  • This article was written and provided to the Scottish Business Resilience Centre by cyber security provider BlackBerry.

It’s a dark and rainy night. Thunder rumbles. Lightning flashes. An unexpected crime takes place. Intrigue and deception follow, with a mystery to solve.

When it comes to fiction, you might enjoy reading a good mystery to figure out “whodunnit.” Not so when that crime is a ransomware attack with a digital note telling you that threat actors have compromised your organisation’s network, encrypted all your files, and are demanding immediate payment to restore your operations.

The Cost of Ransomware: More Than Money

In 2021, the average cost of a ransomware attack hit $1.85 million – a 41% increase from the previous year. This includes the ransom, downtime, people time, device cost, network cost, lost opportunity, and more. But beyond the financial and reputational cost, there’s another impact few companies talk about: leadership turnover. Recent research reveals that 32% of the time, C-level employees depart the organisation after a successful ransomware attack. To add insult to injury, 80% of targeted organisations are hit by a repeat attack.

These are the reasons SANS Institute’s Senior Instructor Jake Williams and BlackBerry Principal Incident Response & Forensics Consultant Ryan Chapman joined forces in a recent SANS webcast to explain the various stages of a ransomware operation and the steps organisations can take to lessen vulnerability.

“Ransomware is no longer just an executable that drops onto a device and then does bad things on that device,” Chapman says in the webcast. “Rather, it is an overall operation, and it’s carried out by humans with their hands on the keyboard.”

Threat actors are “doing things human-operated,” Chapman concludes. “You should too. If you don’t have enough security-minded folks, then that’s where managed detection and response comes in.”

Stages of a Ransomware Attack

In the webcast, Williams and Chapman list eight distinct stages in a typical ransomware attack:

  1. Initial access – how it’s usually accomplished, and why detecting attacker backdoors is so difficult
  2. Command and control – and the keys to detection
  3. Local privilege escalation – and why it’s so easy for threat actors to carry out
  4. Lateral movement – and corresponding detection methods
  5. Domain privilege escalation – the top four tactics typically favoured by attackers
  6. Data exfiltration – threat actors exfiltrate data prior to encryption
  7. Searching for your backups – and the lengths malicious actors will go to in order to find them
  8. Deployment of the ransomware – and the most common tools attackers use

View the webcast, or read the free white paper from BlackBerry for more details on each attack stage and to understand opportunities to disrupt a ransomware attack as it occurs in your environment.

How can your business get the best ransomware protection? Know that prevention is possible. Find out how.