Manoharan Mudaliar

Cyber Security Consultant

The Most Common Attack Vectors for Ransomware

An attack vector is a path that attackers can use to gain unauthorized access to a network or computer in order to deliver a malicious payload or outcome. Attack vectors give attackers a chance to exploit particular vulnerabilities in a system and install different kinds of malware before launching a sustained cyber attack.

Attack vectors are also commonly used to gain access to personally identifiable information or other sensitive data. An attack on sensitive data usually leads to a data breach, exposing the financial and personal information of hundreds of thousands of customers. With the current cost of a data breach marked at $3.92 million, companies stand to benefit from taking the right steps at the right time to limit cyber attacks.

What Is Ransomware?

While attack vectors are the same for all kinds of cyber attacks, ransomware attacks put businesses in a heightened spot of bother. Call it the novelty of ransomware or just the widespread destruction these attacks have caused recently, but businesses sure do view the malware as a significant threat.

Most forms of ransomware lock or encrypt files on a system, while other variants erase documents and data outright. Once access to the documents on the system is blocked, the malware demands that the victim pay a ransom to get the files back. Ransom figures vary from case to case, depending on the data being held.

There have also been cases of extorted businesses paying the ransom, only to receive further ransom demands before being given a full clean slate. So if you thought you could simply regain access to your files by paying the ransom, think twice.

Victims suffering from ransomware attacks are at risk of not only losing personal data and files, but also losing productivity and customer trust. Customers seldom deal with organizations that have gone through a major data breach without successful recovery.

While ransomware first appeared in 1989, a lot has changed since. Ransomware attacks have not only matured in sophistication, but are far more widespread than ever before. The year 2019 saw a 74 percent increase in ransomware attacks, with ransom payments averaging around $80,000 in Q4 2019. With such earning potential, ransomware is the malware of choice for the Madoffs of the cyber world.

Preventing Ransomware by Understanding the Vectors at Play

What can organizations in the line of fire do to better defend themselves against a ransomware attack? Security experts have long recommended that organizations maintain up-to-date backups at all times. These backups should be stored offline, so that affected systems can be wiped and restored if all other defenses fail.

However, with attackers turning up the heat, experts also feel that organizations can be better prepared if they watch for and block the tactics, techniques and procedures that ransomware gangs favor.

Hence, it is critical to understand the tactics attackers use to encrypt your files and deliver their threats. An understanding of attack vectors will help you focus your security effort and attention on every front that needs better defense.

Loose RDP Endpoints

Rankings released by security firms tracking the techniques commonly used by cyber attackers are mostly inconclusive, because of geographic variations and the limited diversity of the incidents they have investigated.

However, recent research from Coveware, a ransomware incident report firm, suggests that RDP was the most common vector in the 1,000 incidents it studied from the first quarter of 2019. RDP accounted for more than half of all successful attacks covered by Coveware during this period, followed by phishing and the exploitation of known or disclosed software vulnerabilities.

RDP, the Remote Desktop Protocol, is a legitimate tool that connects systems across the firm and gives IT administrators remote access. While RDP makes remote management more convenient and easier, it also leaves an opening in the setup for attackers to barge through. Attackers with access to an RDP endpoint can use that entry point, and the systems reachable from it, to establish a foothold on the corporate network and the data on it.

Security firm McAfee recently mentioned that it has tracked “an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets.”

Organizations running RDP can take several steps to shut down vulnerable endpoints. These include protecting accounts with strong passwords, restricting access to VPN users only, and requiring multifactor authentication before login. RDP can also be configured to require Network Level Authentication (NLA), which ensures that every user authenticates before an RDP session is established.
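One way to watch for the RDP credential attacks this section describes: an added example, not from the original post, that scans Windows Security logon events for a burst of failed RDP logons from a single source and a subsequent success from that same source. The sample records are constructed, and the field names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon events (not real log data).
# Event 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"time": "2019-03-04T02:10:01", "id": 4625, "type": 10, "src": "203.0.113.45", "user": "administrator"},
    {"time": "2019-03-04T02:10:04", "id": 4625, "type": 10, "src": "203.0.113.45", "user": "admin"},
    {"time": "2019-03-04T02:10:07", "id": 4625, "type": 10, "src": "203.0.113.45", "user": "backup"},
    {"time": "2019-03-04T02:10:11", "id": 4625, "type": 10, "src": "203.0.113.45", "user": "jsmith"},
    {"time": "2019-03-04T02:10:15", "id": 4625, "type": 10, "src": "203.0.113.45", "user": "jsmith"},
    {"time": "2019-03-04T02:11:30", "id": 4624, "type": 10, "src": "203.0.113.45", "user": "jsmith"},
    {"time": "2019-03-04T09:00:00", "id": 4625, "type": 10, "src": "10.0.0.12", "user": "itadmin"},
    {"time": "2019-03-04T09:00:20", "id": 4624, "type": 10, "src": "10.0.0.12", "user": "itadmin"},
    {"time": "2019-03-04T09:05:00", "id": 4625, "type": 3, "src": "10.0.0.40", "user": "svc"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for every source with at least `threshold`
    failed RDP logons inside `window`. The finding lists the accounts tried
    (several distinct users suggests password spraying) and whether a
    successful RDP logon from the same source followed the burst."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == 10:  # keep only RemoteInteractive (RDP) logons
            by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e))
    findings = {}
    for src, entries in by_src.items():
        entries.sort(key=lambda t: t[0])
        fails = [(t, e) for t, e in entries if e["id"] == 4625]
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(fails) - threshold + 1):
            start, end = fails[i][0], fails[i + threshold - 1][0]
            if end - start <= window:
                users = sorted({e["user"] for _, e in fails[i:i + threshold]})
                success = any(e["id"] == 4624 and t > end for t, e in entries)
                findings[src] = {"failures": len(fails), "users": users,
                                 "success_after_burst": success}
                break  # the first burst per source is enough to alert on
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

A success right after a burst is the case to escalate first, since it means the endpoint was reached with a working credential rather than merely probed.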

Phishing for Credentials

Email phishing is the second most common ransomware attack vector. Attackers use attachments, links or both to trick curious users into downloading the attachment or opening the link.

Phishing emails usually appear to come from known contacts. The email asks users to enter their credentials for some bogus purpose. The credentials the employee enters are then stolen and used to access key points within the target computer and install the ransomware.

Phishing can also happen through malicious email attachments. As mentioned above, an unsuspecting employee receives an email from what looks like a known or trusted source. The email carries an attachment the user is asked to download. As soon as the user opens the attachment, the system is infected and the files on that system, or across the connected network, are held for ransom.

Knowledge truly is power when it comes to limiting the risk of compromise or ransomware through phishing. Organizations looking to safeguard their data should educate employees on the dangers posed by phishing emails. Employees should be warned against entering credentials for any unexpected purpose and should save known contacts in their email client, so that similar-looking email addresses do not fool them.
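The "similar-looking email address" advice above, as an added example that is not part of the original post: a check that compares a sender's domain against a saved contact list, normalizing common look-alike characters and allowing one character of difference. The known-domain list and the substitution table are constructed assumptions.

```python
import unicodedata

# Constructed list of domains the organization already corresponds with.
KNOWN_DOMAINS = {"example.com", "partner-bank.com", "supplier.co.uk"}

# Character sequences that look alike in common fonts (assumed, not exhaustive):
# digits for letters, "rn" for "m", and a few Cyrillic letters for Latin ones.
_HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "ı": "i", "с": "c", "е": "e", "о": "o", "а": "a"}


def normalize(label):
    """Fold a domain label to the plain-Latin form a reader would perceive."""
    label = unicodedata.normalize("NFKC", label).lower()
    for look_alike, plain in _HOMOGLYPHS.items():
        label = label.replace(look_alike, plain)
    return label


def edit_distance(a, b):
    """Levenshtein distance, so off-by-one domains (example.co) are caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_DOMAINS, max_distance=1):
    """Return ("known", domain), ("lookalike", known_domain) or ("unknown", domain)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return ("known", domain)
    norm = normalize(domain)
    for k in known:
        if norm == normalize(k) or edit_distance(norm, normalize(k)) <= max_distance:
            return ("lookalike", k)
    return ("unknown", domain)


if __name__ == "__main__":
    for sender in ("alice@example.com", "alice@exarnple.com", "ops@supp1ier.co.uk"):
        print(sender, "->", classify_sender(sender))
```

An edit distance of one will also pair genuinely distinct short domains, so treat a "lookalike" result as a prompt for a second look rather than an automatic block.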

Drive-By Malware Attacks

Drive-by malware attacks work on a model similar to phishing to infect systems. Cyber criminals compromise legitimate websites, or place advertisements on them, that redirect visitors to malicious sites hosting exploit code built to take advantage of known vulnerabilities in the browser.

“Exploit kits most frequently used in these drive-by attacks were RIG, Fallout, and Spelevo,” Group-IB says. “Some threat actors, such as Shade and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma operators gathered information about the intruded network, moving laterally and compromising entire network infrastructures.”

Malicious Insiders

An insider is usually an employee with access to private company information and knowledge of its vulnerabilities. A malicious insider is, hence, someone who exposes these vulnerabilities and private information to other threat actors.

Unhappy or disgruntled employees are the usual malicious insiders. Any employee or user with access to networks and sensitive data can inflict irreparable damage through malicious intent and misuse of privilege.

As an organization, you benefit from keeping an eye on unhappy and disgruntled employees. By keeping an eye out, we mean monitoring their data and network access across devices. Even the slightest discrepancy should be treated as a red flag.

Patchy Protection

Patchy protection, or software vulnerability, is the last attack vector we will shed light on. Unpatched software lays out a welcome mat for every malware intruder and attacker. In many cases where software isn’t properly patched or updated, attackers can gain access to files and data within the network without having to harvest credentials from employees at all. Talk about making work easy for cyber criminals!

Once attackers gain access to the system through an unpatched hole in your software, they can attack key programs and exfiltrate sensitive consumer data. Additionally, a number of ransomware strains have reduced their footprint and evolved into newer forms that are extremely hard to detect. The invisible nature of the attack usually means the ransomware can dwell in your environment for an unlimited period, leading to maximum destruction even if you are able to take some face-saving measures.

To ensure vulnerabilities in your software aren’t exploited, you need to identify and remediate them promptly. Periodic vulnerability scans help you identify weaknesses within the setup and what you ought to do to eliminate them.

Regardless of how prepared you are, a cyber security consultant can do wonders for your fight against ransomware. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.
