
Anatomy of a Breach: What Happens Behind the Scenes of a Ransomware Attack

As a business owner, there are probably not many more frightening things you can hear than, “We have a virus” or “We’ve experienced a breach”. Immediately, you start thinking the worst. Will all our systems go down? How will we recover? How much information was exposed?

Of course, this is quickly followed up with “How did this happen? Why didn’t my antivirus catch it? How did it make it through the firewall? I thought we had software to notify us of suspicious software?” And on and on. It’s easy to blame yourself or your technology for the crisis, but many times this is simply not the case.

When it comes to a malware infection or a breach, the answer to “How did this happen?” is usually this: Someone clicked a link or opened an attachment they shouldn’t have. Antivirus and similar signature-based protection technologies simply cannot detect malware that hasn’t already been discovered, because their signature databases contain nothing that matches it yet. The simplest analogy for why malware makes it through is why we need to get a flu shot every year. Because influenza, a virus, mutates constantly, our immune system does not recognize the new strain(s) until after infection. In other words, our bodies react after the damage has already been done. In this same vein, new variants of malware are written hourly. This means that computers and devices around the world are infected and compromised at an ever-increasing rate because most counter-measures simply cannot keep up with the new mutations.

So, what happens when someone clicks that link or opens that attachment? How does a computer become infected, despite all of our efforts to always remain updated? To best illustrate what happens, we’ll tell a theoretical story about a company that has been hit with ransomware, one of the most common forms of malware circulating today. This “Anatomy of a Breach” discussion will help you see what happens ‘behind the scenes’—and help you devise measures to protect against it happening to you.

A user opens their email and sees a message with a document attached, along with a potentially compelling reason to open it. The email may announce that your invoice is past due or that you need to review an attached subpoena before it is submitted to a judge. Hackers know that while 90% of people (or more) will know this doesn’t apply to them and simply delete the message, at least a small percentage may be expecting a message just like this and it never occurs to them that it might not be legit. One of these users opens the attachment and is typically presented with a note stating something such as: “The contents of this document are encrypted for your protection, please click here to enable decryption”. This tactic is used to play on the psychological aspect of the attack and gain the victim’s trust.

What is really happening is that the user is enabling macros (in the case of Word and Excel documents) or accessing a website with malicious code, which allows the malware to start its work:

  1. A small executable file and any supporting files embedded in the attachment are saved to the hard drive of the user’s device.
  2. The computer registry is modified to start the malware every time the user logs on or the computer is rebooted.
  3. The executable file is launched (sometimes as a hidden process) and it immediately connects to a “Command and Control” (CNC) server to register itself and uniquely identify the infected computer.
  4. An RSA public key is requested from the CNC server and stored in the computer registry.
  5. Any additional downloads/information the hackers want to transfer (ransom details, malware updates, etc.) are completed.
  6. The malware then quietly starts encrypting all files it is programmed to look for, both on the local computer and on any devices it’s connected to.
  7. Once the malware finishes, it displays a notice to the victim that their files have been encrypted and a ransom demand is made.
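Step 6 is the point where a defender can still catch the attack without a signature, because the behaviour itself is distinctive: one process rewrites a large number of files in a short time, and the new contents look like random bytes (encrypted data has near-maximal byte entropy, unlike documents or spreadsheets). The script below is an added illustration of that kind of behavioural check and is not code from 12 Points or from any product the post refers to. The event stream, process names, file paths and the three tuning values (entropy threshold, window length, file count) are all constructed assumptions for the example.

```python
"""Behavioural detector for the mass-encryption step of a ransomware attack.

Added example (not part of the original post). It scores file-write events by
the Shannon entropy of the written content and counts how many distinct
high-entropy files one process has written inside a sliding time window.
No signature database is consulted; a brand-new variant is flagged by what
it does, not by what it is.
"""
import math
import random
from collections import defaultdict, deque

# Tuning values are assumptions for this illustration, not vendor settings.
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to the 8.0 maximum
WINDOW_SECONDS = 60.0     # sliding window kept per process
FILES_PER_WINDOW = 20     # distinct high-entropy files before a process is flagged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class MassEncryptionDetector:
    """Flags a process that rewrites many files with near-random content in a short window."""

    def __init__(self, threshold=ENTROPY_THRESHOLD, window=WINDOW_SECONDS,
                 max_files=FILES_PER_WINDOW):
        self.threshold = threshold
        self.window = window
        self.max_files = max_files
        self._recent = defaultdict(deque)   # process -> deque of (timestamp, path)

    def observe(self, process: str, ts: float, path: str, content: bytes) -> bool:
        """Record one file write; return True when it pushes the process over the limit."""
        if shannon_entropy(content) < self.threshold:
            return False                     # ordinary documents, logs, source: ignore
        recent = self._recent[process]
        recent.append((ts, path))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()                 # forget writes that fell out of the window
        distinct_files = {p for _, p in recent}
        return len(distinct_files) >= self.max_files


def build_sample_events():
    """Constructed event stream: a word processor saving plain text files, interleaved
    with a rogue process overwriting photos with random bytes (standing in for ciphertext)."""
    text = b"Quarterly invoice summary for review. " * 40
    rng = random.Random(1)                   # fixed seed so the run is reproducible
    events = []
    for i in range(30):
        events.append(("winword.exe", float(i), f"C:/Users/a/report{i}.docx", text))
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append(("unknown_updater.exe", float(i),
                       f"C:/Users/a/photos/{i}.jpg.locked", blob))
    return events


def run_detection(events):
    """Return (process, timestamp, path) for every write that raised an alert."""
    detector = MassEncryptionDetector()
    return [(proc, ts, path) for proc, ts, path, content in events
            if detector.observe(proc, ts, path, content)]


if __name__ == "__main__":
    for proc, ts, path in run_detection(build_sample_events()):
        print(f"t={ts:5.1f}s  {proc}  mass-encryption threshold reached at {path}")
```

In the constructed stream the word processor is never flagged, while the rogue process trips the detector on its 20th distinct file (at t=19s) and on every write after that while it stays inside the window. Real endpoint tooling adds more signals (extension changes, shadow-copy deletion, the registry persistence entry from step 2), but the entropy-plus-rate idea is the core of most behavioural anti-ransomware checks.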

Once the malware has done its job, the victim is basically at the mercy of the hackers. Without backups, the data is lost unless a gamble is made to pay the ransom. Even then, there is no guarantee the data will truly be restored in a usable fashion. The aftermath is typically the same: Restore from backup, if possible; rebuild the infected computer; review and update protection mechanisms and hope it doesn’t happen again.

The above scenario is one that plays out hundreds of times per day, with little variation other than the actual ransomware attack used. The underlying problem is that the hackers are, as noted above, constantly writing new variants of their attacks. The malware attack thus “looks and smells” like something completely new to automated scanners and signature-based technologies. Traditional protection simply does not work and executives from well-known technology companies have recently admitted as much. Also keep in mind, we are just referring to the recent ransomware epidemic and not even delving into the hundreds of other types of hacker attacks that are occurring as I write this.

Before you get frustrated and think there is nothing you can do, I urge you to relax. There are alternatives. Technology exists today that has consistently prevented users falling victim to these types of attacks, and it has been proven to work time and time again. That is part of our mission here at 12 Points: to find, test and explain groundbreaking technologies in this Brave New Cyber World of ours. Please don’t hesitate to contact us if you’d like to learn more.

Tony Cody is the Founder and CEO of 12 Points Technologies, a digital forensics and cyber security company that helps protect businesses from online threats, recover from online incidents and provides services for those who need to recover critical information from digital devices. Tony has over 20 years of IT experience with the U.S. military and private firms. For more information, please visit www.12PointsInc.com.
