The Cyber Kill Chain: The 7 Stages of a Ransomware Attack (& Why Accountants Should Care)

Published: October 10, 2023

For three months, the thieves spent time learning about the business—casing the joint, in movie parlance. They learned the names of key employees, their backgrounds, and where they lived. They knew who worked in which department and who might present an easy target. They built websites that looked just like the legitimate ones that belonged to this company—a big, nationwide organization that’s a household name but that shall remain nameless—and learned the names of their customers.

Finally, one day, they struck. An email came into a group mailbox, a place where the bystander effect is rampant and people tend to be less vigilant because they assume somebody else will be more careful. An unwitting employee opened the email and BOOM. The criminals were in.

The business struggled to survive for the next three weeks, hemorrhaging an eye-watering $400,000 a day just in operations losses. The criminals, triumphant, sent in their ransom demands, asking for hundreds of thousands more, to be paid in bitcoin, which would allow them to remain anonymous. Six months went by, and the company and law enforcement were still struggling to scope out all the places in the network the thieves could have hidden and evict them. After another six months, they were finally back in control of their data and assets, but at an enormous cost.

No, this isn’t the plot of a sci-fi thriller. This is a real-life cybercrime story that Luke Kiely, law enforcement veteran and CISO of SmartVault, related to Seth Fineberg, owner of Accountants Forward and former editor of AccountingWEB, on a recent webinar.

Why was Luke telling this nightmarish tale? Two reasons: First, the accounting department was the criminals’ real target. Its cybersecurity was weak, and it possessed a lot of valuable financial and personal data. Second, he and Seth both want to underscore an incredibly important point: All individuals and businesses—no matter what—are susceptible to a cyber attack. It’s the modern-day equivalent of being a bank in the Old West: If you’re without security and on John Dillinger’s radar, you’re getting robbed.

While ransomware attacks are a heavy subject, it’s true, “this is just the reality of being connected to the internet these days,” Luke admits. And unfortunately, as Seth points out, these kinds of cyberattacks are on the rise simply because, well, they’re profitable for successful criminals. That’s why both experts thought it was so crucial to come together on a webinar to talk about this subject. Awareness needs to be raised, and while a lot of content focuses on best cybersecurity practices (something everyone needs to do), accounting professionals will also benefit from understanding the life cycle of how a ransomware attack works and who’s actually behind a lot of the hacking. Both might surprise you.

The 7 Steps in a Typical Ransomware Attack

"Tech has permeated nearly every aspect of work accountants do these days, but it’s also a double-edged sword," says Seth. "While it’s there to help you work in a myriad of ways with your clients, often in the cloud and in real time, it also means we’re all very connected. And we have to be, to do the work [accountants] do and do it more efficiently." But that connectedness is exactly where a lot of risk comes from, and, as Seth puts it, "it’s a great way for bad actors to get at your clients’ data and make some money for themselves."

Cybercrimes—specifically, ransomware attacks—tend to come in two flavors: direct and indirect. In the latter kind of attack, cybercriminals execute massive phishing campaigns, essentially "taking a shot in the dark," Luke explains. Businesses and people are inadvertently targeted; the thieves are waiting until someone unknowingly clicks that email link and then, they’re in. And you really have to watch out, because as Seth points out, it’s not always super obvious what’s a phishing email anymore. "They often look really legit," he notes.

Direct cybercrimes have a typical life cycle that has seven steps. Luke calls it "the cyber kill chain," and here’s what it looks like:

  1. Step 1: Reconnaissance
    In this phase, cybercriminals undertake online open-source research and gather intelligence on a business and its employees and customers. They investigate its online presence to see what kinds of security measures it has in place so they can develop a strategy to get in. They harvest employee email addresses and credentials, probing the network in search of vulnerabilities. This could happen hours, days, weeks, or even months before the attack actually happens.
  2. Step 2: Weaponization
    In this phase, the criminals figure out a way into the network, often by turning something legitimate, like an email with a link or a Word document, into something malicious. The latter is actually a very common practice. It often looks innocent, like a client just sent you an attachment. Cybercriminals can easily build malware into certain features of Word and create macros that hide malicious code. And unfortunately, most accounting professionals don’t have tech that can analyze the contents of an attachment before they open a document.
  3. Step 3: Delivery
    The attackers deliver the weaponized bundle to the victim, often through an email, a fake website, or even a cloud application. To entice the end user to want to open it and release the malware, they often pretend to be a trusted source and use the power of social engineering to allay any concerns. "Think back to the pandemic," Luke says. "You got a lot of emails from the government to workers to say, this is what we’re doing. COVID was actually an especially good excuse for ransomware attacks. Scammers made use of this as a hook because people wanted to know what was going on. People wanted valuable information. It’s now down to you to decide if you want to open it."
  4. Step 4: Exploitation
    In this phase, the criminals exploit the vulnerability they found to execute code on the victim’s system. When the person opens the email, one of two things happens: either they click a link and are asked to enter bank or network credentials, or they open the attachment, and that simple act allows malware onto the system. The malware immediately starts to take over certain parts of the machine, looking for connected drives and devices, everything that could be on that network.
  5. Step 5: Installation
    This is the part where malware is installed on the asset. It starts encrypting files, and it "locks down all your access to everything," Seth says. In the same way you look on your laptop and have to enter a password, the hackers hijack your system and become the only ones with the information to access your data. Before you know it, they have taken control of everything. "This is where things become insanely problematic," Luke notes. "These files are central to businesses. And the malware could be on an entire firm’s devices, not just on the laptop of one person working at home. It could be firm-wide. Think back to COVID. You get it, you go to your family’s house, you now spread it. Anything you have access to that you can see and touch, you pass it on. Same with malware. That’s why it’s called a virus."
  6. Step 6: Command and control
    Now, the thieves have established a command channel to an external server for remote manipulation of the victim. "Effectively, we now go into the extortion piece, where they want money out of you so you can get your data back," Luke explains.
  7. Step 7: Actions on objectives
    The thieves, now in control, take any additional actions they need to achieve their objective: money. And just because you get hit once doesn’t mean you can’t get hit again. Back to the virus simile: It’s like getting the flu.
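
Step 2 notes that most firms have no way to look inside an attachment before opening it. The following Python code is an added example, not something from the webinar or from SmartVault: it checks an Office file's raw bytes for embedded macros without opening the document. The function names, the hold policy, and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE container used by .doc/.xls/.ppt files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Package parts that hold VBA macros in .docm/.xlsm/.pptm files.
MACRO_PARTS = ("vbaProject.bin", "vbaData.xml")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats may carry macros and need a dedicated parser.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return "not-office"  # a ZIP, but not an Office package
        if any(n.rsplit("/", 1)[-1] in MACRO_PARTS for n in names):
            return "macro"
        # The content-type manifest still declares macros if a part is renamed.
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in manifest or "vnd.ms-office.vbaProject" in manifest:
            return "macro"
    return "no-macro"


def should_hold(data: bytes) -> bool:
    """Assumed policy: hold macro-capable attachments for review before opening."""
    return classify_attachment(data) in ("macro", "legacy-ole")


def build_sample(parts: dict) -> bytes:
    """Build a constructed in-memory package; no real macro code is included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (placeholders, not real documents).
PLAIN = build_sample({"[Content_Types].xml": "<Types/>", "word/document.xml": "<doc/>"})
WITH_MACRO = build_sample({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": b"\x00"})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("macro", WITH_MACRO)):
        print(label, classify_attachment(blob), should_hold(blob))
```

A "macro" or "legacy-ole" result does not prove the file is malicious; it only identifies attachments that can run code and therefore deserve a second look before anyone opens them.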

A Mini Case Study: The Independent Hotel Owner

To illustrate his points, Luke relates the story of the independent hotel owner—a real case he worked on—to Seth and the audience.

In this case, the owner of an independent hotel had received a phishing email that, upon closer inspection, wasn’t even that well disguised. However, like most business owners, he was incredibly busy, and so were his team members. One day, a staff member opened the email—completely unaware it was bogus—and clicked the link. Just like that, a malicious payload entered the hotel’s network. It locked everything down and shut the network down in 90 minutes. The hotel owner and his staff were unable to do anything, Luke says. "They couldn’t access their finance systems, couldn’t open doors to customers’ rooms, couldn’t even contact customers because everything was in a spreadsheet. The attack was devastating in a short amount of time."

Not long after, the hotel owner received a note from the criminals. "They can actually be quite professional," Luke laughs. "This is where they play the emotional game. They want to encourage you to pay the ransom." In this case, the thieves requested the money be paid in the form of cryptocurrency and deposited into a crypto wallet, which has become an incredibly popular choice among cybercriminals due to the anonymity it provides and because it’s far less risky than asking someone to do bank transfers and giving out account numbers. In this case, after some consideration as to how to respond, Luke worked with a broker and the hotel owner to pay the ransom. They set up a crypto account and sent the money the thieves wanted. Slowly, the files were returned decrypted.

"Unfortunately, they were encrypted within about two hours again," Luke remembers. "You really can’t trust a criminal. They go back on their word." That’s right: The hotel had to pay the ransom all over again.

This isn’t even a worst-case scenario, he finishes. This is a fairly common, arguably run-of-the-mill scenario. The hotel was just unlucky.

What Does a Cybercriminal Look Like?

There’s a big misconception around what hackers look like, Luke’s found. "You or I look just like any hacker I’ve ever seen. It’s surprising, but hackers are average people who now have the ability to commit cybercrimes because of how readily available these tools are. Cybergangs develop online through mutual associates. Normal people are introduced to criminality online because they have that propensity or because they’re curious and cybercrime brings the promise of anonymity. They could be out for revenge. Anybody is capable of a cybercrime if they really want to," he cautions.

How to Protect Yourself Against Ransomware Attacks

Think this is sobering information? It’s meant to be! Accountancy firms of all shapes and sizes are the keepers of the most sensitive data. "Data is the new gold," Luke notes. Accountants have a large amount of finite information that is personally and commercially sensitive, which is why they will be targeted by cybercriminals looking to make money by extorting people. A cyberattack could cost a business thousands—if not millions—of dollars and ultimately close its doors. And this applies to businesses of any size. Think about the risk of not doing something about cybersecurity: Is it worth it versus the actual life of your business?

So what do Seth and Luke recommend? They both encourage accounting firm leaders to implement security that is commensurate with the data they store and the size of the organization. Worried about cost? Think about what this is really worth. The cloud can be a great resource. Keep it simple in terms of what you’re doing and why. Think about who you’re protecting and how they’re equipped. If something bad happens, what are you going to do in response to it? Know how you’ll respond. Who do you need to contact and why? The goal is to identify your biggest weaknesses and to have a plan in place that will help you react well to an incredibly emotional situation.

While ransomware is scary, being proactive and having the right tools in place make a big difference. SmartVault provides accounting professionals with a cloud-based document management system and client portal that prioritizes security and compliance. SmartVault automatically backs up your data, making recovery easy. Built with bank-level security, SmartVault also encrypts data both in transit and at rest and has robust user access controls that allow you to restrict and track data access. Two-factor authentication provides an added layer of protection.

To see SmartVault in action, schedule a demo today.