Manoharan Mudaliar

Cyber Security Consultant

The Most Common Attack Vectors for Ransomware

An attack vector is the path an attacker uses to gain unauthorized access to a network or computer and deliver a payload. It gives the attacker a way to exploit a weakness in the system, install malware and then carry out further attacks from that foothold.

Attack vectors are also used to reach personally identifiable information and other sensitive data. An attack on that data usually ends in a breach that exposes the financial and personal information of hundreds of thousands of customers. With the cost of a data breach currently put at $3.92 million, companies that take the right steps at the right time to limit attacks come out ahead.

What Is Ransomware?

Attack vectors are largely the same for all kinds of cyber attacks, but ransomware puts businesses in a particularly tight spot. Whether it is the novelty of ransomware or the widespread damage these attacks have caused recently, businesses clearly view the malware as a significant threat.

Most forms of ransomware lock or encrypt files on a system; some variants delete documents and data outright. Once access to the files is blocked, the malware displays a demand that the victim pay a ransom to get them back. Ransom figures vary from case to case, depending on the data being held.

There have also been cases of extorted businesses paying the ransom only to receive further demands before their data was fully released. So if you assumed that paying the ransom would get your files back, think twice.

Victims of ransomware attacks risk not only losing personal data and files but also losing productivity and customer trust. Customers seldom keep dealing with an organization that has suffered a major data breach without recovering successfully.

Ransomware first appeared in 1989, and a great deal has changed since. Attacks have not only matured in sophistication but are far more widespread than ever before. 2019 saw a 74 percent increase in ransomware attacks, with ransom payments averaging around $80,000 in Q4 2019. With that earning potential, ransomware is the malware of choice for the Madoffs of the cyber world.

Preventing Ransomware by Understanding the Vectors at Play

What can organizations in the line of fire do to better defend themselves against a ransomware attack? Security experts have long recommended that organizations maintain up-to-date backups at all times. These backups should be stored offline, so that affected systems can be wiped and restored if every other defense fails.

However, with attackers turning up the heat, experts also feel that organizations are better prepared if they watch for and block the tactics, techniques and procedures ransomware gangs favor.

Hence, it is critical to understand the tactics attackers use to get in, encrypt your files and deliver their demands. Understanding attack vectors lets you focus your security effort on the fronts that need better defense.

Loose RDP Endpoints

Rankings from security firms that track the techniques attackers use are often inconclusive, because of geographic variation and the limited diversity of the incidents each firm has investigated.

However, research from the ransomware incident response firm Coveware found RDP to be the most common vector in the roughly 1,000 incidents it studied from the first quarter of 2019. RDP accounted for more than half of the successful attacks Coveware handled in that period, followed by phishing and exploitation of known or disclosed software vulnerabilities.

RDP, the Remote Desktop Protocol, is a legitimate tool that connects systems across the firm and gives IT administrators remote access. While RDP makes remote management easier, an endpoint exposed to the internet also gives attackers a way in. An attacker who gets access to an RDP endpoint can use it, and the systems reachable from it, to establish a foothold on the corporate network and the data on it.

Security firm McAfee recently mentioned that it has tracked “an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets.”

Organizations that use RDP can take several steps to shut down vulnerable endpoints: protect accounts with strong passwords, allow RDP only from the VPN rather than from the internet, and require multifactor authentication before login. RDP servers should also be configured to require Network Level Authentication (NLA), so that every user must authenticate before a session is even established, which keeps unauthenticated clients away from the session-handling code. A quick check worth doing is to scan your own external address space for TCP port 3389 to find endpoints you did not know were exposed, and to review Windows Security logs for logon type 10 (RemoteInteractive) events from addresses outside the VPN pool.
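The log review just described, as an added example that is not part of the original post: a small Python checker that reads simplified Windows Security logon records and flags two things, successful RDP logons (logon type 10) from addresses outside the VPN client pool, and a single source that racks up repeated RDP logon failures inside a short window, the pattern left by a password-guessing run. The log lines, the VPN pool 10.8.0.0/24 and the thresholds are constructed for the example; real 4624/4625 events carry more fields, but the ones used here are the ones that matter for this check.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). The field names mirror the
# ones Windows Security events 4624 (logon success) and 4625 (logon failure)
# carry; LogonType 10 (RemoteInteractive) is the one RDP sessions produce.
SAMPLE_EVENTS = [
    "2020-05-20T02:14:01 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45",
    "2020-05-20T02:14:09 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45",
    "2020-05-20T02:14:17 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.45",
    "2020-05-20T02:14:25 EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.45",
    "2020-05-20T02:14:33 EventID=4625 LogonType=10 User=sqlservice SrcIP=203.0.113.45",
    "2020-05-20T02:14:41 EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.45",
    "2020-05-20T02:15:02 EventID=4624 LogonType=10 User=jsmith SrcIP=203.0.113.45",
    "2020-05-20T08:30:11 EventID=4624 LogonType=10 User=jsmith SrcIP=10.8.0.12",
    "2020-05-20T08:31:40 EventID=4625 LogonType=3 User=svc_web SrcIP=198.51.100.7",
    "2020-05-20T08:32:05 EventID=4625 LogonType=10 User=jsmith SrcIP=10.8.0.12",
]

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")   # assumed VPN client address pool
RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5              # failures from one source inside WINDOW = brute force
WINDOW = timedelta(minutes=5)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": ipaddress.ip_address(m["ip"]),
    }


def analyse_rdp(lines, vpn_pool=VPN_POOL, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Flag RDP logons that bypass the VPN and sources that brute-force RDP."""
    outside_vpn = []                  # successful RDP logons from non-VPN addresses
    recent_fail = defaultdict(deque)  # source IP -> timestamps of recent failures
    bruteforce = {}                   # source IP -> peak failure count inside window

    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue                  # ignore non-RDP logons and unparseable lines
        if ev["eid"] == 4624 and ev["ip"] not in vpn_pool:
            outside_vpn.append({"ts": ev["ts"].isoformat(),
                                "user": ev["user"], "ip": str(ev["ip"])})
        elif ev["eid"] == 4625:
            q = recent_fail[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                ip = str(ev["ip"])
                bruteforce[ip] = max(bruteforce.get(ip, 0), len(q))

    return {"outside_vpn": outside_vpn, "bruteforce": sorted(bruteforce.items())}


if __name__ == "__main__":
    for kind, hits in analyse_rdp(SAMPLE_EVENTS).items():
        print(kind, hits)
```

In the sample data the same source fails six times in forty seconds and then logs in as jsmith from outside the VPN pool, which is exactly the sequence a guessed or purchased RDP credential produces; either finding on its own is worth a look, the two together are an incident. Type 3 failures are ignored because they are network logons (SMB and the like), not RDP.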

Phishing for Credentials

Email phishing is the second most common ransomware attack vector. Attackers use attachments, links, or both to trick curious users into opening the attachment or following the link.

Phishing emails usually appear to come from known contacts. The email asks the user to enter their credentials for some bogus purpose; the credentials are then stolen and used to access systems in the target network and install the ransomware.

Phishing can also happen through malicious attachments. As above, an unsuspecting employee receives an email that appears to come from a known or trusted source, carrying an attachment the user is asked to open. As soon as the user opens it, the system is infected and the files on that system, or across the connected network, are held for ransom.

Knowledge is power when it comes to limiting the risk of compromise or ransomware through phishing. Organizations looking to safeguard their data should educate employees on the dangers of phishing emails. Employees should be warned against entering credentials in response to any unexpected request, and should keep known contacts saved in their address book so that similar-looking addresses do not fool them. Training alone is not enough, though: multifactor authentication limits what a stolen password is worth, and mail filtering that blocks executable and macro-enabled attachments removes the most common payload carriers.
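The "similar-looking address" check above can also be automated at the mail gateway. As an added example that is not part of the original post, the Python below compares the From header of an incoming message against a small address book and reports three classic look-alike tricks: a known display name attached to a different address, a domain that only differs by confusable characters (rn for m, 0 for o and so on), and a domain that is a near miss of a known one. The address book, the confusable table and the similarity threshold are constructed assumptions for the example.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book (display name, lower-cased -> address). Assumption:
# in a real deployment this comes from the directory or the user's contacts.
KNOWN_CONTACTS = {
    "priya nair": "priya.nair@example-corp.com",
    "finance team": "finance@example-corp.com",
}

# Character pairs attackers swap because they look alike in common fonts.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
DOMAIN_SIMILARITY = 0.8     # assumed cut-off for "near miss" domains


def normalise(addr):
    """Fold confusable characters so look-alikes compare equal to the real address."""
    addr = addr.lower()
    for look, real in HOMOGLYPHS:
        addr = addr.replace(look, real)
    return addr


def domain_of(addr):
    return addr.rpartition("@")[2]


def classify_sender(from_header, contacts=KNOWN_CONTACTS, threshold=DOMAIN_SIMILARITY):
    """Return (verdict, reason) for the sender of a message."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    if "@" not in addr:
        return ("reject", "unparseable From header")
    if addr in contacts.values():
        return ("ok", "known contact")
    if name in contacts:                       # right name, wrong mailbox
        return ("suspicious", f"display name of known contact {name!r} with address {addr}")
    norm = normalise(addr)
    for known in contacts.values():            # same address once confusables are folded
        if norm == normalise(known):
            return ("suspicious", f"homoglyph look-alike of {known}")
    dom = domain_of(addr)
    for kd in {domain_of(k) for k in contacts.values()}:
        ratio = SequenceMatcher(None, dom, kd).ratio()
        if dom != kd and ratio >= threshold:   # e.g. missing or extra letter in the domain
            return ("suspicious", f"domain {dom} resembles {kd} ({ratio:.2f})")
    return ("unknown", "sender not in address book")


if __name__ == "__main__":
    for hdr in ('"Priya Nair" <priya.nair@example-corp.com>',
                '"Priya Nair" <priya.nair@webmail.example>',
                '"P. Nair" <priya.nair@exarnple-corp.com>',
                '"Finance" <finance@example-corp.co>',
                '"Ad Sales" <ads@unrelated.example>'):
        print(hdr, "->", classify_sender(hdr))
```

A "suspicious" verdict is a reason to quarantine or to add a banner, not proof of phishing on its own; the similarity threshold in particular trades false positives against misses and should be tuned on your own mail flow.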

Drive-By Malware Attacks

Drive-by malware attacks use a framework similar to phishing to infect systems. Criminals abuse legitimate websites, typically by placing advertisements that redirect visitors to malicious sites hosting exploit kits: code written specifically to exploit known vulnerabilities in the browser and its plugins. No click on an attachment is needed; visiting the page with an unpatched browser is enough.

“Exploit kits most frequently used in these drive-by attacks were RIG, Fallout, and Spelevo,” Group-IB says. “Some threat actors, such as Shade and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma operators gathered information about the intruded network, moving laterally and compromising entire network infrastructures.”

Malicious Insiders

An insider is usually an employee who has legitimate access to company systems and information, and sometimes knowledge of their weaknesses. A malicious insider is someone who abuses that access, or exposes those weaknesses and private information to other threat actors.

Unhappy or disgruntled employees are the usual malicious insiders, but any employee or user with access to networks and sensitive data can inflict serious damage through malicious intent or privilege misuse.

As an organization, you benefit from keeping an eye on unhappy and disgruntled employees. In practice that means monitoring their data and network access across devices; even a small discrepancy should be treated as a red flag. Monitoring works best alongside least privilege: limit each account to the access its role needs, and revoke that access promptly when someone leaves, so that what any one insider can reach, copy or encrypt is bounded.

Patchy Protection

Patchy protection, that is, unpatched software vulnerabilities, is the last attack vector we will cover here. Unpatched software lays out a welcome mat for every intruder. Where software is not patched or updated, attackers can reach files and data on the network without ever having to harvest credentials from employees. Talk about making work easy for cyber criminals!

Once attackers are in through an unpatched hole, they can attack key systems and exfiltrate sensitive customer data. In addition, many ransomware operations have reduced their footprint and evolved into forms that are very hard to detect. That stealth means the ransomware can dwell in your environment for a long time before it strikes, maximizing the damage even if you manage some face-saving measures.

To ensure vulnerabilities in your software are not exploited, you need to identify and fix them promptly. Periodic vulnerability scans help you find weaknesses in the setup and decide what to do to eliminate them. Prioritize internet-facing systems and flaws with publicly available exploits, since those are the ones attackers reach first.

Regardless of how prepared you are, a cyber security consultant can do wonders for your fight against ransomware. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.

Ransomware 101: Facts, Threats, and Countermeasures

Ransomware 101

The last two years have seen ransomware become a substantial threat to individuals and businesses in the US. As the name suggests, ransomware, a type of malware, holds victims’ files to ransom. The targeted individual or organization risks losing their files altogether, or sustaining a financial loss if they choose to pay.

According to a 2019 report by The Beazley Group, small and medium-sized businesses, which typically spend less on information security, were the most at risk of ransomware attacks.

While the average ransomware demand in 2018—a staggering $116,000—was skewed by some exceptionally large demands, the median demand was $10,310. A Safety Detectives analysis found that the average projected cost of ransomware-caused downtime per incident in 2020 was $283,800.

In this piece, we’ll provide an in-depth guide to ransomware facts, threats, and countermeasures.


Ransomware Variant Pezi

A new ransomware variant has been spotted: PEZI.

After analysis, it appears to be an updated version of Djvu. The files were encrypted with an online ID, so offline decryption is not possible; the only key that can decrypt them is the one held on the attackers’ server.

Online ID. In most cases the ransomware is able to reach its command and control servers while it encrypts files. When that happens, the servers generate a random key for each infected computer. Because each computer has its own unique key, a key recovered from another machine cannot decrypt your files. Unfortunately, there is currently nothing that can be done to recover files encrypted by this version.

Ransom note:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-gSEEREZ5tS
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoreadmin@firemail.cc

ransomnote_email: helpmanager@mail.ch

sample_extension: .pezi

sample_bytes: [0x4F203 – 0x4F229] 0x7B33364136393842392D443637432D344530372D424538322D3045433542313442344446357D
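The indicators listed above are enough to triage a host, even though they cannot recover its files. As an added example that is not part of the original post, the Python below decodes the published sample bytes to show the ASCII string they spell, then walks a directory tree and reports files carrying the .pezi extension, text files mentioning either contact address from the note, and files that hold the sample byte pattern at the published offset 0x4F203. The tree it scans is a constructed fixture built in a temporary directory; the file names in it are invented.

```python
import os
import re
import tempfile

# Indicators taken from the note and sample fields published above.
PEZI_EXTENSION = ".pezi"
NOTE_EMAILS = {"helpmanager@mail.ch", "restoreadmin@firemail.cc"}
SAMPLE_BYTES_HEX = ("7B33364136393842392D443637432D344530372D"
                    "424538322D3045433542313442344446357D")
SAMPLE_BYTES_OFFSET = 0x4F203          # start of the published [0x4F203 - 0x4F229] range
MARKER = bytes.fromhex(SAMPLE_BYTES_HEX)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_sample_bytes(hex_string=SAMPLE_BYTES_HEX):
    """Render the published sample bytes as text to see what the pattern spells."""
    return bytes.fromhex(hex_string).decode("ascii")


def triage(root):
    """Walk a tree and report encrypted files, ransom notes and marker hits."""
    findings = {"encrypted": [], "notes": [], "marker": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower().endswith(PEZI_EXTENSION):
                findings["encrypted"].append(path)
                continue
            try:
                with open(path, "rb") as f:
                    head = f.read(8192)                   # enough to hold a ransom note
                    f.seek(SAMPLE_BYTES_OFFSET)
                    at_offset = f.read(len(MARKER))       # b"" if the file is shorter
            except OSError:
                continue
            hits = NOTE_EMAILS & set(EMAIL_RE.findall(head.decode("utf-8", "ignore")))
            if hits:
                findings["notes"].append((path, sorted(hits)))
            if at_offset == MARKER:
                findings["marker"].append(path)
    return findings


def build_demo_tree():
    """Constructed fixture standing in for a hit host; returns its root path."""
    root = tempfile.mkdtemp(prefix="pezi-demo-")
    with open(os.path.join(root, "budget.xlsx.pezi"), "wb") as f:
        f.write(os.urandom(64))                           # stands in for ciphertext
    with open(os.path.join(root, "_readme.txt"), "w") as f:
        f.write("ATTENTION!\nTo get this software you need write on our e-mail:\n"
                "helpmanager@mail.ch\nReserve e-mail address to contact us:\n"
                "restoreadmin@firemail.cc\n")
    with open(os.path.join(root, "shopping.txt"), "w") as f:
        f.write("milk, bread, eggs\n")                    # benign, must not be flagged
    with open(os.path.join(root, "sample.bin"), "wb") as f:
        f.write(b"\x00" * SAMPLE_BYTES_OFFSET + MARKER + b"\x00" * 16)
    return root


if __name__ == "__main__":
    print("sample_bytes decode:", decode_sample_bytes())
    for kind, hits in triage(build_demo_tree()).items():
        print(kind, hits)
```

The decoded sample bytes are a GUID-shaped ASCII string in braces, which is why they are usable as a byte pattern; the example only matches them at the published offset and does not claim what the string is used for. Matching these indicators tells you a host was hit and which note was dropped; it does not recover anything, so the output is an inventory for the incident record and for restoring from backup.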

US-CERT Releases Malicious Cyber Activity Report

The US Computer Emergency Readiness Team (US-CERT) has released an analysis of a Remote Access Tool (RAT) malware variant identified as COPPERHEDGE.

“The Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified based on network and code features. The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of ‘WinHTTP_Protocol’ and later ‘WebPacket.’”

Malware Analysis Report Published by US-CERT on Trojan: TAINTEDSCRIBE

“The trojan is a full-featured beaconing implant and its command modules. These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator. It downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes, and perform target system enumeration.”

Malware Analysis Report Published by US-CERT on Trojan: PEBBLEDASH

“This report looks at a full-featured beaconing implant. This sample uses FakeTLS for session authentication and for network encoding utilizing RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

US-CERT provides detailed information, including indicators and recommended mitigations, in the reports listed below; please follow the US-CERT website for updates.

Reference:

  1. https://www.us-cert.gov/northkorea
  2. https://www.us-cert.gov/ncas/alerts/aa20-106a
  3. https://www.us-cert.gov/ncas/analysis-reports/ar20-133a
  4. https://www.us-cert.gov/ncas/analysis-reports/ar20-133b
  5. https://www.us-cert.gov/ncas/analysis-reports/ar20-133c
  6. https://www.schneier.com/blog/archives/2020/05/us_government_e.html