What Does Ransomware Do to an Endpoint Device?

What does ransomware do to an endpoint device? Ransomware attacks have been increasing in number and severity lately — and without awareness of the issue, the problem will only get worse.

In the first half of 2021, for example, the FBI's Internet Crime Complaint Center (IC3) received more than 2,000 ransomware complaints totaling $16.8 million in damages. This represents an increase of 62 percent in reports, and 20 percent in damages, compared to the same time period in 2020.

To know how to guard against ransomware, you first need to understand how this form of malware operates. From the definition of "ransomware attack" to what ransomware does to an endpoint device, in this article, we'll go over everything you need to know.

What is computer ransomware?

How can we define ransomware? Put simply, computer ransomware is malicious software that encrypts the data and files on a victim's computer, preventing users from accessing them without the corresponding decryption key. The attackers then demand a ransom in exchange for restoring access to the information; if the ransom is not paid, data loss is very likely.

There are several modern ransomware variants, each more insidious than the last. In May 2017, for example, the WannaCry ransomware made global news by infecting people and organizations in more than 150 countries, causing an estimated $4 billion in damages. In 2021, the Colonial Pipeline gasoline pipeline system was struck by a ransomware attack and went offline for several days. To deal with the attack's impact, the U.S. government issued an emergency declaration for states in the southern and eastern United States to keep fuel supply lines open.


How does a ransomware attack work?

There are essentially four stages of a ransomware attack:

  1. Infection: To enter a network, ransomware must find an initial means of attack. One common point of weakness is Microsoft's Remote Desktop Protocol (RDP) software, which allows users to connect to and control another computer remotely. Another popular attack vector is phishing emails, which use social engineering to trick users into revealing sensitive data or downloading a malicious application. Yet another method is an "exploit kit": automated software that redirects traffic on a compromised website to another page, where the attacker tries to take advantage of vulnerabilities in the user's web browser.
  2. Reconnaissance: The malware usually does not make its presence known immediately after a ransomware infection. Instead, it remains lying in wait, collecting information on the environment such as the network hierarchy, the operating systems running, and the potential locations of valuable data. This information will then be exploited during the attack for maximum effect.
  3. Credential dumping and privilege escalation: On a single infected computer, ransomware has little impact. To inflict maximum damage, the malware seeks to spread to other devices on the network, a process known as "lateral movement." To do this without being detected, the ransomware needs valid login credentials for those devices, which it obtains by installing keylogger software or stealing stored passwords.
  4. Gaining access and locking down: After the ransomware has collected enough information, it attempts to spread to as many computers on the network as possible, all at the same time. Users may even unintentionally spread the malware themselves through file sharing if the application appears benign. The ransomware then encrypts the files and locks down each device, displaying a message telling users that they must pay a ransom to regain access.


What does ransomware do to an endpoint device?

What happens in detail when ransomware infects an endpoint device (such as a desktop, laptop, smartphone, or tablet)? As mentioned above, much of ransomware's lifetime is spent in surveillance, gathering information for the most effective attack. The malware uses lateral movement to prolong its lifetime, stealthily propagating itself to other computers throughout the network—much as a biological virus replicates itself by finding new hosts.

If a computer becomes infected by ransomware, the organization has only a limited time to respond. The term "breakout time" refers to the amount of time between the malware first entering the system and spreading to other computers. Many ransomware attackers appear to be getting more sophisticated: the average ransomware breakout time was 9 hours in 2019, but less than 5 hours in 2020.

Once the attacker decides to strike, things escalate rapidly. The ransomware uses an encryption algorithm to scramble the contents of the device's files and data. The precise way the data is encrypted, and the key needed to reverse it, are known to the attacker but not to the user, creating an information imbalance that is essential to the attack's success.

Without the matching decryption key, it will be nearly impossible for the user to recover the encrypted data. The good news is that it's not always a lost cause. Initiatives such as No More Ransom and Kaspersky's No Ransom have cataloged the ransomware variants for which there is a decryption tool available. If you get hit with a ransomware attack, one of the first steps should be to diagnose the variant and check if there is a corresponding ransomware decryptor available.

If you have no such luck, the next question is whether you should pay the ransom in the hope of regaining access to your files. Unfortunately, given the attackers' unscrupulous morals to begin with, there is no guarantee that they will decrypt your system after the ransomware payment is made.

During the WannaCry attack, for example, users were told to send their ransomware payments (either $300 or $600) to one of just three Bitcoin wallets. In other words, the attackers had no way to distinguish which victims had paid, since many people were told to send Bitcoins to the same address (and Bitcoin is, by design, an anonymous payment system). Multiple security researchers stated that they had not heard of any WannaCry victims successfully recovering their data.

What's more, the attackers' aims may not even be primarily financial. Countries such as Russia, Iran, China, and North Korea are known to have sophisticated cyber warfare programs, including ransomware. The Colonial Pipeline ransomware is an example of attackers aiming at high-profile targets such as infrastructure or governments, although in this case the attack is not believed to have been political.

How to get started with ransomware defense

Unless organizations begin to take ransomware seriously, the threat posed by this malicious software will only continue to increase. The good news is that there are several effective methods of ransomware protection, including:

  • Backups: It's essential that companies maintain a recent data backup that can be swiftly accessed after an attack. If you regularly store backups in an offline location, you can limit the data loss you suffer by restoring the most recent backup taken before the attack.
  • EDR and XDR platforms: Endpoint detection and response (EDR) platforms continuously monitor endpoint computers for suspicious activity, sending alerts if something seems amiss. XDR (extended detection and response) platforms include not only endpoint protection but also monitoring of other IT assets such as networks, servers, and cloud deployments.
  • Firewalls and EPP: Detecting ransomware in your network is invaluable, but it's just as important to prevent malware from entering your IT environment in the first place. Firewalls help guard against unauthorized traffic at your network perimeter, while EPPs (endpoint protection platforms) combine firewalls with other defenses such as anti-malware tools.
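As an added illustration of the kind of endpoint monitoring the EDR bullet describes (example code written for this article, not part of the article's original text or of any product it names): a small Python heuristic that flags a process renaming many files to one common new suffix within a short window, which is the file-system footprint of the encrypt-and-lock stage described above. The event log format, process ids, paths, window and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed (not from the article) endpoint-agent event format, one event per line:
#   "<epoch_seconds> pid=<pid> write <path>"  or  "<epoch_seconds> pid=<pid> rename <old> -> <new>"
LINE_RE = re.compile(r"^(\d+) pid=(\d+) (write|rename) (.+)$")

def parse_event(line):
    m = LINE_RE.match(line.strip())
    if not m or (m.group(3) == "rename" and " -> " not in m.group(4)):
        return None  # ignore lines that do not match the assumed format
    return {"ts": int(m.group(1)), "pid": int(m.group(2)), "op": m.group(3), "arg": m.group(4)}

def appended_suffix(old, new):
    """Suffix a rename appended to the original name (e.g. '.locked'), else None."""
    return new[len(old):] if new.startswith(old) and len(new) > len(old) else None

def detect_encryption_bursts(lines, window_s=60, threshold=10):
    """Return sorted (pid, suffix, file_count) for every process that renamed at least
    `threshold` distinct files to the same appended suffix within `window_s` seconds."""
    recent = defaultdict(deque)  # pid -> deque of (ts, suffix, original path)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["op"] != "rename":
            continue
        old, new = (p.strip() for p in ev["arg"].split(" -> ", 1))
        suffix = appended_suffix(old, new)
        if suffix is None:
            continue  # ordinary rename, e.g. an editor swapping in a temp file
        q = recent[ev["pid"]]
        q.append((ev["ts"], suffix, old))
        while ev["ts"] - q[0][0] > window_s:
            q.popleft()  # drop events that fell out of the sliding window
        files = {p for _, s, p in q if s == suffix}
        if len(files) >= threshold:
            key = (ev["pid"], suffix)
            alerts[key] = max(alerts.get(key, 0), len(files))
    return sorted((pid, s, n) for (pid, s), n in alerts.items())

def constructed_sample():
    """Constructed events: a benign editor save, then one process renaming twelve
    documents to *.locked within twelve seconds (thresholds and paths are assumed)."""
    lines = ["1000 pid=501 write C:/Users/alice/docs/notes.txt",
             "1001 pid=501 rename C:/Users/alice/docs/notes.txt.tmp -> C:/Users/alice/docs/notes.txt"]
    for i in range(12):
        p = f"C:/Users/alice/docs/file{i}.docx"
        lines += [f"{1100 + i} pid=4242 write {p}", f"{1100 + i} pid=4242 rename {p} -> {p}.locked"]
    return lines
```

Running `detect_encryption_bursts(constructed_sample())` flags only pid 4242 with suffix `.locked`; a real agent would feed live events through the same loop and raise an alert (or suspend the process) the moment the threshold is crossed, rather than after the fact.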

Businesses concerned about ransomware should begin to build a robust, comprehensive tech stack that covers all these bases. That's why UncommonX has developed the BOSS XDR platform for advanced cyber threat detection and response. The BOSS XDR platform helps our clients with everything from protecting against threats to reacting and recovering after an incident.

Want to see the power of best-in-breed technology for defending against ransomware and other cyber threats? UncommonX is here to assist. Contact our team of IT security experts today for a chat about your business goals and requirements and to see a demo of the BOSS XDR solution.


About the Author

At the center of our U.S.-based Security Operations Center (SOC) is a distinctly skilled team of security architects, engineers, analysts, and data scientists. Each is an expert in their respective field and dedicated to protecting our customers 24/7.