Ransomware continues to be a formidable cyber security threat to many organisations. One significant reason for this is the many types of attack vectors used by ransomware gangs.
In this blog post, we outline some of the most common types and the steps organisations should take to defend themselves.
An ongoing challenge
Ransomware is one of the most significant cyber threats currently faced by organisations. Kroll’s Q4 2021 Threat Landscape report revealed that ransomware remains the most common attack type and an ongoing security challenge.
Ransomware attacks are constantly in the news. Whether it is reports about the Conti Group attacking again or the fact that nearly two-thirds of victims paid ransoms in 2021, ransomware continues to be a significant cyber threat. Yet many ransomware attack vectors are relatively straightforward weaknesses: exposed remote-access services, weak or reused credentials and unpatched software. Organisations that regularly scan for these weaknesses and remediate them close off many of the routes attackers rely on.
Key ransomware attack vectors
Remote Desktop Protocol connections
Remote Desktop Protocol (RDP), a proprietary protocol developed by Microsoft, allows users to connect to other computers over a network connection. RDP (TCP port 3389 by default) is one of the services most commonly left exposed to the internet, which makes it an easy entry point through which attackers can gain a foothold; some cybercrime groups specialise in scanning the internet for exposed RDP hosts. Another reason for RDP's popularity with cybercriminals is that, out of the box, its security rests on the account password alone: weak or reused passwords can be brute-forced or bought from credential dumps, and without a second factor nothing stops a valid credential from being used. Once inside, threat actors use the session to disable endpoint protection, move laterally and deploy the ransomware, after which the organisation is asked to pay in cryptocurrency to regain access to its own data.
Phishing emails
Phishing is one of the most commonly used ransomware attack vectors, whether through links, attachments or both. Attackers craft emails purporting to come from a trusted source and attach a malicious file: a Word or Excel document carrying macros (a maldoc), a script such as a .JS file, or a portable executable (PE) file, often inside an archive or with a misleading double extension such as .pdf.exe. Opening the attachment is usually not enough on its own; the victim also has to enable macros or run the script, at which point a downloader fetches the ransomware (or a loader that later drops it), the system is infected and the user's files are encrypted and held for ransom.
Another form of phishing and a key ransomware attack vector is when malicious links are incorporated into the body of emails that appear to come from a trusted source. Clicking on these URLs takes the victim to an attacker-controlled or compromised site that serves the malicious file, either by prompting the user to download and run it or, where the browser or a plugin is vulnerable, via a drive-by download that needs no further interaction. Either way the system becomes infected and the user's files are held for ransom.
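The attachment types listed above (maldocs, script files and PE files) are the first things a mail gateway should triage, and the check has to look at content rather than trusting the attacker-chosen file name. The following is an added example written for this post, not code from Kroll or from any product: it classifies attachments by magic bytes and by the presence of a VBA project inside an Office Open XML container. The extension lists, the three-way verdict scheme and the sample attachments are all constructed for illustration; the samples are harmless stubs, not real malware.

```python
"""Triage e-mail attachments for the ransomware delivery types discussed above:
macro-enabled Office documents (maldocs), script files and portable executables.
Example code added to this post; samples are constructed in memory, not real malware."""
import io
import zipfile

# Extensions a gateway should block outright (assumed policy, tune to your environment).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif"}
# Office Open XML containers are zip files; a vbaProject.bin part means macros are present.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (OLE2 compound file)
PE_MAGIC = b"MZ"                                    # Windows PE header starts with 'MZ'


def ooxml_has_macros(data: bytes) -> bool:
    """True if the OOXML zip carries a VBA project part (word/, xl/ or ppt/vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Content first: the extension is attacker-controlled ('statement.pdf.exe', renamed files).
    if data.startswith(PE_MAGIC):
        return "block"                      # PE file regardless of the claimed extension
    if ext in EXECUTABLE_EXTENSIONS or ext in SCRIPT_EXTENSIONS:
        return "block"
    if ext in OOXML_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        # Macros inside an OOXML container: a maldoc, send it for detonation/inspection.
        return "quarantine" if ooxml_has_macros(data) else "allow"
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office format (including a .doc renamed to .docx) can embed VBA;
        # parsing the OLE streams needs a dedicated library, so inspect it offline.
        return "quarantine"
    return "allow"


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (a stand-in for a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


# Constructed sample mailbox: names and contents chosen to exercise each branch.
SAMPLES = {
    "invoice.docm": build_ooxml(with_macros=True),
    "minutes.docx": build_ooxml(with_macros=False),
    "report.docx": build_ooxml(with_macros=True),          # macros hiding behind a .docx name
    "scan.js": b"var s = new ActiveXObject('WScript.Shell');",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,     # double extension, PE content
    "quarterly.xls": OLE_MAGIC + b"\x00" * 16,
}


def triage(samples: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:10s} {name}")
```

The ordering matters: a PE file is blocked before the extension is consulted, so renaming the payload does not help the attacker, and a macro-bearing document is quarantined rather than blocked because legitimate macro workbooks exist and a sandbox verdict is the right next step.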
Exploit kits
Another common ransomware vector, exploit kits are toolkits that exploit vulnerabilities in web browsers, browser plugins, operating systems or other software. An attack typically starts when a victim visits a compromised website or is served a malicious advert (malvertising) containing hidden code that redirects the browser to the exploit kit's landing page. The landing page fingerprints the browser and its plugins; if it finds a vulnerability the kit supports, it runs the matching exploit code and uses it to fetch and execute a payload as a drive-by download, installing the ransomware without any click beyond loading the page. The system is then infected and its files held for ransom.
Unpatched software
Any internet-facing system that isn't effectively patched and protected is a potential ransomware attack vector. From web application plugins to VPN gateways and mail servers, an unpatched vulnerability in many types of system can lead to a ransomware attack. As outlined in our reporting, commonly exploited vulnerabilities include the ProxyLogon suite of Microsoft Exchange Server vulnerabilities (CVE-2021-26855 chained with CVE-2021-27065) and PrintNightmare (CVE-2021-34527, in the Windows Print Spooler service), which RaaS operators such as Conti have used after initial access to escalate privileges and move laterally.
USB and removable media
Yet another vector for ransomware attacks is USB devices. In one BadUSB campaign, a cybercrime group mailed out USB thumb drives packaged to appear as if they came from the U.S. Department of Health and Human Services, with the goal of tricking recipients into plugging them into their PCs. A BadUSB device does not rely on autorun or on the user opening a file: its firmware presents itself to the host as a keyboard and types commands as soon as it is plugged in. Depending on how it is programmed, it can inject keystrokes to fetch and run malware, install malware before the operating system boots, or spoof a network card to redirect traffic, giving the attackers the foothold they need to install ransomware on the network.
Key steps to defend against ransomware
Important steps to help reduce the risks created by ransomware attack vectors include:
- Establish a clear policy of strong passwords for all employees
- Ensure RDP is only accessible from inside the organisation or via an organisation-controlled VPN
- Maintain logs of RDP connections and monitor them for bursts of failed logons, logons from unexpected sources and logons at unusual hours
- Prioritise the identification and remediation of vulnerabilities and run regular vulnerability and threat scans
- Regularly educate employees about the risks and best practices, such as password hygiene and how to recognise phishing emails.
- Employ EDR (endpoint detection and response) and NGAV (next-generation anti-virus) so that abnormal activity within the environment can be detected and contained.
- Segment the network so that a compromised host cannot reach everything; this limits lateral movement and restricts access to your data. Be particularly cautious when granting administrative privileges and apply least privilege throughout.
- Undertake regular patch management to ensure all your systems are up-to-date and minimise vulnerabilities that could be exploited.
- Use multi-factor authentication (MFA) on as many applications as possible. This is especially important for remote login and virtual application services, as ransomware groups can easily access these with stolen or dumped credentials found on the Darknet. Where possible prefer OTP (one-time password) or number-matching prompts over simple push approval, because some attackers repeatedly send push requests to an end user's device (MFA fatigue) until one is accepted.
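The RDP vector described earlier and the logging step above come together in a simple detection: a burst of failed logons from one source followed by a success from the same source is the signature of password guessing that worked. The following is an added example written for this post, not Kroll's tooling or any SIEM's rule syntax. The one-line log format is an assumption standing in for whatever your SIEM exports, the sample lines are constructed (203.0.113.0/24 is a documentation range), and the threshold and window are illustrative.

```python
"""Detect RDP password guessing in Windows Security log events and flag a
success that follows a burst of failures. Example code added to this post,
run over constructed log lines (not real telemetry)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event 4625 = failed logon, 4624 = successful logon. Interactive RDP sessions are
# LogonType 10; when Network Level Authentication is enabled the credential check
# happens before the session exists, so failures are recorded as LogonType 3.
FAILED, SUCCESS = "4625", "4624"
RDP_LOGON_TYPES = {"10", "3"}
THRESHOLD = 5                   # failures per source within the window (assumed tuning)
WINDOW = timedelta(minutes=5)

# Constructed sample log: one source spraying 'administrator' and then succeeding,
# and one user who mistypes a password twice before logging in normally.
SAMPLE_LOG = """\
2022-03-01T02:14:05Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2022-03-01T02:14:06Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2022-03-01T02:14:07Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2022-03-01T02:14:08Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2022-03-01T02:14:09Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2022-03-01T02:14:10Z 4625 LogonType=3 User=administrator Src=203.0.113.7
2022-03-01T02:16:40Z 4624 LogonType=10 User=administrator Src=203.0.113.7
2022-03-01T08:01:12Z 4625 LogonType=10 User=jsmith Src=10.20.30.40
2022-03-01T08:01:30Z 4625 LogonType=10 User=jsmith Src=10.20.30.40
2022-03-01T08:01:45Z 4624 LogonType=10 User=jsmith Src=10.20.30.40
"""


def parse(line: str) -> dict:
    """Parse one '<timestamp> <event id> Key=Value ...' line (assumed export format)."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "id": event_id,
            "logon_type": kv["LogonType"], "user": kv["User"], "src": kv["Src"]}


def detect(log_text: str) -> list:
    """Return (source, alert) tuples in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    flagged = set()               # sources already reported for brute force
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if ev["id"] == FAILED:
            q.append(ev["ts"])
            if len(q) >= THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append((ev["src"], f"brute force: {len(q)} RDP failures in {WINDOW}"))
        elif ev["id"] == SUCCESS and ev["src"] in flagged and q:
            # A success while the failure burst is still inside the window: the guess landed.
            alerts.append((ev["src"], f"success for {ev['user']} after brute force"))
    return alerts


if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG):
        print(f"{src:15s} {alert}")
```

The second alert is the one to page on: a lone burst of failures is noise on any internet-facing RDP host, but a success from the same source inside the window means a credential is in use and the host should be isolated while the session is investigated.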
How Kroll can help
While completely preventing ransomware attacks is nearly impossible, strategic steps can help to neutralise them and mitigate their potential damage and disruption.
Kroll provides ransomware preparedness assessments to identify and track down any vulnerabilities that ransomware actors could exploit. This allows you to build smarter defences, close exploitable gaps, better safeguard sensitive data and more quickly respond and recover from an attack.