Multistage ransomware attacks on vital infrastructure providers are becoming more dangerous and frequent, according to an analysis by cybersecurity firm Cybereason.
According to Cybereason, many networks that protect critical infrastructure are ‘old and vulnerable’. Although the aim of most attacks is still to collect ransom, many groups are also out to test the resilience and security of these systems. “It is only a matter of time before a catastrophic event occurs, putting a nation in the dark or causing damage to the integrity of our electricity networks, water systems or industrial networks.”
Best practices for mitigating these types of threats include setting up cyber-incident response tools and procedures, setting up workflows in both IT and OT environments, and designing and working with resilience in mind.
A multistage ransomware attack unfolds in several stages. In the first stage, a device is infected with ransomware, but the ransomware is not triggered yet. Instead, hackers use the ransomware to infect as many devices within the network as possible. Critical components, such as domain controllers, can also be infected in this way. According to the report, it can sometimes take several hours to infect such a component.
Once the attackers have infected as many devices as possible and collected as much data as possible, the ransomware is triggered. As a result, users no longer have access to infected devices. They can only get that access back if they pay the ransom, and even then it is not certain that they will regain access to their systems or that all the data will still be available.