Once they’ve established Administrator privileges, the attacker then scans the network to identify the agency or company’s cyber infrastructure to locate critical systems and data. At this point the attacker wants to ensure they have access to as much of the network as possible. The more systems they encrypt, the higher the ransom and likelihood of the victim paying it.
If the attack gets to this stage, a SOC analyst might see unusual activity such as scanning that originates from within the network, newly created accounts, unexpected network connections and other indicators. The analyst will investigate to determine if the activity is normal user behavior or consistent with known software and applications. If not, the SOC will again step in and initiate a response to shut down the threat.
Stage III: Lateral Movement
If the threat actor hasn’t been found and stopped by this point, they can now potentially move freely throughout the network, which is known as lateral movement. They can disable security tools, such as antivirus, and gain full access to drives in order to encrypt them. The attacker’s objective here is to prepare the environment so that when they introduce ransomware to the network, there are few barriers to its propagation.
One important thing to note here is that many traditional and even next-generation antivirus programs will not detect the malicious activity in the first three stages, since there may be no signature for it.
As the attack progresses to this stage, a SOC analyst will be alerted to and recognize changes made to assets to disable or modify security settings. The SOC analyst will also investigate and determine if there is unusual activity or movement throughout the network. If needed, they can escalate suspicious files to the incident response team for forensic analysis (static and dynamic).
Stage IV: Delivery
The attacker will now download the ransomware, which starts to encrypt the systems and data on the network. Once ransomware delivery and encryption have taken place, the attacker will demand payment for decryption keys. Having exfiltrated data beforehand, they may also threaten to release sensitive agency or company data if payment isn’t made, in what’s referred to as double extortion.
Many organizations don’t identify the attacker and the associated ransomware until this point, though. An attack should never get this far, but it’s quite common. At this stage, however, it’s very difficult to stop the attack and minimize the impact.
The adversaries use legitimate tools built into Microsoft Windows, such as PowerShell or wscript, to execute attacks. This makes it that much harder to detect a ransomware threat. They know most IT staff using common tools can’t spot malicious behavior amid the flow of normal activity. However, well-trained SOC analysts can identify it and stop the attack in the early stages. As we discussed in our previous blog on detecting an early-stage SocGholish malware attack, the sooner you can detect a threat, the better the odds are of limiting potential harm.
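As an added illustration of how the per-stage indicators described above can be turned into triage logic (example code written for this article, not Motorola Solutions’ ActiveEye or any product code), the following Python routine tags constructed Windows event records with the stage they point to: Office applications spawning PowerShell or wscript, scheduled task creation and off-hours remote logons (stage I), new accounts, Administrators membership changes and internal scanning (stage II), and security services being stopped (stage III). The event IDs are the standard Windows Security/System log IDs; the host names, account names, field layout and the 20-host scan threshold are assumptions.

```python
"""Tag constructed Windows event records with the ransomware stage they indicate."""
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
SECURITY_SERVICES = {"WinDefend", "Sense"}  # Defender AV / Defender for Endpoint service names


def triage(events, scan_threshold=20):
    """Return {stage: [finding, ...]} for the indicators the article lists per stage."""
    findings = defaultdict(list)
    scan_targets = defaultdict(set)  # (host, image) -> distinct internal destinations
    for e in events:
        eid = e["event_id"]
        if eid == 4688 and e["parent"].lower() in OFFICE_PARENTS and e["image"].lower() in SCRIPT_HOSTS:
            findings["I"].append(f"{e['host']}: {e['parent']} spawned {e['image']}")  # macro -> script host
        elif eid == 4698:  # scheduled task created (persistence)
            findings["I"].append(f"{e['host']}: scheduled task created: {e['task']}")
        elif eid == 4624 and e["logon_type"] == 10 and not 7 <= e["hour"] < 19:  # RDP logon off hours
            findings["I"].append(f"{e['host']}: remote logon by {e['user']} at {e['hour']:02d}:00")
        elif eid == 4720:  # user account created
            findings["II"].append(f"{e['host']}: account created: {e['user']}")
        elif eid == 4732 and e["group"].lower() == "administrators":  # member added to local group
            findings["II"].append(f"{e['host']}: {e['member']} added to Administrators")
        elif eid == 5156:  # filtering platform permitted an outbound connection
            scan_targets[(e["host"], e["image"])].add(e["dst"])
        elif eid == 7036 and e["service"] in SECURITY_SERVICES and e["state"] == "stopped":
            findings["III"].append(f"{e['host']}: security service stopped: {e['service']}")
    # Internal scanning: one process on one host reaching many distinct internal addresses.
    for (host, image), targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            findings["II"].append(f"{host}: {image} connected to {len(targets)} internal hosts (scan)")
    return dict(findings)


# Constructed sample events (assumed hosts and accounts, not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "disp-ws01", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"event_id": 4698, "host": "disp-ws01", "task": "\\OneDriveUpdate"},
    {"event_id": 4624, "host": "disp-ws01", "logon_type": 10, "user": "dispatcher3", "hour": 23},
    {"event_id": 4624, "host": "disp-ws02", "logon_type": 10, "user": "supervisor1", "hour": 9},
    {"event_id": 4720, "host": "dc01", "user": "svc_backup2"},
    {"event_id": 4732, "host": "dc01", "member": "svc_backup2", "group": "Administrators"},
    *({"event_id": 5156, "host": "disp-ws01", "image": "powershell.exe", "dst": f"10.20.1.{i}"} for i in range(1, 26)),
    {"event_id": 7036, "host": "cad-srv01", "service": "WinDefend", "state": "stopped"},
]

if __name__ == "__main__":
    for stage, items in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"Stage {stage}:", *items, sep="\n  ")
```

Each finding is only a lead for the analyst to investigate, as the article stresses; the daytime remote logon in the sample is deliberately left untagged to show that the rules key on context, not on the event ID alone.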
A recent guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Cyber Risks to Land Mobile Radio (LMR) urged public safety agencies to adopt comprehensive cybersecurity best practices to plan for and mitigate cyber threats. While this advice was specific to LMR, the guidance is sound for anyone concerned about improving their cyber defenses.
In practice, security teams are often busy with day-to-day work such as compliance requirements, audits, identity and access, security tooling, patching, security awareness and the other basic security controls. These tasks typically take priority since they are key to managing your overall security program and risk.
Although these are all important, one key capability that many organizations find they need help with is 24/7 monitoring of IT networks, cloud apps, security tools and endpoints. To level the playing field with the attackers, we recommend engaging a highly skilled SOC that has experience identifying and responding to sophisticated threats like the ransomware attack we discussed here.
Motorola Solutions Managed Detection and Response (MDR) Services provide access to a 24/7 team of cybersecurity experts in our SOC who’ve identified and stopped thousands of security incidents, as well as our co-managed ActiveEye security platform, which enables you to see everything our analysts are doing in real-time. When it comes to fighting threats like ransomware, the combination of preventative measures, assessments, ongoing monitoring and expert advice is critical to protecting your organization.
Contact us to learn more about how we can help you improve your cyber defenses while detecting and remediating threats.