How to Disrupt Ransomware Attack Planning


Ransomware cyberattacks are rampant, and their frequency and sophistication are still increasing. This is due to their relative success rate and better financial returns over other types of malware attacks. Over the last few years, we have seen the number of malware attacks decrease as attackers have switched to using ransomware. As Mike Hamilton, CISO and founder of Critical Insight says, "People are easier to fool than technology."

The number of malicious sites designed to steal user credentials and other information has increased so much recently that a chart tracking them would almost be a vertical line. The SonicWall 2020 Cyber Threat Report includes data showing that ransomware attacks in the USA rose by 109% in 2020.

Ransomware is a risk for all organizations. The good news is that actions can be taken to disrupt the attacker's abilities and mitigate the risks of a successful attack. In this article, we'll summarize the methods that cybercriminals use to plan their attacks and some actions you can take to disrupt this planning.


What is Ransomware?

Ransomware is a type of cyberattack designed to infect computer systems and then spread quickly to any other systems it can contact. In the past, ransomware just encrypted the data on the computer systems it infected. Then criminals demanded that the victims pay a ransom to get a cryptographic key that could decrypt the infected machines, usually via a cryptocurrency transaction. The WannaCry malware attack was this type of ransomware.

Recent ransomware variants have started to steal data by copying it to remote locations before encrypting the local copy. This allows cybercriminals to request a ransom from the victims and use their stolen data for other attacks or sell on the dark web. Modern ransomware attacks often use a period of dwell time after the infection to allow the attackers to monitor the infected systems. They do this to identify high-value targets with information that is more likely to be valuable on the black market or more likely to induce payments from the victims to get it decrypted.


Anatomy of a Ransomware Attack

Ransomware attacks rely on tricking people into divulging information they shouldn't, or into clicking on a link that leads to a dummy site that harvests their information.

Information gathering by the attackers is a key part of ransomware attack planning. They use publicly available information and social engineering practices to compile a picture of the staff and the organization. Then they build a narrative that they can use to pretend to be a legitimate contact, with the goal of building trust and getting those attacked to lower their guard and do what the attacker wants.

Most ransomware attacks have a seven-phase lifecycle as follows:

  1. Recon
  2. Stage
  3. Launch
  4. Exploit
  5. Install
  6. Callback
  7. Persist

These phases are grouped into three sections:

  • Target: Recon and Stage phases
  • Compromise: Launch and Exploit phases
  • Breach: Install, Callback, and Persist phases

The Target section is where cybercriminals gather information about their targets and then plan their attack strategy and tactics. It is also the section that you can target to disrupt an attacker’s intelligence-gathering efforts, as outlined later.


How Cybercriminals Gather and Use Intelligence

Cybercriminals planning ransomware attacks use many sources of information when targeting an organization. Some of the information is from public sources, and some is from social engineering or previous attacks. The attacker's goal is to build a picture of an organization and its staff, then use this to compile an attack profile known as a pretext.

A pretext is a believable narrative that the attackers can use to convince someone in an organization that their reasons for contacting them are legitimate. Pretexts are used as a cover story to fool the target. They are crafted with three parts:

1. Something they are - like a job title: "Hi, I'm Todd, a support admin from IT."

2. Something they do - a role they perform in the organization - "I need to check your Office 365 login details."

3. Something they have - information they have gathered about the person or organization that is being attacked - "I can see that you use an Android phone to access mobile email."

Attackers build and deploy their pretext stories using techniques that would be familiar to anyone with sales experience. For example:

• Authority - pretending to be an authority figure such as "I'm Todd from IT..."

• Consensus - pretending that they have already talked to other named people who have agreed, and therefore this conversation shouldn't take long.

• Consistency - starting with low-level questions about name, email address, department, and similar, building a pattern of answers that the attacker hopes will condition people to continue once they start asking questions about sensitive information. Most people find it uncomfortable to challenge the questions once embarked on a conversation like this.

• Reciprocity - feeding information to those being attacked to try to get them to volunteer sensitive information in response, such as the mobile phone type in use.

• Scarcity - pretending there is a time limit on the information being requested and that there will be consequences from management if the person being attacked holds the process up.

• Similarity - mimicking procedures and interactions that occur legitimately within an organization, using information obtained via reconnaissance.

The point of building and deploying the pretext is to create a relationship and gain the trust needed to extract other information: to 'close the deal', in sales terms, with the data the cybercriminals wanted being the deal in this case.

Publicly Available Sources of Intelligence

Attackers use information obtained from multiple sources when building their pretexts. The sources fall into three main categories:

• OSINT - open-source intelligence

• HUMINT - information gained from human interactions

• SOCMINT - social media information

Many organizations leak a lot of information about their staff, offices, and operations. A lot of this is published for legitimate purposes. Some seems innocuous and is leaked via business sites like LinkedIn and job advertising sites. Still more is revealed via staff social media posts across all the major platforms.

Company websites have information about executives with profiles that can be used to start to build a pretext to use against them or staff who work for them. Job listings ask for specific skills that leak information about the technologies being used within the organization; this is a valuable bit of intel when building attack profiles. The rise in video meetings has resulted in many recorded videos being placed online. These often identify the video meeting software in use, which criminals can then use when targeting staff via phishing attacks. For example, a phishing email may inquire why someone is late for the meeting, with a link to a dummy site that requires a login. This is then used to steal the user’s login to the legitimate video meeting tool.

Corporate and personal social media posts leak a lot of information that is useful to attackers building profiles and pretexts. Pictures from within offices often show IT equipment in use, office layouts, the cafeteria, staff ID badges, and lots of other information that could be used by an attacker who phones a staff member to get them to divulge information. For example, if the attacker knows the office layout from pictures, they could mention a distinctive feature and say they saw it on their last visit. This info could be used to build trust on the phone as someone who is legitimate, because they note an accurate detail about the office.

All this information that can be publicly obtained over time is gold to attackers when they plan and deploy their pretexts to get more valuable information or deploy their ransomware packages via a link a user has been convinced to click.



The best way to combat developing and planned attacks is at the Recon and Stage phases in the Target section of the ransomware attack lifecycle noted above. Preventing attackers from gathering the information they need to build their pretexts in the first place goes a long way to preventing them from fooling staff members later during a phishing campaign.

Public-facing materials about any business should include considerations for security. Those who publish posts should review in advance for any potential intel threat actors could use against the company and ensure details in the text or pictures are free of anything that could be useful to attackers.

The following online sources of pretext material are typically used for ransomware attacks:

• Websites: Most information on corporate websites needs to be published. Content should be reviewed to see if attackers can leverage it.

• Social Media: Social media plays a large part in the marketing and public awareness campaigns of many organizations. Staff should be trained to identify and remove anything that may reveal security intel online. If photos of staff are needed, use a plain background and ensure ID badges, post-it notes, and location identifiers, including image meta-data, are removed.
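As an added example (not from the article or from Critical Insight) of the image meta-data point above: a small pure-Python check that tells whether a JPEG's Exif block carries a GPS location pointer, and a function that strips the Exif segment before the photo is published. The sample image bytes are constructed inline and are not a real photograph.

```python
import struct
# JPEG marker codes (the byte after 0xFF): SOI, APP0 (JFIF), APP1 (Exif), SOS, EOI.
SOI, APP0, APP1, SOS, EOI = 0xD8, 0xE0, 0xE1, 0xDA, 0xD9
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD, i.e. the photo is geotagged

def split_jpeg(jpeg):
    """Return ([(marker, payload), ...] for the segments after SOI, scan data from SOS onward)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != SOS:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length field counts its own 2 bytes
        segments.append((jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]

def is_exif(marker, payload):
    return marker == APP1 and payload.startswith(b"Exif\x00\x00")

def has_gps_ifd(jpeg):
    """True if an Exif APP1 segment's IFD0 contains a GPSInfo pointer (location metadata present)."""
    for marker, payload in split_jpeg(jpeg)[0]:
        if not is_exif(marker, payload):
            continue
        tiff = payload[6:]                        # TIFF header follows the "Exif\0\0" prefix
        end = "<" if tiff[:2] == b"II" else ">"   # II = little-endian, MM = big-endian
        ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                    # each IFD entry is 12 bytes, tag id first
            off = ifd0 + 2 + 12 * i
            if struct.unpack(end + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def strip_exif(jpeg):
    """Rebuild the JPEG without any Exif APP1 segment; JFIF and the image data are kept intact."""
    segments, scan = split_jpeg(jpeg)
    kept = [_segment(m, p) for m, p in segments if not is_exif(m, p)]
    return b"\xff\xd8" + b"".join(kept) + scan

def _exif_with_gps():
    """Constructed Exif block: little-endian TIFF, IFD0 with one GPSInfo entry pointing at offset 26."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    return b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + struct.pack("<HI", 0, 0)

# Constructed sample "photo" (not a real image): SOI, JFIF APP0, geotagged Exif APP1, SOS + dummy scan, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, _exif_with_gps()) + b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9")
```

Running `has_gps_ifd` over a real photo before it is posted flags a geotagged file, and `strip_exif` drops the whole Exif block (camera model and timestamps included), which is the safer default for public images.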


Offense is the best form of defense, and that holds when preparing for a ransomware attack. Going on the offense to shut down the sources of information that attackers gather and use to build pretexts is something all organizations should be doing.

It's not the only thing that should be done to protect against ransomware attacks. Remediation planning, 24x7x365 monitoring, and incident response are also important functions within a complete cyber security program needed to ultimately minimize the risks associated with a ransomware attack.

Critical Insight can help organizations of all sizes identify the data they are leaking that is of benefit to cybercriminals, and help disrupt the criminals' planning. Contact us to start building the security program you deserve while managing ransomware risks with Critical Insight Anti-Ransomware Solutions from Critical Insight.