Organizations from Cosco to FedEx, local governments from Atlanta to Alaska, and several hospitals and law firms around the world all share a common, jarring experience - in the past few years, all of these organizations have watched as malicious software took over their networks and demanded a ransom payment, while disrupting their business service continuity.
Ransomware (opens in new tab) is an escalating, increasingly sophisticated threat, and no one seems to be immune. With new ransomware authors constantly upping their game to evade detection by demanding new forms of crypto-currency, such as DASH, or stealing passwords and Bitcoin wallets, it can be difficult for the average user to understand how they were infected in the first place when they fall victim to an attack.
There are a number of attack vectors ransomware can exploit to take over computers or servers. These are the four most common ways ransomware infects its victims.
Related: protect your business from cyber attack with the best antivirus software (opens in new tab).
1. Phishing emails
The most common method for hackers to spread ransomware is through phishing emails. Hackers use carefully crafted phishing emails to trick a victim into opening an attachment or clicking on a link that contains a malicious file.
This enables the attacker to run a script that downloads and executes a malicious executable file (EXE) from an external web server. The EXE would include the functions necessary to encrypt the data on the victim’s machine.
Once the data is encrypted, and ransomware gains a foothold on one machine, the more advanced ransomware variants will spread to other machines on the network (PCs and servers). All it takes is for one person to naïvely open an attachment in the phishing email, and an entire organization can be infected.
Popular ransomware exploiting victims using phishing emails include:
2. Remote Desktop Protocol
An increasingly popular mechanism in which attackers are infecting victims is through Remote Desktop (opens in new tab) Protocol (RDP). As the name implies, Remote Desktop Protocol was created to enable IT administrators to securely access a user’s machine remotely to configure it, or to simply use the machine. RDP typically runs over port 3389.
While opening doors to a device for legitimate use has many benefits, it also presents an opportunity for a bad actor to exploit it for illegitimate use. In 2017, it was determined that over 10 million machines are advertising themselves to the public internet as having port 3389 open – ie, they are running RDP over 3389.
Hackers can simply search for those machines on search engines such as Shodan.io to find devices that are vulnerable to infection. Once the target machines are identified, hackers commonly gain access by brute-forcing the password so they can log on as an administrator. Open source password-cracking tools help achieve this objective. Popular tools, including Cain and Able, John the Ripper, and Medusa, allow cybercriminals to quickly and automatically try multiple passwords to gain access.
Once they’re in as an administrator, hackers have full control of the machine and can initiate the ransomware encryption operation. To create additional damage, some hackers will disable the endpoint security software running on the machine or delete Windows file backups prior to running the ransomware.
This creates even more reason for the victim to pay the ransom, as the Windows backup options may no longer exist.
Popular ransomware exploiting victims through RDP include:
- SamSam (opens in new tab): Responsible for significant damage in 2018 on the City of Atlanta, Colorado Department of Transportation, Hospitals, and other organizations. A recent report estimated that SamSam authors made $5.9 million of revenues (opens in new tab).
- LowLevel04 (opens in new tab)
- CrySis (opens in new tab)
3. Drive-by downloads from a compromised website
Another entry path that attackers use to deliver ransomware is through what is known as drive-by downloads. These are malicious downloads that happen without a user’s knowledge when they visit a compromised website.
Attackers often initiate drive-by downloads by taking advantage of known vulnerabilities in the software of legitimate websites.
They then use these vulnerabilities to either embed the malicious code on a website or to redirect the victim to another site that they control, which hosts software known as exploit kits. Exploit kits give hackers the ability to silently scan the visiting device for its specific weaknesses, and, if found, execute code in the background without the user clicking anything. The unsuspecting user will then suddenly be faced with a ransom note, alerting them of the infection and demanding payment for returned files.
While this may sound like something encountered only on small, under the radar sites, drive-by downloads are actually not limited to obscure websites. They have happened to some of the most popular sites in the world including the New York Times, the BBC, and the NFL – all of these were targeted in a ransomware campaign through hijacked advertisements.
Popular ransomware exploiting victims through drive-by downloads include:
4. USB and Removable Media
Another avenue that ransomware uses to penetrate an environment is through a USB device. In 2016, Australian police issued a warning to citizens (opens in new tab) about USB drives containing malicious software appearing in mailboxes. The USB drives masqueraded as a promotional Netflix application, then once opened deployed ransomware on to the unsuspecting user’s computer.
The mighty Spora Ransomware even added the capability to replicate itself onto USB and Removable Media drives (in a hidden file formats), jeopardizing subsequent machines in which the USB device is plugged into.
Ransomware has become the go-to attack of choice for cybercriminals to generate revenues. It’s simple to buy on the dark web through Ransomware-as-a-Service (RaaS) and attacks are relatively easy to launch through one of the above methods. It’s important for organizations to recognize how their systems can be targeted and proactively take steps through a layered security approach to keep themselves protected and to safeguard their business service continuity.
Antonio Challita is Director of Product Management at CyberSight (opens in new tab).
Related: 10 effective steps for preventing cyberattacks on your business (opens in new tab).