Understanding what happens after ransomware helps MSPs protect against it

We all know — more or less — how to detect a ransomware attack, and what happens during one, but we have much less visibility on what happens after.

Why should we care? It's only when we understand the "after" do we quickly realize that the full extent of the danger. It shows us why we need to check, control, and analyze any and all access to machines, servers, and the network.

Ransomware's impact comes after the attack

The first thing to know is that, while the attackers encrypt your clients' files, while they attack their machines, your clients' work continues as normal. The main business for attackers happens after the attack.

Today the attackers don’t just infiltrate machines. They analyze all the documents they copied — stolen documents.

Ransomware is not only the encryption of information, it is the access to then allow everything.

A successful ransomware attack makes the bad actors the masters of your clients' machines. And they are going to blackmail them.

There's a clear marketing mindset to the malevolence that they have set up:

• The first attack is the hostage-taking of machines and files by encryption. They ask for payment in return for the decryption of the documents they've taken hostage.

• The second attack is the threat from the hackers to disclose information and to alert the authorities. Since regulations such as GDPR levy hefty fines for the non-disclosure of attacks, this second attack has proved to be more and more common.

• The third attack is the auctioning of the data stolen from the companies that have not paid following the first two blackmail attempts.

Read more: How securing Active Directory can prevent ransomware attacks

Stolen data for auction

Remember, everything is for sale. Login and passwords, identifiers, and all the data they can collect. Attackers put together samples of the data available and contact all potentially interested parties.

A deposit gets you a seat at the table to participate in this eBay-style online auction.

There are now partnerships between ransomware operators to take advantage of this stolen data when victims don't pay the ransom.

Operators can now download and leverage this wider pool of data to help improve their own operations.

But some distributed files get "trapped." Cybersecurity companies, who think they're doing cyber intelligence, download the files. And the company they're trying to help gets scammed once again.

Rentals and royalties through ransomware as a service (RaaS)

The operators of the ransomware themselves are not the only ones who can launch an attack. A few months into the ransomware’s life, the business model may now switch to Ransomware-as-a-Service (RaaS).

Recruitment is simple. A bad actor can pay a rate ranging from 10 dollars to several hundred or thousands of dollars. Anyone who knows absolutely nothing about ransomware, but has a couple of tools, can leverage the ransomware to release more mayhem. These new operators can also now infiltrate, copy, encrypt, send messages and negotiate.

And the attackers who launched the ransomware to begin with? They can collect royalties. The share from any successful attack ranges from 70% to as low as 30%. This means that the initial attacker who infiltrates your clients' computer or server could receive 70% of the amount that could be raised.

And the amounts demanded as ransom are not pocket change. Some go so far as asking for $40 million — which is the case of a large New York law firm. Understandably, 30% of $40 million is tantalizing for the original operator, and a real motivation to share their tools!

Attackers even create promotional videos to sell their little "toys" on the dark digital RaaS marketplace. This and the many add-on options available for rent give a clear window into just how savvy these operators are.