Understand the steps of a ransomware attack to better safeguard your data

Identification and surveillance

The threat actor will identify their target and try to phish login credentials, scan the web for vulnerable servers, or purchase exploits and credentials from the Dark Web. 

What you can do to prevent


The threat actor uses the credentials or exploits they acquired to enter your infrastructure. With so many connected apps and servers, it can be difficult to identify unauthorized logins.

What you can do to prevent


The actor then installs a loader or injector file into the compromised infrastructure. This could enable them to create a backdoor or install software that will sit silently in the background.

What you can do to prevent


To ensure their work isn’t deleted when the compromised resource is rebooted or updated, the actor will create an auto-start action that persists through any state.

Privilege escalation

The actor escalates their privileges, enabling them to carry out more steps along the chain with a lower chance of setting off any alarms.

What you can do to prevent

Defense evasion

In order to avoid detection, the threat actor may reduce security configurations. An example of this would be removing single-sign on or disabling logging so there is no more visibility into activity.

What you can do to prevent


To ensure the greatest chance of success, the actor will silently observe security practices and processes, baselines typical user behavior, and find out where the most valuable assets are located.

Lateral movement

With the intel gathered during discovery, the actor will move laterally around the infrastructure. This helps them identify more assets for encryption and is often where they start to hone in on more sensitive data.

What you can do to prevent

Command and control

The actor opens up communications with command and control (C2) server(s) to gain further control over the environment. This is usually where the actor takes greater control of any compromised assets and begins issuing additional commands remotely.

What you can do to prevent


The actor may exfiltrate some data to hold as additional leverage against the victim to pressure them into paying the ransom. Taking it a step further, the actor may execute a “lock and leak” attack where they leak some of the stolen data as a negotiation tactic.

What you can do to prevent


The actor reveals themselves and executes their attack. They will encrypt sensitive files, lock out users and demand payment within a certain time-frame.

What you can do to prevent

3 key actions to take:

Secure the edge, wherever that may be, to minimize your initial exposure, contain the attack, and reduce the risk of lateral movement.
Implement contextual access policies that detect anomalous behavior indicative of a compromised user account or device. 
Protect data both at rest and in motion to mitigate the risk of modification, duplication, and exfiltration that an attacker typically executes as part of a ransomware attack.

Try our free SaaS risk assessment

Gain visibility into users, devices, and data associated with your SaaS apps today.

Take Assessment Now