A popular misconception is that a ransomware attack will happen immediately after someone clicks on a link, opens an email, or accesses the wrong website. This couldn't be further from the truth.
While there may be the occasional and rare instance where it automatically launches and starts encrypting, the attackers will take their time in your environment. They'll start by testing what access the compromised person's account and system have. If it's just a regular (non-admin) user, they'll create little issues at random times in the hope that one of the admins logs in, so they can capture the administrator's credentials. From there, they'll try to capture credentials from as many people as they can throughout the organization...unless they do happen to get someone with full administrative privileges, in which case it's just a matter of testing what sort of access they have and whether there are any restrictions.
Tesla example - Attackers took FOUR YEARS to pull the trigger!
Let's take the latest Tesla security announcement as an example, then I'll tell you how these typically occur.
Here's a link to the article, but I want you to think about the timeline and what was involved. This all started in 2016! And just wrapped up at the end of August (yes - in 2020!). Of course this one is a bit on the extreme side, but still...not something planned or attempted as an overnight attack. Sony, back in 2014, was an attack that took months to coordinate, infiltrate, and perform. Nowadays you're looking at weeks, possibly months, of an attacker performing reconnaissance in an environment, capturing accounts and testing their access. Once they have the permissions to the right systems, they'll begin.
First is the click, download, email, or what have you. Yes, this does start with a user most likely doing something they shouldn't. For this example I'm going to say they clicked on a link in an email (typical phishing type). Once the user clicks on the link, there may or may not be something visual on their screen, but that typically doesn't matter. They've clicked and the callback to the attacker's Command and Control (C&C) server has been initiated.
Now that the attacker has a victim, they don't want to spoil their fun and just encrypt this one system...they'll do what I stated earlier and try to capture someone's administrator credentials. Then the real fun begins.
They will spend weeks and months testing what sort of access they have throughout the organization. They'll even create their own administrative accounts and add themselves to admin groups. They'll inventory the entire organization - probably better than your current IT staff has done...and then, and only then...when the time is right, they will launch their attack. It will be calculated and performed with precision. You won't see it coming, and you'll ask yourself "how could this have happened to us?"
The first step, besides investing in "good enough" security solutions, is to be monitoring your systems and your network. Larger organizations will buy a SIEM (Security Information and Event Management) system and hire a team of highly skilled engineers to monitor, analyze, and respond. But that's pretty expensive and probably out of the realm for smaller businesses.
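To make the monitoring point concrete, here is an added example (not part of the original post, and not London Security's tooling) of the kind of correlation rule a SIEM or an in-house script would run over Windows Security events. It looks for exactly the behaviour described above: an account being created and then added to a privileged group within a short window, or a user adding themselves to a local Administrators group. The event IDs 4720, 4728, 4732 and 4756 are real Windows Security event IDs; the hosts, account names, timestamps and the JSON-per-line log format are constructed for the example, and the group names are assumptions (a production rule would match on group SIDs such as S-1-5-32-544).

```python
"""Correlate Windows Security events to flag attacker-style privilege staging.

Added illustration, not code from the original post. The event IDs are real
Windows Security IDs; the log records below are constructed sample data.
"""
import json
from datetime import datetime, timedelta

# Real Windows Security event IDs used by the rule.
ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a global / local / universal security group

# Groups whose membership changes always deserve review (assumed names;
# match on SIDs such as S-1-5-32-544 / RID 512 in a real deployment).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample log: one JSON record per line, already normalised by a collector.
SAMPLE_LOG = """
{"time": "2020-08-03T02:14:07", "event_id": 4720, "host": "DC01", "subject": "svc_backup", "target": "it_support2"}
{"time": "2020-08-03T02:15:40", "event_id": 4728, "host": "DC01", "subject": "svc_backup", "target": "it_support2", "group": "Domain Admins"}
{"time": "2020-08-03T09:30:12", "event_id": 4720, "host": "DC01", "subject": "hr_admin", "target": "jsmith"}
{"time": "2020-08-03T09:31:05", "event_id": 4728, "host": "DC01", "subject": "hr_admin", "target": "jsmith", "group": "Sales"}
{"time": "2020-08-05T13:02:51", "event_id": 4732, "host": "WS017", "subject": "mgarcia", "target": "mgarcia", "group": "Administrators"}
"""


def parse_log(text):
    """Parse JSON-per-line records and return them sorted by time."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def is_off_hours(when, start_hour=22, end_hour=6):
    """Flag activity between 22:00 and 06:00 (assumed business hours)."""
    return when.hour >= start_hour or when.hour < end_hour


def detect_privilege_staging(records, window=timedelta(hours=24)):
    """Return alerts for privileged-group additions, rated by how suspicious they are.

    high   : the account was created within `window` before being added to a
             privileged group (new attacker-controlled admin account).
    medium : any other privileged-group addition, e.g. a user adding themselves.
    """
    alerts = []
    created = {}  # target account -> creation record (event 4720)
    for rec in records:
        if rec["event_id"] == ACCOUNT_CREATED:
            created[rec["target"]] = rec
            continue
        if rec["event_id"] not in GROUP_ADD_EVENTS or rec.get("group") not in PRIVILEGED_GROUPS:
            continue
        origin = created.get(rec["target"])
        recently_created = origin is not None and rec["time"] - origin["time"] <= window
        if recently_created:
            severity, reason = "high", "account created and added to privileged group within window"
        elif rec["subject"] == rec["target"]:
            severity, reason = "medium", "user added their own account to a privileged group"
        else:
            severity, reason = "medium", "privileged group membership change"
        alerts.append({
            "severity": severity,
            "account": rec["target"],
            "group": rec["group"],
            "actor": rec["subject"],
            "host": rec["host"],
            "time": rec["time"].isoformat(),
            "off_hours": is_off_hours(rec["time"]),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_privilege_staging(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run as-is, the rule produces two alerts from the sample data: a high-severity one for `it_support2` (created and promoted to Domain Admins within two minutes, at 2 a.m.) and a medium-severity one for `mgarcia` adding themselves to the local Administrators group on WS017; the `jsmith` addition to the Sales group is ignored. The point is that none of these events looks like ransomware on its own, which is why weeks of quiet staging go unnoticed without something watching for them.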
But don't worry, there are other not-as-expensive options. You can use an EDR / MDR (Endpoint Detection and Response / Managed Detection and Response) solution, but you'll want to make sure there's someone to also do the remediation. Think of these EDR / MDR offerings like having a home monitoring system for your house, but for your computers and network. These monitor and alert but won't stop someone from actually doing anything, or fix anything that may have happened. When was the last time you heard of a company like ADT catching a burglar? You haven't! That's because they only monitor and send an alert to the police.
For your computers and your network, "the police" would be someone like a managed service provider. You know, an organization like London Security. Not only do we monitor and alert, we also perform the response and remediation. That includes applying security updates, patches, and other fixes; even making policy and configuration changes in your security solutions (if necessary and according to security industry best practices).
If you haven't taken us up on a free assessment yet...drop us a line at firstname.lastname@example.org. We're here to help, and there is no cost or obligation for this free service.