Demystifying the five stages of ransomware

Ransomware is malware that aims to infect a system and encrypt the victim's critical data, then demand payment for its release. The encrypted files remain on the organization's or the individual user's systems, but they can no longer be accessed.

Once the victim's critical data is encrypted, the attacker demands a ransom in exchange for releasing it. The victim is sent instructions on how to pay, in return for which they are promised a decryption key. Attackers usually demand payment in Bitcoin. Note that paying does not guarantee a working decryptor, which is one more reason recovery planning should not depend on the attacker's cooperation.

Let's briefly look at the five basic stages of a ransomware attack:

Stage 1: Initial exploitation

The first stage of a ransomware attack is initial exploitation: the process by which the attacker gains a foothold on the victim's system or corporate network in order to install the malware. Intruders can use several methods for this step, the most popular being phishing. Others include brute-forcing credentials on exposed servers, redirecting victims to malicious websites, and compromising an exposed Remote Desktop (RDP) service.

Stage 2: Installation

Once the ransomware has reached the victim's system, the second stage, installation, takes place. The malicious code establishes persistence so that it runs every time the system starts, giving it a lasting presence on the network. At this stage the ransomware may also profile the system and decide whether it is worth infecting and attacking further. For example, if the target turns out to be a virtual machine or an analysis sandbox, the malware may simply exit without doing anything noticeable.

Stage 3: Backup destruction

In the third stage, the ransomware looks for backup files on the victim's system and destroys them; on Windows this commonly means deleting volume shadow copies and local backup catalogs. With nothing to restore from, the victim's fear of permanent data loss grows, and with it the chance that the ransom will be paid. This is also why backups that the compromised host cannot reach (offline or immutable copies) matter more than backups stored on the same machine.

Stage 4: Encryption

In the fourth stage, the ransomware begins to encrypt the victim's critical data. To do this, the installed ransomware typically connects to a command-and-control (C2) server, which holds the encryption key and the instructions for the encryption routine, including which file types to target. Some families instead carry an embedded public key and can encrypt with no network connection at all, so the absence of C2 traffic is not proof that encryption is not under way.

Stage 5: Extortion or blackmail

In the final stage, the attacker demands payment in exchange for the decryption key needed to recover the encrypted files. A message appears on the victim's screen announcing that their files have been encrypted and giving instructions on how to make the payment. Usually a deadline is set by which the victim must pay in order to regain access to their critical data.

Tackling a ransomware attack

As the above shows, a ransomware attack is a sequence of events capable of causing serious damage, especially when carried out at scale. The key to fighting ransomware is awareness within organizations and security teams of how this type of attack works. By understanding the ransomware life cycle, users and security teams can prevent such attacks, or detect and stop them at an earlier stage, with the appropriate strategy.
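Stages 3 and 4 above each leave observable traces, and the paragraph just above argues that knowing the life cycle lets a security team catch an attack before extortion. The following is an added example written for this page, not code from the original article or from ManageEngine: a small correlation routine that reads constructed process and file-rename events (the `ts|kind|host|process|detail` format, the host names, and the `update.exe` process name are all assumptions for the example) and flags backup destruction (known shadow-copy and backup-catalog deletion commands) and bulk encryption (one process changing the extension of many files within a short window).

```python
"""Added example: toy ransomware-stage correlation over constructed log events.

Flags Stage 3 (backup destruction) from process command lines and Stage 4
(mass encryption) from bursts of extension-changing renames by one process.
Illustrative only; the event format and sample data are invented for this page.
"""
import re
from collections import defaultdict, deque

# Command lines commonly used by ransomware to destroy local recovery data.
BACKUP_DESTRUCTION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

RENAME_RE = re.compile(r"^rename\s+(.+?)\s+->\s+(.+)$")

# Constructed sample events (assumed format: ts|kind|host|process|detail).
# ws01 shows a full Stage 3 -> Stage 4 sequence; ws02 is benign activity.
SAMPLE_LOG = r"""
1700000000|proc|ws01|cmd.exe|vssadmin.exe delete shadows /all /quiet
1700000001|proc|ws01|cmd.exe|wbadmin.exe delete catalog -quiet
1700000002|proc|ws02|powershell.exe|vssadmin.exe list shadows
1700000010|file|ws01|update.exe|rename C:\Users\a\report.docx -> C:\Users\a\report.docx.locked
1700000011|file|ws01|update.exe|rename C:\Users\a\budget.xlsx -> C:\Users\a\budget.xlsx.locked
1700000012|file|ws01|update.exe|rename C:\Users\a\notes.txt -> C:\Users\a\notes.txt.locked
1700000013|file|ws01|update.exe|rename C:\Users\a\photo.jpg -> C:\Users\a\photo.jpg.locked
1700000014|file|ws01|update.exe|rename C:\Users\a\plan.pptx -> C:\Users\a\plan.pptx.locked
1700000015|file|ws01|update.exe|rename C:\Users\a\README.txt -> C:\Users\a\README.txt.locked
1700000020|file|ws02|explorer.exe|rename C:\Users\b\draft.tmp -> C:\Users\b\draft.docx
1700000021|file|ws02|explorer.exe|rename C:\Users\b\old.docx -> C:\Users\b\old2.docx
"""


def parse_events(text):
    """Parse pipe-separated event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, host, proc, detail = line.split("|", 4)
        events.append({"ts": int(ts), "kind": kind, "host": host,
                       "proc": proc, "detail": detail})
    return events


def detect_backup_destruction(events):
    """Stage 3: return (ts, host, proc, cmdline) for backup-destroying commands."""
    return [(e["ts"], e["host"], e["proc"], e["detail"])
            for e in events
            if e["kind"] == "proc"
            and any(p.search(e["detail"]) for p in BACKUP_DESTRUCTION_PATTERNS)]


def _ext(path):
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(events, threshold=5, window=60):
    """Stage 4: flag a (host, process) that changes the extension of at least
    `threshold` files within `window` seconds (a sliding window per process)."""
    recent = defaultdict(deque)  # (host, proc) -> deque of (ts, new_ext)
    alerts = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] != "file":
            continue
        m = RENAME_RE.match(e["detail"])
        if not m or _ext(m.group(1)) == _ext(m.group(2)):
            continue  # not a rename, or the extension did not change
        key = (e["host"], e["proc"])
        q = recent[key]
        q.append((e["ts"], _ext(m.group(2))))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # drop renames that fell out of the window
        if len(q) >= threshold:
            alerts[key] = {"first_ts": q[0][0], "count": len(q),
                           "extensions": sorted({ext for _, ext in q})}
    return alerts


def correlate(log_text, threshold=5, window=60):
    """Combine both detectors; both stages on the same log is rated critical."""
    events = parse_events(log_text)
    backup = detect_backup_destruction(events)
    enc = detect_mass_encryption(events, threshold, window)
    stages = [s for s, hit in ((3, backup), (4, enc)) if hit]
    severity = "critical" if len(stages) == 2 else ("high" if stages else "none")
    return {"stages": stages, "severity": severity,
            "backup_destruction": backup, "mass_encryption": enc}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    print("stages seen:", result["stages"], "severity:", result["severity"])
    for key, info in result["mass_encryption"].items():
        print("mass rename by", key, info)
```

The two signals are deliberately independent: the rename burst alone would fire on a legitimate bulk conversion, and a shadow-copy deletion alone might be an administrator, but the two together on one host within minutes are the Stage 3 to Stage 4 sequence the article describes, and a real SIEM rule would weight that combination highest. In production the per-process window and threshold would be tuned against normal file-server activity, and the command-line list extended as new families appear.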

ManageEngine SIEM solutions and Log360

Adopting a SIEM solution such as ManageEngine's Log360 helps detect signs of ransomware infection through real-time event correlation, alerting, analysis, and anomaly detection. Together these make it possible to combat an ongoing ransomware attack at whatever stage it has reached. To evaluate the capabilities of ManageEngine Log360, download the trial version here.

Source: Digital Life! by
