Stages of A Ransomware Attack
Key Findings From the 2022 Unit 42 Incident Response Report

Table of Contents
Introduction
Initial Access
Ransom Demand
Payment Negotiations
Recovery
A Proactive Strategy
Introduction

Ransomware blocks access to valuable organizational data, only allowing access once a ransom demand is paid. Today’s ransomware groups often take it one step further with multiple extortion techniques, such as threatening to release sensitive information to the public if payment isn’t received. The good news is that with a strong understanding of ransomware, it’s possible to safeguard your organization.

Ransomware accounted for 36% of incidents investigated by Unit 42 in the past year, making it the most frequent type of incident our clients were forced to address. Ransomware is popular with threat actors because the technical barrier to entry is low, but the financial gain can be high. For example, ransomware as a service (RaaS) offers already-developed ransomware tools, lowering the technical requirement for implementing an attack and effectively expanding the reach of ransomware to additional would-be bad actors.

Understanding how ransomware attacks work is the key to mitigating the ones that occur, if not preventing them altogether. Proper education makes it easier to develop a preventative strategy and take a proactive cybersecurity stance. In this e-book, we will dive into the stages of a ransomware attack and make recommendations for preparing and responding along the way.
Initial Access

According to the 2022 Unit 42 Incident Response Report, exploitation of software vulnerabilities (48%) and brute-force credential attacks (20%) were the two most common ways ransomware incidents started. More specifically, remote desktop protocol (RDP), a tool used to access systems remotely, was often targeted in credential-related attacks.

To prevent vulnerability exploitation, patch internet-exposed systems as quickly as due diligence allows. In addition, disable any direct external RDP access and ensure all external remote administration is conducted through an enterprise-grade VPN with required multifactor authentication (MFA).
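The "disable direct external RDP access" recommendation is easy to state and easy to lose track of across a large rule base, so here is an added example (not code from the e-book or from Palo Alto Networks) that audits a set of inbound firewall or security-group rules for any path that admits TCP/3389 from an untrusted source, and rewrites the offending rules so RDP is reachable only from an assumed VPN client pool. The JSON rule shape, the trusted ranges (10.0.0.0/8, 192.168.0.0/16) and the VPN pool (10.20.0.0/16) are all constructed for the demo, not any vendor's real schema.

```python
"""Audit firewall or security-group rules for direct external RDP exposure.

Added example, not code from the Unit 42 e-book or Palo Alto Networks. The
rule format is a constructed, simplified JSON shape rather than any vendor's
real schema, and the "trusted" address ranges are assumptions for the demo.
"""
import ipaddress
import json

RDP_PORT = 3389

# Assumption: address ranges that count as "inside" (corporate LAN plus the
# VPN client pool). Anything else is treated as the public internet.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
VPN_CLIENT_POOL = "10.20.0.0/16"  # assumption: where MFA-authenticated VPN users land

# Constructed sample rule set (one inbound rule per object).
SAMPLE_RULES = json.dumps([
    {"name": "allow-rdp-anywhere", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "allow-rdp-vpn", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.20.0.0/16"},
    {"name": "allow-https", "proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "allow-all-tcp-office", "proto": "tcp", "from_port": 0, "to_port": 65535, "source": "203.0.113.0/24"},
    {"name": "allow-any-proto", "proto": "-1", "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
])


def rule_covers_rdp(rule):
    """True if the rule admits TCP/3389, including via a port range or 'any protocol' (-1)."""
    if rule["proto"] not in ("tcp", "-1", "any"):
        return False
    return rule["from_port"] <= RDP_PORT <= rule["to_port"]


def source_is_external(cidr):
    """True unless the source range sits entirely inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == trusted.version and net.subnet_of(trusted)
        for trusted in TRUSTED_SOURCES
    )


def find_exposed_rdp(rules_json):
    """Return the names of rules that expose RDP to untrusted sources."""
    return [
        rule["name"]
        for rule in json.loads(rules_json)
        if rule_covers_rdp(rule) and source_is_external(rule["source"])
    ]


def harden(rules_json):
    """Rewrite each exposing rule so its source is the VPN client pool only.

    Broad rules (port ranges, any-protocol) are scoped the same way; a real
    change would also narrow their ports, but this already removes the
    direct-from-internet RDP path the report calls out.
    """
    hardened = []
    for rule in json.loads(rules_json):
        if rule_covers_rdp(rule) and source_is_external(rule["source"]):
            rule = dict(rule, source=VPN_CLIENT_POOL)
        hardened.append(rule)
    return json.dumps(hardened)


if __name__ == "__main__":
    print("exposed:", find_exposed_rdp(SAMPLE_RULES))
    print("after hardening:", find_exposed_rdp(harden(SAMPLE_RULES)))
```

Note that the port-range and any-protocol rules are flagged even though "RDP" appears nowhere in them; that is the common way direct RDP exposure survives a review. The MFA half of the recommendation lives on the VPN concentrator, not in these rules, so the audit only proves that the VPN is the sole path in.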
28 days: the median dwell time for ransomware attacks after initial access.

[Figure: initial access vector in Unit 42 ransomware cases. Software Vulnerabilities 48%; Phishing 12%; Previously Compromised Credentials 8%; Abuse of Trusted Relationship(s)/Tool(s) 8%; Other 4%. The brute-force credential attack share (20%) is given in the text above.]

Dwell time is the amount of time a threat actor spends in your environment before being detected. If you can stop threat actors in the earlier stages of their attack, it’s possible you can avoid downstream ransomware in your environment.

To reduce dwell time and identify threat actor activity, ensure you’re monitoring unusual indicators in your system. Look out for:

• The installation and usage of unauthorized remote access tools
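To make the "unauthorized remote access tools" indicator concrete, here is an added example (not code from the e-book or from Palo Alto Networks) that runs a simple detection over process-creation records: any executable on a watchlist of remote access and tunnelling products that is not on the organization's approved list is reported once per host, with the first-seen time, the user, the parent process and the event count. The log line format, the approved-tool policy, the watchlist and every host, user and path are constructed for the demo.

```python
"""Flag process-creation events for remote access tools the organization has not approved.

Added example, not code from the Unit 42 e-book or Palo Alto Networks. The log
format, the approved-tool policy, the binary list and every host, user and path
below are constructed for this demo.
"""
import re
from collections import defaultdict

# Assumption: the single remote-support product this organization has sanctioned.
APPROVED_TOOLS = {"teamviewer.exe"}

# Illustrative (not exhaustive) executable names of remote access / tunnelling
# products; anything here that is not in APPROVED_TOOLS is a finding.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "splashtop_streamer.exe", "rustdesk.exe", "ngrok.exe",
}

# Constructed sample log: simplified process-creation records, one per line.
SAMPLE_LOG = """\
2023-03-01T08:02:11Z host=WS-042 user=jdoe image=C:\\Program Files\\TeamViewer\\TeamViewer.exe parent=explorer.exe
2023-03-01T08:15:47Z host=WS-042 user=jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe parent=powershell.exe
2023-03-01T09:01:03Z host=SRV-DB1 user=svc_backup image=C:\\Windows\\Temp\\ngrok.exe parent=cmd.exe
2023-03-01T09:30:00Z host=WS-017 user=asmith image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE parent=explorer.exe
2023-03-02T02:14:55Z host=SRV-DB1 user=svc_backup image=C:\\Windows\\Temp\\ngrok.exe parent=cmd.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) parent=(?P<parent>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, adding the lower-cased executable name; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["binary"] = rec["image"].rsplit("\\", 1)[-1].lower()
    return rec


def detect_unauthorized_remote_tools(log_text):
    """Return one finding per (host, binary): first-seen time, user, parent process and event count."""
    first_seen = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip rather than crash the sweep
        binary = rec["binary"]
        if binary in REMOTE_ACCESS_BINARIES and binary not in APPROVED_TOOLS:
            key = (rec["host"], binary)
            counts[key] += 1
            first_seen.setdefault(key, rec)
    findings = []
    for (host, binary), count in counts.items():
        first = first_seen[(host, binary)]
        findings.append({
            "host": host,
            "binary": binary,
            "first_seen": first["ts"],
            "user": first["user"],
            "parent": first["parent"],
            "count": count,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_unauthorized_remote_tools(SAMPLE_LOG):
        print(finding)
```

On the sample data the sanctioned TeamViewer launch is ignored, while AnyDesk dropped into a user's Temp directory by PowerShell and ngrok run under a service account on a database server are both reported. The first-seen timestamp is the value that matters for dwell time: the gap between it and the day the incident is noticed is the window the text above is asking you to shrink.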
Ransom Demand

Threat actors will look for any opportunity to gain the upper hand. With multi-extortion techniques, attackers do more than encrypt files and disrupt business operations. For example, they often post information about breached organizations on dark web leak sites and threaten to release or sell stolen data if a ransom is not paid. The goal is to get you to pay more money, faster.

To minimize multi-extortion techniques, follow a defense-in-depth approach, implementing safeguards at each layer of the web application stack. You can also employ services that monitor your brand and associated communications (e.g., communications on the dark web).

In Unit 42 cases we’ve seen payouts over $8 million.¹
Payment Negotiations

During negotiations, threat actors may mention cyber insurance to get you to pay more, even if you don’t have insurance. In addition, threat actors who have access to your financial information will likely use your (perceived) revenue as a negotiation tool.

Remember, this is a negotiation. Most initial ransomware demands are not paid in full but rather negotiated down.

When deciding whether to pay the ransom for your encrypted files, there are many things to consider. For example:

• What’s your ability to recover the data?
• Do you believe the threat actor has truly stolen your data?
• What types of data are involved?
• How could the situation impact your brand?

While your data may be incredibly valuable to you, there are risks associated with choosing to pay. For example, paying may embolden the threat actors—who may even see you as an “easy payer”—and there’s no way to guarantee you will indeed get your data back. Engage Unit 42 incident response experts to help you navigate the situation and assist in the negotiation process.
Recovery

Even after the incident is resolved, it takes time for an organization to fully restore operations, remediate security issues, improve security controls, and recover the financial and reputational ground lost. This is not to mention the need to address any legal issues that may arise from a data breach.

Logistically, recovery efforts can be very time-consuming and resource-intensive. But err on the side of caution. It’s often a good idea to rebuild affected systems to a clean state to help ensure there are no lingering risks. It may be tempting to cut corners. For example, it may seem difficult to reset passwords across the organization (including service accounts) and improve authentication protocols. Doing this may cause increased help desk interactions, increased communications with vendors, and frequent updates to employees whose day-to-day operations are impacted. However, it’s worth the effort to prevent additional incidents.
A Proactive Strategy

Ransomware groups will continue to threaten organizations in almost every industry and sector. Safeguarding your organization against attacks starts with understanding how they work. When you understand how they work, you can develop a protection strategy that is targeted and specific to every step of a ransomware attack. Equipping yourself with that knowledge will better prepare you for how to respond and recover when an attack takes place.

As ransomware groups turn up the pressure, turn up your organization’s ability to weather the storm and emerge stronger.

Learn best practices to protect your organization
Main +1.408.753.4000
Sales +1.866.320.4788
Support +1.866.898.9087
www.paloaltonetworks.com
© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.