Multistage ransomware attacks against critical infrastructure providers are becoming both more dangerous and more prevalent, according to an analysis published by cybersecurity firm Cybereason.
Multistage ransomware attacks unfold, as the name suggests, in multiple stages. In the first, a device is infected with the malware, but the payload is staged rather than detonated. Instead, the attackers move laterally through the network, infecting as many devices as possible, including critical assets such as domain controllers, which the report says “could take between several minutes to several hours to properly infiltrate”.
Only after infecting as many devices and scraping as much data as possible does the ransomware detonate, locking victims out of their systems.
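The lateral-movement stage described above leaves a recognisable trace: one account authenticating to many distinct hosts in a short window, often including domain controllers and OT assets, before anything is encrypted. The following is an added example of detection logic for that stage; it is not code from Cybereason or from the article. The event format, the host and account names, the ten-minute window, the five-host threshold and the “critical” hostname prefixes are all assumptions constructed for the illustration.

```python
"""
Added example (not from the Cybereason report or the article): a small detector
for the lateral-movement stage of a multistage ransomware attack. It scans
network-logon events for an account reaching an unusually large number of
distinct hosts within a short window, which is what "infecting as many devices
as possible" before detonation tends to look like in authentication logs.
Field names, hostnames, accounts and thresholds are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data), one logon per line:
# "timestamp,account,source_host,target_host,logon_type"
# Logon type 3 is a network logon, the type seen when an account is used
# against remote shares, admin interfaces, etc.
SAMPLE_EVENTS = """\
2023-03-01T02:00:05,svc_backup,WS-017,FS-01,3
2023-03-01T02:00:41,svc_backup,WS-017,FS-02,3
2023-03-01T02:01:10,svc_backup,WS-017,DC-01,3
2023-03-01T02:01:55,svc_backup,WS-017,HMI-04,3
2023-03-01T02:02:30,svc_backup,WS-017,SCADA-HIST-01,3
2023-03-01T02:03:02,svc_backup,WS-017,WS-022,3
2023-03-01T08:15:00,jsmith,WS-003,FS-01,3
2023-03-01T08:16:12,jsmith,WS-003,PRINT-01,3
2023-03-01T09:40:00,jsmith,WS-003,FS-01,3
"""

WINDOW = timedelta(minutes=10)    # assumed tuning value
MAX_HOSTS = 5                      # assumed: more than 5 distinct targets in WINDOW is suspicious
CRITICAL_PREFIXES = ("DC-", "SCADA-", "HMI-")  # assumed naming convention for high-value assets


def parse_events(text):
    """Parse the constructed CSV-style lines into (ts, account, src, dst, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split(",")
        events.append((datetime.fromisoformat(ts), account, src, dst, int(logon_type)))
    events.sort(key=lambda e: e[0])
    return events


def detect_fan_out(events, window=WINDOW, max_hosts=MAX_HOSTS):
    """Return one alert per account whose count of distinct target hosts within
    `window` exceeds `max_hosts`. Only network logons (type 3) are considered."""
    recent = defaultdict(deque)   # account -> deque of (timestamp, target_host)
    alerts = {}
    for ts, account, src, dst, logon_type in events:
        if logon_type != 3:
            continue
        q = recent[account]
        q.append((ts, dst))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) > max_hosts and account not in alerts:
            alerts[account] = {
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "source": src,
                "targets": sorted(targets),
                "critical": sorted(t for t in targets if t.startswith(CRITICAL_PREFIXES)),
            }
    return alerts


if __name__ == "__main__":
    for account, alert in detect_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account} from {alert['source']}: {len(alert['targets'])} hosts "
              f"between {alert['first_seen']} and {alert['last_seen']}; "
              f"critical assets: {', '.join(alert['critical']) or 'none'}")
```

On the constructed data the service account `svc_backup` touches six hosts in three minutes, three of them matching the critical prefixes, and is flagged; the interactive user `jsmith` never exceeds the threshold. In a real deployment the threshold and window would be tuned per account class (backup and scanning accounts legitimately fan out), and the source field would be used to check whether the logons originate from the host the account normally runs on.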
The goal of these campaigns is always financial gain, according to the report, and they are usually enabled by credentials and data stolen in an earlier intrusion.
According to Cybereason, many of the networks that protect critical infrastructure providers are “old and fragile”.
“While it may seem as though some attackers are more interested in taking control of a network and extorting a ransom, just as many groups continue to test the resiliency of systems,” said the firm.
“It is only a matter of time before a catastrophic event occurs, putting a nation in the dark or causing damage to the integrity of our electricity networks, water systems, or SCADA networks.”
Best practices for mitigating threats of this kind include establishing cyber-incident response tools and procedures, running unified security operations centres and workflows across both IT and OT environments, and designing and operating systems with resilience in mind.