Ransomware And The Key Attack Vectors To Look Out For

1 Sep 2022


Ransomware is among the most formidable cyber threats that organisations the world over are constantly exposed to. According to the Q4 2021 Threat Landscape report published by Kroll, this cyber threat remains the most common attack type to date and an ongoing security challenge. Ransomware attacks have been making headlines as of late, covering the exploits of the infamous LAPSUS$ group and the finding that nearly two-thirds of ransomware victims gave in to their attackers’ ransom demands last year. While ransomware remains a major threat, its attack vectors are generally straightforward weaknesses that can be defended against if they are routinely scanned for and protected against.

Most common ransomware attack vectors to watch out for

1. Email attachments and links

Phishing via email attachments, links, or both is the most common attack vector used in ransomware attacks. Attackers profess to be a trusted source and send emails containing malicious file attachments and/or links that, once opened by the unwitting recipient, download the ransomware and infect as well as compromise the user’s system, encrypting their files and holding them for ransom.

2. Remote Desktop Protocol (RDP) connections

This Microsoft proprietary protocol enables users to connect remotely to other devices over a network. Attackers target RDP ports that are commonly left exposed to gain a foothold in a network. Another reason for RDP’s popularity among criminals is its reliance on password-based authentication, a safeguard users tend to neglect. Through RDP, attackers can steal credentials, bypass endpoint protection measures, and disrupt critical systems.

3. USB and removable media

Ransomware attacks can also take the straightforward, physical approach of using USB devices as their attack vector. One cybercrime group used a BadUSB attack, packaging USB thumb drives purported to be from the U.S. Department of Health and Human Services to trick victims into plugging them into their devices. Once plugged in, these malicious USB devices enable the attackers to inject keystrokes on the system, load malware before the OS boots up, or spoof a network card to redirect traffic and deploy ransomware on the connected network.

4. Exploit kits

Exploit kits are another ransomware vector: sophisticated toolkits designed to exploit vulnerabilities in operating systems, web browsers, and other software. A kit probes for the vulnerabilities it supports and, once one is identified, runs its code to install ransomware on the victim’s device. Exploit kits are typically triggered when victims visit a compromised website containing hidden malicious code that redirects them to the exploit kit’s landing page. A drive-by download then executes, and the malicious payload is installed on the system, infecting it and encrypting the files for ransom.

5. Exploitable vulnerabilities

Any internet-capable system that does not have updated patches can potentially serve as a ransomware attack vector. Unpatched vulnerabilities in various systems, be it plugins, workflows, or others, could be used as an entry point for a ransomware attack.

Some of the most critical steps to reducing the risks of ransomware attack vectors include:

● Establish and enforce a robust, strong password policy for all staff.

● Ensure RDP can only be accessed within the organisation or through its VPN.

● Monitor RDP connections and maintain activity logs.

● Focus on identifying and resolving vulnerabilities, and conduct threat and vulnerability scans frequently.

● Periodically train employees about cybersecurity best practices and potential risks.

● Employ next-gen anti-virus (NGAV) and endpoint detection and response (EDR) to detect abnormal activities within the organisation’s IT environment.

● Segregate the network to tightly restrict access to company data. Moreover, top management should exercise extreme caution when granting admin privileges to employees.

● Conduct periodic patch management to ensure all deployed systems are updated, minimising vulnerabilities that may be exploited.

● Employ multi-factor authentication (MFA) wherever possible, especially in virtual and remote login application services, since attackers can easily gain access to them through stolen credentials.
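The RDP exposure described in section 2 and the recommendations above to keep RDP inside the organisation or its VPN, and to monitor RDP connections and maintain activity logs, can be turned into a concrete check. The following Python script is an added example and not part of the original article or GROUP8’s tooling. It assumes a flat, constructed log format (a few lines modelled on the fields of Windows Security events 4624 and 4625), assumed internal address ranges, and an assumed failure threshold of five; the use of Windows logon type 10 (RemoteInteractive) to identify RDP sessions is real.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines for this example, loosely modelled on the fields that
# Windows Security events 4624 (successful logon) and 4625 (failed logon) carry.
# The flat "key=value" layout is an assumption made here so the example runs offline;
# a real deployment would read these fields from the event XML or a SIEM.
SAMPLE_LOG = """\
2022-09-01T08:02:11 4624 LogonType=10 Account=alice Source=10.20.1.15
2022-09-01T08:05:42 4625 LogonType=10 Account=administrator Source=203.0.113.45
2022-09-01T08:05:44 4625 LogonType=10 Account=administrator Source=203.0.113.45
2022-09-01T08:05:47 4625 LogonType=10 Account=administrator Source=203.0.113.45
2022-09-01T08:05:49 4625 LogonType=10 Account=admin Source=203.0.113.45
2022-09-01T08:05:52 4625 LogonType=10 Account=admin Source=203.0.113.45
2022-09-01T08:07:30 4624 LogonType=3 Account=carol Source=10.20.1.30
2022-09-01T08:09:03 4624 LogonType=10 Account=bob Source=198.51.100.7
2022-09-01T08:11:15 4625 LogonType=10 Account=dave Source=192.168.5.9
2022-09-01T08:11:20 4624 LogonType=10 Account=dave Source=192.168.5.9
"""

# Address ranges the organisation treats as internal (including its VPN pool).
# These are assumed values for the example.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Windows logon type 10 is RemoteInteractive, i.e. an RDP (Terminal Services) session.
RDP_LOGON_TYPE = 10

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d{4})\s+LogonType=(?P<ltype>\d+)\s+"
    r"Account=(?P<account>\S+)\s+Source=(?P<source>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = int(rec["event"])
    rec["ltype"] = int(rec["ltype"])
    return rec


def is_internal(ip_text):
    """True if the address lies in one of the organisation's internal ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is treated as external, never silently trusted
    return any(addr in net for net in INTERNAL_NETWORKS)


def analyse(log_text, failure_threshold=5):
    """Review RDP logon events and return two findings:
    - external_success: RDP sessions established from outside the internal ranges,
      which violate the "RDP only from inside the organisation or its VPN" rule
    - bruteforce_sources: sources with at least failure_threshold failed RDP logons,
      a sign of password guessing against exposed RDP
    """
    external_success = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ltype"] != RDP_LOGON_TYPE:
            continue  # ignore malformed lines and non-RDP logons (e.g. type 3 network logons)
        if rec["event"] == 4624 and not is_internal(rec["source"]):
            external_success.append((rec["ts"], rec["account"], rec["source"]))
        elif rec["event"] == 4625:
            failures[rec["source"]] += 1
    bruteforce = {src: n for src, n in failures.items() if n >= failure_threshold}
    return {"external_success": external_success, "bruteforce_sources": bruteforce}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for ts, account, source in findings["external_success"]:
        print(f"RDP session from outside the organisation: {ts} {account} from {source}")
    for source, count in findings["bruteforce_sources"].items():
        print(f"Possible RDP password guessing: {count} failures from {source}")
```

Run on the constructed sample, the script flags one RDP session from outside the assumed internal ranges and one source with five failed RDP logons, while ignoring the non-RDP logon and the single internal failure. The same two checks map directly onto the recommendations above: the first confirms that the "RDP only via the internal network or VPN" policy actually holds, and the second is the kind of activity-log monitoring that gives early warning of credential guessing before MFA or a lockout policy is the only thing standing in the way.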

Conclusion

Ransomware is a constant threat that can strike any organisation, big or small, at any moment. Although it is impossible to fully defend against ransomware, many strategic steps can mitigate your risk and the potential disruption it may cause.

GROUP8 provides comprehensive cyber security services in Singapore with industry-leading solutions that cover the fundamentals for defending against ransomware attacks, including vulnerability research, incident response, endpoint security, and Pen Test Services Singapore. To learn more about our offensive-inspired solutions, reach out to us at hello@group8.co today.