To best understand how to protect against ransomware attacks, we must first look at how ransomware might spread across a business’ local systems and SaaS accounts.
Delivery: Ransomware is typically distributed via a phishing email that dupes a user into clicking a link or opening an attachment, which runs a loader that installs the malware on their system (exposed remote-access services and stolen credentials are the other common entry points). In the early days of the ransomware boom, these attacks were generic and carried out on a wide scale. Today's social engineering attacks are more targeted and customized for the intended victim.
Infection: An employee receives a phishing email and unknowingly opens a file that installs a self-propagating ("cryptoworm") variant of ransomware on their laptop. The malware enumerates the files it will later encrypt and, at the same time, spreads across the network to additional PCs and servers, typically by abusing network shares, harvested credentials or unpatched services. Encryption does not begin immediately; instead the malware first spreads to as many systems as possible. This stage runs in the background with little visible effect, so the business usually remains unaware of the infection.
Encryption: The command and control server operated by the cybercriminals supplies the cryptographic key material used to encrypt the infected systems. In most families the server provides the attackers' public key (or a per-victim key pair); the malware then generates symmetric keys locally to encrypt files and wraps those keys with the public key, so the key needed for decryption never exists on the victim's systems. Depending on the type of attack, this server may also receive business data exfiltrated from infected systems, which the attackers can threaten to publish if the ransom is not paid. When the attackers are satisfied that the ransomware has been thoroughly distributed, the encryption process is triggered, usually on all infected systems at once. Because the spread phase is quiet and the detonation is coordinated, defenders should look for the spread itself (unusual lateral movement and share enumeration) and for the first signs of encryption (bursts of file renames and high-entropy writes), and keep backups offline or immutable so they survive the detonation.
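As an added illustration of the spread and encryption phases described above (example code written for this page, not from the original article): a small behavioural detector that consumes file-write telemetry and alerts when one process writes many high-entropy files across several directories on a host within a short window, then correlates those alerts across hosts to surface the spread. The event layout, host names, process names and paths are constructed assumptions modelled loosely on EDR/Sysmon-style file events; the flat byte histogram stands in for ciphertext.

```python
"""Behavioural detector for the encryption phase of a ransomware intrusion.

Added example, not from the original article. Record layout, hosts, process
names and paths are assumptions made for this illustration.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Synthetic payloads: a flat byte histogram (exactly 8.0 bits/byte) stands in
# for ciphertext; repeated prose stands in for an ordinary document.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT_LIKE = b"Quarterly sales figures for region north, see attached. " * 64


def _t(hms: str) -> datetime:
    return datetime.fromisoformat(f"2024-03-04T{hms}")


# Constructed sample events: (timestamp, host, process, path, first bytes written).
EVENTS = [
    # Normal office activity on WS01.
    (_t("09:00:05"), "WS01", "winword.exe", r"C:\Users\ana\Documents\q1.docx", PLAINTEXT_LIKE),
    (_t("09:01:10"), "WS01", "excel.exe", r"C:\Users\ana\Documents\budget.xlsx", PLAINTEXT_LIKE),
    # A hypothetical process rewrites files across many folders within seconds.
    (_t("09:14:00"), "WS01", "updater.exe", r"C:\Users\ana\Documents\q1.docx.locked", CIPHERTEXT_LIKE),
    (_t("09:14:01"), "WS01", "updater.exe", r"C:\Users\ana\Pictures\team.jpg.locked", CIPHERTEXT_LIKE),
    (_t("09:14:02"), "WS01", "updater.exe", r"C:\Users\ana\Desktop\notes.txt.locked", CIPHERTEXT_LIKE),
    (_t("09:14:03"), "WS01", "updater.exe", r"D:\Shares\finance\ledger.xlsx.locked", CIPHERTEXT_LIKE),
    (_t("09:14:04"), "WS01", "updater.exe", r"D:\Shares\finance\payroll.csv.locked", CIPHERTEXT_LIKE),
    # The same process appears on the file server shortly afterwards (spread).
    (_t("09:14:30"), "FS01", "updater.exe", r"E:\Data\hr\contracts.pdf.locked", CIPHERTEXT_LIKE),
    (_t("09:14:31"), "FS01", "updater.exe", r"E:\Data\hr\reviews.docx.locked", CIPHERTEXT_LIKE),
    (_t("09:14:32"), "FS01", "updater.exe", r"E:\Data\legal\nda.docx.locked", CIPHERTEXT_LIKE),
    (_t("09:14:33"), "FS01", "updater.exe", r"E:\Data\legal\msa.docx.locked", CIPHERTEXT_LIKE),
    (_t("09:14:34"), "FS01", "updater.exe", r"E:\Backups\db.bak.locked", CIPHERTEXT_LIKE),
    # A legitimate archiver also writes high-entropy output, but into one folder only.
    (_t("09:20:00"), "WS02", "7z.exe", r"C:\Temp\a.7z", CIPHERTEXT_LIKE),
    (_t("09:20:01"), "WS02", "7z.exe", r"C:\Temp\b.7z", CIPHERTEXT_LIKE),
    (_t("09:20:02"), "WS02", "7z.exe", r"C:\Temp\c.7z", CIPHERTEXT_LIKE),
    (_t("09:20:03"), "WS02", "7z.exe", r"C:\Temp\d.7z", CIPHERTEXT_LIKE),
    (_t("09:20:04"), "WS02", "7z.exe", r"C:\Temp\e.7z", CIPHERTEXT_LIKE),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, window=timedelta(seconds=60),
                             min_files=5, min_dirs=3, entropy_threshold=7.0):
    """Alert on (host, process) pairs that write at least min_files high-entropy
    files spanning at least min_dirs directories inside one sliding window.
    The directory fan-out is what separates an encryptor from an archiver."""
    by_actor = defaultdict(list)
    for ts, host, proc, path, head in events:
        if shannon_entropy(head) >= entropy_threshold:
            by_actor[(host, proc)].append((ts, str(PureWindowsPath(path).parent)))
    alerts = []
    for (host, proc), writes in by_actor.items():
        writes.sort()
        for i, (start, _) in enumerate(writes):
            in_window = [w for w in writes[i:] if w[0] - start <= window]
            dirs = {d for _, d in in_window}
            if len(in_window) >= min_files and len(dirs) >= min_dirs:
                alerts.append({"host": host, "process": proc, "files": len(in_window),
                               "dirs": len(dirs), "first_seen": start})
                break  # one alert per actor is enough for triage
    return alerts


def correlate_spread(alerts):
    """Processes that triggered the burst rule on more than one host: the
    fan-out across the estate that the article calls the spread phase."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[a["process"]].add(a["host"])
    return {proc: sorted(h) for proc, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    found = detect_encryption_bursts(EVENTS)
    for a in found:
        print(f"ALERT {a['host']} {a['process']} wrote {a['files']} high-entropy files "
              f"in {a['dirs']} directories from {a['first_seen']:%H:%M:%S}")
    for proc, hosts in correlate_spread(found).items():
        print(f"SPREAD {proc} active on {', '.join(hosts)}")
```

On the constructed events the rule fires for the encryptor on WS01 and FS01 but not for the archiver on WS02, and the cross-host correlation names the one process active on both machines. In production the entropy sample would come from the first block of each write, and the thresholds should be tuned per host role, since backup and compression jobs legitimately produce high-entropy output.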