Ransomware is one of the biggest cybersecurity threats in 2022.
This blog will highlight:
- The definition of ransomware.
- What the anatomy of a ransomware attack looks like.
- Preventing ransomware attacks.
What is Ransomware?
Ransomware is malicious software that denies an organisation access to its systems and/or data until a ransom is paid.
Ransomware can affect an organisation by:
- Locking the system’s screen.
- Encrypting (locking) user and system files.
Tenable suggests that:
‘Ransomware is the most disruptive global cyberthreat we face today. This threat affects virtually every industry and stems from various root causes, all of which your security teams must account for in their defender strategies.’
The Anatomy of Ransomware Attacks
Ransomware has traditionally been delivered through phishing campaigns aimed at specific targets.
Attackers also distribute it in other ways, such as drive-by downloads, USB sticks and other portable media.
However the ransomware is delivered, the anatomy of an attack follows the same steps below.
Reconnaissance
Attackers first research the target to confirm that it has exploitable vulnerabilities, which tells them whether the attack is worthwhile, and to estimate how severe its impact would be.
Gaining Access
Using the information gathered during reconnaissance, attackers attempt to compromise the organisation’s user accounts by:
- Brute-forcing passwords.
- Using default passwords.
- Obtaining credentials via phishing.
- Exploiting misconfigured or exposed remote-access services.
- Purchasing compromised user accounts (usually accounts with admin privileges that give greater access to the organisation’s network).
Maintaining Access to the Organisation
Attackers can remain inside an organisation’s network for months before encrypting files or selling their access to another criminal group.
Destroying or Encrypting an Organisation’s Backups
The objective of a ransomware attack is to deny the availability of resources and force the target to pay a ransom in order to regain access.
To make that work, attackers often make sure recovery is not an option by encrypting or destroying the victim’s backups before they trigger the encryption.
They have developed strategies to traverse compromised networks, reach and destroy backups, and even build specialised strains that encrypt online backups, all with the aim of forcing the victim to pay.
Negotiation and Payment
If the attack is successful, the next step is to begin the negotiation and payment phase.
The ransom, usually demanded in cryptocurrency, is paid in exchange for a decryptor that is supposed to restore access to the encrypted files.
Many organisations choose to employ a third party Incident Response team to assist with the negotiation of the ransom.
Unfortunately, after an attack, many organisations are left with a clean-up exercise.
The organisation can suffer from:
- Income loss.
- Lost production and the cost of restoring it.
- Incident Response costs.
- Damage to reputation.
However, even if a victim pays the ransom, there is no guarantee that the criminals will hand over a working decryptor, or that it will recover all of the files. As a result, organisations can feel the ramifications of an attack for months afterwards.
What are some of the most common ways ransomware spreads?
Phishing Emails
Email is one of the most successful channels for spreading ransomware.
Attackers insert malicious links or attachments into personalised or branded emails that appear to come from a legitimate source, to dupe the recipient into clicking the link or opening the attachment.
Drive-by Downloads
A drive-by download occurs when a user visits a compromised website that infects their device with ransomware, often without any further interaction from the user.
To set this up, cybercriminals probe legitimate websites for security flaws and vulnerabilities and, once in, embed their code on the site; alternatively they host copies of popular websites to lure visitors.
Removable Media
As cloud services have grown in popularity, USB drives are used less often, but they can still be used to infect computers and systems.
In some cases, social engineers and cybercriminals deliberately leave infected devices lying around an office for staff to pick up and plug in.
Open Remote Desktop Protocol (RDP) Ports
Remote Desktop Protocol (RDP) allows IT administrators to access a PC or server, primarily for configuration or application access.
If these ports are exposed to the public internet or an untrusted network, cybercriminals can reach them, brute-force or reuse stolen credentials, and use the resulting foothold to deploy ransomware across the network.
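As an added example (not part of the original post), the following Python script shows the kind of detection a security team can run over exported Windows Security events to spot the RDP brute-force logons described above, ideally before they succeed. The input format (comma-separated timestamp, event ID, logon type, source IP, account) and the sample lines are constructed for this example; the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Real 4625/4624 events carry these fields as
# "Logon Type", "Source Network Address" and "Account Name"; the flat CSV
# layout here is an assumption for the example.
SAMPLE_EVENTS = """\
2022-05-10T08:00:01,4625,10,203.0.113.45,administrator
2022-05-10T08:00:02,4625,10,203.0.113.45,admin
2022-05-10T08:00:03,4625,10,203.0.113.45,backup
2022-05-10T08:00:04,4625,10,203.0.113.45,sqlsvc
2022-05-10T08:00:05,4625,10,203.0.113.45,helpdesk
2022-05-10T08:00:06,4625,10,203.0.113.45,jsmith
2022-05-10T08:00:07,4624,10,203.0.113.45,jsmith
2022-05-10T08:05:00,4625,10,198.51.100.7,mjones
2022-05-10T08:05:10,4624,10,198.51.100.7,mjones
2022-05-10T09:00:00,4625,2,10.0.0.5,mjones
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10            # RemoteInteractive
WINDOW = timedelta(minutes=5)  # assumed: how close together failures must be
THRESHOLD = 5                  # assumed: failures inside WINDOW that raise an alert


def parse_events(text):
    """Parse the constructed CSV export into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, account = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: details} for every source with at least `threshold`
    failed RDP logons inside any span of length `window`. details lists the
    distinct accounts tried (password spraying shows up as many accounts with
    one or two attempts each) and whether a successful RDP logon from the
    same source followed the burst, which is the case to escalate first."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope here
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append(ev)
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            successes[ev["src_ip"]].append(ev)

    alerts = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until fails[start:end+1] spans at most `window`
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                burst_end = burst[-1]["time"]
                alerts[src] = {
                    "failed_logons": len(burst),
                    "accounts_tried": sorted({e["account"] for e in burst}),
                    "success_after_burst": any(
                        s["time"] >= burst_end for s in successes.get(src, [])
                    ),
                }
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        flag = "COMPROMISED?" if info["success_after_burst"] else "attempted"
        print(f"{src}: {info['failed_logons']} failed RDP logons, "
              f"{len(info['accounts_tried'])} accounts tried, {flag}")
```

A burst of 4625 events from one source across many different account names, followed by a 4624 from the same source, is the pattern to escalate immediately: it means the brute force worked and the "gaining access" step is complete. The single failure from 198.51.100.7 followed by a success is an ordinary typo and is not flagged.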
Ransomware as a Service (RaaS)
Check Point suggests that:
How can I Prepare for Ransomware Attacks?
Effective cyber security training for your organisation
This helps raise your employees’ awareness of the risks associated with ransomware, phishing and other social engineering attacks.
Regularly backing up data in your organisation
Regular, verified, offline backups of your organisation’s data let you restore systems after an attack without paying; keep them where a compromised account cannot reach them, and test that they actually restore.
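As an added example (not code from the original post), the Python script below shows what “verified” means in practice: it creates a backup archive with a SHA-256 manifest, performs a test restore into a scratch directory and checks every file against the manifest, then repeats the check after the archive has been overwritten to show that tampering of the kind described in the attack anatomy above is detected. The directory layout, file contents and the simulated corruption are constructed for the example; keeping the archive offline or on write-once storage is a separate decision the script cannot make for you.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (path relative to root, POSIX style) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir, archive_path):
    """Write a gzip tarball of source_dir and a sha256sum-style manifest beside it.
    Keep a second copy of the manifest off the backup host: if an attacker can
    rewrite both the archive and its manifest, verification proves nothing."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    manifest = build_manifest(source_dir)
    with open(f"{archive_path}.sha256", "w") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")
    return manifest


def verify_restore(archive_path, manifest):
    """Extract into a scratch directory and compare against the manifest.
    Returns (ok, problems); an unreadable archive counts as a failed restore."""
    problems = []
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch)  # archive produced by create_backup above
            restored = build_manifest(scratch)
    except (tarfile.TarError, OSError) as exc:
        return False, [f"archive unreadable: {exc}"]
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file in archive: {rel}")
    return (not problems, problems)


def demo():
    """Back up constructed data, verify it, then simulate ransomware
    overwriting the archive and verify again. Returns (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        archive = Path(work) / "backup.tar.gz"

        manifest = create_backup(src, archive)
        ok_before, _ = verify_restore(archive, manifest)

        # Constructed corruption: the archive is overwritten in place, as an
        # encrypting strain that reaches an online backup share would do.
        archive.write_bytes(b"ENCRYPTED" * 64)
        ok_after, _ = verify_restore(archive, manifest)
        return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print(f"restore verified before tampering: {before}")
    print(f"restore verified after tampering:  {after}")
```

The point of the test restore is that a backup job reporting “success” says nothing about whether the data comes back; only extracting it and comparing digests does. Run the check on a schedule, against a manifest stored separately from the backup, so that a strain which reaches the backup share is noticed before you need the backup.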
Disrupt ransomware attack paths before they are exploited
Organisations can combine Risk-based Vulnerability Management with Active Directory security to disrupt the common attack paths described above.
Securing Active Directory makes it harder for attackers to gain a foothold and take the next step in their attack.
Prepare for the worst with cyber threat intelligence services
Threat intelligence services can provide crucial information about current and emerging threats to your organisation.
This foresight allows organisations to make informed decisions and reduce risk to their digital and corporate assets.
Get in touch with our expert team for more information about how to protect your organisation against ransomware attacks!