Targeted ransomware – everything you need to know

By Aaron Bugal, Global Solutions Engineer, Sophos

Credit: ID 113806864 © Tomas Knopp

It’s been a while since ransomware made the front page, and although you’d be forgiven for thinking that it’s had its day, I have to tell you that’s simply not the case. Whilst our attention has been focused on cryptomining and cryptojacking, which have been making the headlines of late, something else – that started brewing before anyone had ever heard of WannaCry – has been gathering pace and size.

There is a trend towards stealthier and more sophisticated ransomware attacks – these attacks are individually more lucrative, harder to stop, and more devastating for their victims. Known as targeted ransomware attacks, these attacks rely on tactics that can be repeated successfully, commodity tools that are easily replaced, and ransomware that makes itself hard to analyse by staying in its lane and cleaning up after itself. And while the footprint of a targeted attack is tiny in comparison to an outbreak or spam campaign, it can extract more money from a single victim than all of the WannaCry ransoms put together.

The anatomy of a targeted attack

The specifics of targeted attacks evolve over time, vary from hacking group to hacking group, and can be adapted to each individual target. Despite that, targeted attacks show remarkable similarities in their overall structure.

In a typical targeted attack, a criminal hacker:

  1. Gains entry via a weak RDP (Remote Desktop Protocol) password
  2. Escalates their privileges until gaining administrator controls
  3. Uses their powerful access rights to overcome security software
  4. Spreads and runs ransomware that encrypts a victim’s files
  5. Leaves a note demanding payment in return for decrypting the files
  6. Waits for the victim to contact them via email or a dark web website

The similarities between attacks and attackers aren’t the result of coordination, but of a convergence around a method that works reliably, delivering huge payoffs to the criminal attackers. But what makes targeted attacks so fearsome is that the attackers are on hand to adapt and improvise.

The role of the attacker is changing

In a targeted attack the assailant’s job is to break into a victim’s network and maximise the chances of the ransomware succeeding in its malevolent task. As such, attackers will often look for a way to outflank security protocols by exploiting operating system vulnerabilities that let them elevate their privileges. If they can make themselves an administrator, an attacker will be permitted to run powerful administration tools, like third party kernel drivers, that can disable processes and force delete files, bypassing the protections put in place to stop the attackers uninstalling security software directly.

Targeted attacks may be relatively sophisticated but the criminals behind them aren’t looking for a challenge, and instead are on the hunt for vulnerable organisations. The best way for organisations to remove themselves from an attacker’s hit list is by getting the basics right.

Keeping businesses secure

Organisations cannot wait until after a breach to determine the next course of action. Instead you must ensure that if an attacker gains access to the network they are met with layers of overlapping defences. This includes having trained and well-drilled staff, and software capable of monitoring and reacting to anomalous events on the network, such as unusual account activity, in real time.
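The kind of real-time monitoring this paragraph calls for, applied to the first step of the attack anatomy listed earlier (entry via a weak RDP password), as an added Python example that is not Sophos’s code: it reads constructed, simplified renderings of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and raises an alert when a source address that has just failed repeatedly then logs on successfully. The one-line event format, the threshold, the time window and the sample addresses and account names are all assumptions made for the example.

```python
"""Flag an RDP password-guessing run that ends in a successful logon.

Added example, not Sophos's own code. The input is a constructed,
simplified event format (one event per line):
    <ISO timestamp> <event id> <logon type> <account> <source ip>
Event ids 4625/4624 and logon type 10 are the real Windows values;
everything else here (format, threshold, window, sample data) is assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a burst of failures from one address that ends
# in a success, and a normal user mistyping a password once.
SAMPLE_LOG = """\
2019-04-02T01:12:03 4625 10 administrator 203.0.113.7
2019-04-02T01:12:05 4625 10 administrator 203.0.113.7
2019-04-02T01:12:06 4625 10 admin 203.0.113.7
2019-04-02T01:12:08 4625 10 backup 203.0.113.7
2019-04-02T01:12:09 4625 10 administrator 203.0.113.7
2019-04-02T01:12:11 4624 10 backup 203.0.113.7
2019-04-02T09:00:00 4625 10 jsmith 192.0.2.44
2019-04-02T09:00:20 4624 10 jsmith 192.0.2.44
"""

FAIL_THRESHOLD = 5               # failed RDP logons from one source before we care
WINDOW = timedelta(minutes=10)   # sliding window the failures must fall within
RDP_LOGON_TYPE = 10              # RemoteInteractive


def parse_line(line):
    """Split one constructed event line into a dict."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def detect_rdp_guessing(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful RDP logon that was preceded, within
    the window, by at least `threshold` failed RDP logons from the same
    source address. Each alert records how many failures were seen and
    which account names were tried."""
    failures = defaultdict(deque)   # src ip -> deque of (timestamp, account)
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                 # only RDP sessions matter here
        recent = failures[ev["src"]]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append((ev["ts"], ev["account"]))
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "account": ev["account"],
                "at": ev["ts"].isoformat(),
                "failures_before_success": len(recent),
                "accounts_tried": sorted({acct for _, acct in recent}),
            })
            recent.clear()           # one alert per successful break-in
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_LOG.splitlines()):
        print("ALERT: possible RDP password guessing succeeded", alert)
```

On the sample data only the 203.0.113.7 burst produces an alert (five failures across three account names, then a success as `backup`); the single mistype from 192.0.2.44 stays below the threshold. In a real deployment the same logic would be fed from the Security event log or a SIEM, with the threshold tuned to the organisation’s normal failure rate.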

It also includes the careful selection of software with the right approaches to automation, reporting and interoperability. The right software will ensure staff have sufficient, relevant, and timely information, but aren’t overwhelmed.

At the same time, the right best practices are critical to keeping your organisation safe. Targeted attackers are like all of us: they need to be productive, in this case to make their money. These cyber criminals won’t persist in trying to hack an organisation if there is an easier target elsewhere. So make it hard, first of all by getting the basics right. Patch old systems – attackers often see these as the weakest entry point for the majority of businesses. Make passwords stronger, period. And make staff your strongest security advocates by testing them regularly and showing them what to look out for, e.g. with regular updates and sample phishing attacks.
