Ransomware Attacks: Basics, TTPs, and Countermeasures Course

In this course, you will learn current trends in ransomware attack campaigns, the MITRE ATT&CK techniques extensively used in ransomware attacks, and the DarkSide ransomware attack chain as an example. Moreover, you will learn essential protection methods against ransomware attacks.

Why should I take this course?

Ransomware has grown to be a prevalent and well-known threat to organizations. The impact of these attacks on organizations has risen to the point that some have halted production and, in the case of healthcare, lives have been endangered.

Therefore, we created a learning path entirely dedicated to the ransomware threat. Ransomware attacks are becoming more sophisticated and targeted. As a result, this first course in the ransomware learning path is focused on the offensive techniques employed by adversaries conducting ransomware attacks.

By the end of this course, you will have gained an understanding of recent ransomware attack trends:
  • Ransomware as a Service (RaaS)
  • Quintuple extortion
  • Initial access brokers (IABs)

Additionally, you will discover three MITRE ATT&CK techniques frequently utilized by ransomware gangs:
  • T1486 Data Encrypted for Impact
  • T1490 Inhibit System Recovery
  • T1082 System Information Discovery

Moreover, this course covers the other techniques most commonly applied in a ransomware attack kill chain, using the DarkSide ransomware as an example.

Finally, you'll learn how to take critical measures against ransomware attacks and how to validate and improve your security controls against the full ransomware attack chain.

Ransomware is a type of malware that disables or restricts users' access to their system or data and threatens to publish or sell the victim's data unless the victim pays the attacker a ransom fee.

Ransomware is classified into two major categories:
  • The majority of ransomware variants, dubbed crypto-ransomware, encrypt files on the infected system.
  • However, a few ransomware families also use various methods to delete files or entirely block access to the system, dubbed destructive ransomware.

Ransomware attacks have a catastrophic effect on businesses, resulting in downtime and revenue loss, reputational damage, data loss, and the public disclosure of critical information.

Why is ransomware such a dangerous threat?
  • To begin, it is quite costly for victim organizations. According to Sophos' State of Ransomware Report 2021, the average total cost of resolving ransomware-related incidents was US$1.85 million. This cost includes lost revenue, business interruption, ransom payments, and other costs. For example, according to Coveware's Q3 2021 study, organizations suffer an average of 22 days of business disruption. The average ransom paid by medium-sized businesses is $170,404. However, only 65% of the encrypted data was restored following the ransom payment.
  • Second, ransomware attacks are on the rise. According to Sophos' analysis, ransomware attacked 37% of firms last year, affecting all industries.
  • Third, ransomware is a high-profit, low-risk business for threat actors, which is the primary cause of its proliferation. Additionally, cybercriminals face a low technical entry barrier to the ransomware business as a result of the Ransomware as a Service (RaaS) and Initial Access Brokers (IABs) trends. Ransomware is now being sold as a service on Deep Web forums, which means that anyone with even basic technical knowledge can launch their own ransomware campaign.

This course also includes trends in ransomware attacks. Security teams and security and risk management leaders need to adapt to these trends.
  • The first trend is Ransomware as a Service. Ready-to-use ransomware infrastructures are easily obtainable on the dark web, where they are advertised similarly to legitimate software. Thus, the RaaS business model enables anyone to launch ransomware attacks simply by signing up for a service.
  • Multiple extortion is the second trend. As we all know, the ransomware business is founded on extortion. Initially, ransomware prevented you from accessing your data or compromised systems by encrypting files on infected machines and demanding payment for decryption. Now, attackers are using more methods for extortion.
  • As the third trend, Initial Access Brokers (IABs) are financially motivated threat actors who profit from the sale of remote access to enterprise networks.

We will discuss them in more detail in the course.