Under Attack: Understanding the Stages and Responses to a Ransomware Attack


    Dec 23, 2022

    In the news we see the word ‘ransomware’ every so often, but I assume that not everyone knows the success rate of ransomware attacks. Before I started this blog, I was familiar with some, but not all, of the current statistics on ransomware. Sure, I knew the during-attack measures are necessary, but just how necessary?

    Sophos, the British-based security company, reported that in 2021, 39% of attacks were intercepted before they could encrypt any data, but that over half (54%) of all ransomware attacks were successful. In such events, your system relies heavily on the security system, and that in short, your system’s during-attack measures are extremely important.

    Ransomware attacks aren’t isolated incidents, but refer to a series of events designed to first disrupt and disable systems, then force organizations to pay large sums to recover data and systems. By walking through each stage of a ransomware attack, we can better understand the scope of the threat and why your enterprise needs available backup copies.

    How ransomware infiltrates your system

    • Stage 1: Detection

    Hackers aim to collect information from an organization and/or IT system, using network sniffing tools to find vulnerabilities in the target IP address, OS information, and open ports. Through public means, like emails, hackers access internal department and email information.

    • Stage 2: Attack implantation

    The attackers set up the ransomware to infiltrate your system, using one or a combination of vulnerability exploits, phishing, and malware.

    • Stage 3: Infection and distribution

    Attackers exploit zero-day vulnerabilities, extract passwords, or gain credentials to infiltrate the whole system and find high-value data.

    • Stage 4: File encryption

    Once ransomware can access a system, it will traverse folders to encrypt files, change the suffix name, or delete the original files. Since it is near impossible to decrypt this data, your organization has three choices: accept the data is lost, recover from a replica or backup, or pay the ransom.

    During-attack response

    Any attack, big or small, can be costly both financially and to your brand reputation. Check Point reports that, on average, the total costs (including response and restoration costs, legal fees, monitoring costs, etc.) arising from a ransomware attack in 2020 were seven times higher than the ransom paid.

    So, what’s the answer? What can we do if your organization is compromised? Here is some advice to minimize your losses.

    • Ransomware detection. Ransomware detection enables the storage system to quickly intercept and detect ransomware attacks, thus initiating proactive protection to ensure the retained data copies are clean and not infected by ransomware.
    • Data encryption. Protocol, storage, and transmission link encryption are important to avoid data leakage. It ensures that even if hackers manage to enter the storage system or storage network, they cannot access enterprises’ confidential data.
    • Snapshot. A snapshot cannot be deleted or modified before the pre-set protection period expires. It ensures the storage data is read-only, preventing ransomware from tampering with your system.
    • Instant recovery of data. The reason we need this is that the recovery speed determines the financial loss suffered by an enterprise because of a ransomware attack. You would want the fastest data recovery in the event of an attack.
    • Isolated backup copies. Isolated storage of backup copies is the best way to defend against ransomware because it directly reduces the possibility of attacks. Transmission links are disconnected to create a physically isolated environment to protect data from ransomware.

    Keep a clean data copy with Huawei air gap technology

    Physical isolation (such as offline tape libraries) provides the best protection against ransomware, but these are fraught with inefficiencies. Huawei air gap replication technology is used with the link replication SLA, ensuring data copies are automatically or periodically replicated from the production or backup storage to the isolation environment. During the non-replication period, links are disconnected to physically isolate and thus protect data from threats. Air gap replication ensures data copies are offline most of the time, reducing the possibility of attacks.

    I hope you found this post informative! Visit the product page Huawei Ransomware Protection Storage Solution and stay tuned for part 4 of this series: “The 3-2-1-1 Strategy & Ransomware Recovery Actions.”

    Read the first two posts in this series

    Previously, in part 1 of this series, “The Ransomware Story: Predicting the Unpredictable“, we explored the concepts, history, and impact of ransomware. In part 2, “Understanding Hidden Ransomware and Strategies to Detect It” we looked at what happens before a ransomware attack, and what we can do to prevent it.

    Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.


      Leave a Comment

      Posted in


      Posted in