Posted on Feb 24, 2021
Ransomware has been a persistent threat for organizations across industries for many years now. As more businesses embrace digital transformation, the likelihood of being targeted in a ransomware attack has grown considerably. This is because the methods cybercriminals employ to carry out attacks are becoming more difficult to identify and manage.
With ransomware attacks growing in complexity, organizations must stay educated and up-to-date on the rising cost and frequency of an attack, as well as the best practices for protecting against these vectors.
Below, we break down key ransomware attack vectors you should be aware of as you build out organization-wide security strategies and monitor your cybersecurity posture.
Ransomware is a type of malicious code designed to gain access to a network and encrypt files on a system. From there, a cyber adversary will hold the encrypted files hostage until a ransom is paid. Given the lucrative nature of these attacks, cybercriminals are constantly creating and testing new vectors and variants of ransomware. This has given rise to a new age of ransomware attacks that leverage advanced deployment techniques to avoid detection altogether. As sophisticated ransomware kits become cheaper and easier to obtain, staying protected is a top concern for businesses looking to grow their digital capabilities.
Understanding the vectors cybercriminals use to gain access to a system is critical in better protecting against ransomware attacks.
Below are three common ransomware attack vectors:
RDP is a protocol designed by Microsoft that allows users to connect to and carry out commands on a system remotely. The issue is that RDP security is heavily dependent on having strong password hygiene which is often ignored by users. This means that cybercriminals are often able to easily crack RDP credentials and gain access to a system. These credentials are also available for purchase on the Dark Web for those who don’t want to do the work.
Another popular ransomware vector is email phishing. Using social engineering tactics, cybercriminals will send emails to employees that appear to come from trusted sources. Once opened, the email will ask for employee credentials or to download malware onto the system. The key to mitigating phishing risk is working with employees to ensure that they understand how to spot illegitimate messages across all platforms of communication.
Exploiting software vulnerabilities is another common ransomware delivery method. Unpatched software creates gaps in security that open the door to malware intrusions. Not only does this expose organizations to increased levels of cyber threat activity, but it also makes them an easier target for attackers since they can gain access to unpatched systems without having to harvest credentials. To reduce this risk, make sure to establish a patch management schedule so that new system patches are implemented as soon as they are released.
With the average cost of a ransomware attack having grown in 2020, it is important to have an understanding of the different ransomware variants that may be used to target your organization. Below is a list of ten of the most significant ransomware attacks throughout the 2010s:
CryptoLocker is a Trojan horse malware that was used between September 2013 and Late May 2014 to gain access to and encrypt files on a system. Cybercriminals would use social engineering tactics to get employees to download the ransomware onto their computers and infect a network. Once downloaded, CryptoLocker would display a ransom message offering to decrypt the data if a cash or Bitcoin payment was made by the stated deadline. While the CryptoLocker ransomware has since been taken down, it is believed that its operators extorted around three million dollars from unsuspecting organizations.
Locky was released in 2016 and is spread primarily through emails containing an infected Microsoft Word document. When a user opens the document, they will see unintelligible data and the phrase "Enable macro if data encoding is incorrect." If they enable macros then the ransomware will be downloaded and begin encrypting files. After the encryption is complete, victims receive a message on how to pay the ransom and get their files back.
Petya is a ransomware family that was first discovered in 2016. It targets Windows-based systems, infecting the master boot record to deliver a payload and encrypt hard drive files. Upon its download, Petya encrypts the Master File Table of the NTFS file system and then displays a message with ransom payment instructions.
Ryuk is enterprise-focused ransomware designed and executed by the cybercrime group WIZARD SPIDER. Unlike traditional ransomware attack vectors, Ryuk leverages spear-phishing tactics to target high-ranking individuals within an organization. Once infected, organizations will receive a note named RyukReadMe.txt with details on ransom demands and where to send the payment. Since 2018, WIZARD SPIDER has made around $3.7 million in Bitcoin payments from this ransomware.
WannaCry is a unique ransomware case because once it infects a system, it is able to duplicate itself without changing files or affecting the boot sector of a computer. Due to its duplicative nature, WannaCry was responsible for a worldwide cyberattack in May 2017, infecting over 230,000 computers in less than a day.
WannaCry targets computers that are running outdated versions of Microsoft Windows, exploiting the EternalBlue vulnerability. Much of its success can be attributed to poor patching hygiene, highlighting the importance of regular patching.
The Cerber ransomware highlights the growing complexity of ransomware threats, as it is being distributed using the Ransomware-as-a-Service model. Cerber is easily accessible as anyone can use it as long as they share forty percent of profits with the distributors.
Cerber is primarily distributed using phishing tactics, and once downloaded begins to encrypt files while running in the background to avoid detection. Once the encryption is complete the users will find ransom notes with instructions for payment.
First discovered in January 2018, GandCrab targets vulnerabilities within the Microsoft Windows operating system. Similar to Cerber, GandCrab is run as a Ransomware-as-a-Service with users agreeing to split profits with the distributors. As with other ransomware attacks, GandCrab uses social engineering tactics to gain access. Once it has been downloaded, it will begin encrypting files for ransom.
Sometimes referred to as the “Police Trojan'', Reveton uses social engineering to trick users into thinking they have committed a crime. Victims will receive a message claiming their computer has been locked by a law enforcement agency and that must pay a fine in order to regain access.
Unlike most ransomware variants, SamSam uses remote desktop protocol exploits as well as brute-force tactics to steal credentials. SamSam only targets JBoss servers so if you use JBoss, make sure to keep up to date with their patch releases.
What makes SamSam particularly dangerous is the fact that it assumes administrator rights before downloading the malware onto a system. This means that victims do not have to download a file to be compromised, making it extremely difficult to track.
Unlike the ransomware discussed above, SimpleLocker targets mobile devices running on the Android operating system. It is delivered using a Trojan downloader which has made it difficult to counter.
While this is the first identified Android ransomware, it will not be the last. To avoid infecting your device, make sure you only download apps from established stores such as the Google Play Store or the App Store.
To protect against ransomware threats you need complete visibility into your internal and third-party network environments. SecurtyScorecard’s Security Ratings offer an extra layer of protection by providing organizations with real-time vulnerability alerts, allowing them to actively address ransomware vectors as they arise. Our platform uses a simple A through F scale to rank vulnerabilities so that you can quickly visualize your organization's security posture and prioritize threat remediation.
With Security Data, organizations can leverage cybersecurity data to gain insights into critical vulnerabilities within their enterprise ecosystems. SecurityScorecard’s global security threat intelligence engine continuously collects and analyzes a broad range of highly relevant, cybersecurity signals, allowing you to address ransomware threats in real-time.
Ransomware attacks are not going away anytime soon so it is essential that organizations take steps to defend against them. With SecurityScorecard, you have access to the tools you need to continuously monitor for and stay ahead of ransomware threats as your business embraces digital innovation.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.