Ransomware is a problem that is here to stay and that will in time become an even bigger issue; everyone involved in IT security knows this. According to the international study "The State of Ransomware", more than half of the organizations surveyed had been hit by a ransomware attack in the year leading up to 2020. Once hit, giving in to criminal demands or rebuilding systems wholesale is an expensive strategy, if it can be called a strategy at all. Real risk mitigation starts with a different question: which attack vectors does this type of malware actually exploit? Only an answer to that question does more than fend off the next incident; ideally it reduces the risk permanently.
The three main attack vectors of ransomware
Attack vector number 1 - the technology: As in many other attack scenarios, attackers exploit vulnerabilities and backdoors in the infrastructure to smuggle malware into a system. Infrastructure is especially vulnerable when it runs unpatched systems. The well-known WannaCry ransomware of May 2017, which gained notoriety by taking out hospitals and universities, is the textbook case: it targets Windows computers that had not installed the MS17-010 security update Microsoft had released two months earlier. Its spreading component uses the EternalBlue exploit, which abuses a buffer overflow in Microsoft's SMBv1 implementation to execute code remotely, so every unpatched machine it reaches installs the ransomware, encrypts the local files and immediately scans for further victims, with no user interaction required. (EternalBlue is the codename of the exploit leaked by the Shadow Brokers in April 2017, not a description of the blue screens a failed attempt can cause.) The WannaCry outbreak shows just how virulent the problem of unpatched computers is: within days it had spread to 150 countries and infected more than 230,000 computers.
Attack vector number 2 - the process: Even if Chief Information Security Officers (CISOs) do their job in an exemplary manner and keep their systems up to date, patch management itself involves risk. Failing to check that updates come from verified sources, or simply allowing any system change to take place, may open the floodgates for malware and ransomware. The case of network management vendor SolarWinds shows that even a single update can be compromised: in the incident that caused a stir in 2020, attackers infiltrated the SolarWinds build pipeline and inserted a Trojan into an update for the Orion platform that about 18,000 customers installed. Because the trojanized update carried SolarWinds' own valid code signature, source verification alone would not have caught it. Such an attack on third-party software, especially from a trusted vendor, is very hard for administrators in the receiving organization to detect. Experts compare it to compromising the key manufacturer rather than picking a lock: the update gave the attackers a foothold in U.S. government networks, from the Department of Homeland Security to the National Nuclear Security Administration, and in companies such as Microsoft, Nvidia, Intel and Cisco. That campaign was espionage rather than ransomware, but the same delivery channel would serve a ransomware payload just as well.
Attack vector number 3 - people: An organization's employees always remain a weak point, because social engineering and phishing can easily trick them into downloading a file from a malicious website. Attacks on individuals increased massively during the COVID-19 pandemic, as people switched en masse to remote work. Outside the physical premises of an organization it is more important than ever to pay attention to employee behavior where IT security is concerned. Yet according to a 2020 IBM study, nearly half (45 percent) of employees at U.S. companies who moved to working from home received no IT security training for the new situation. The resulting uncertainty made these employees a popular target, and phishing, "smishing" (SMS-based phishing) and fraudulent calls from supposed "colleagues" in the corporate IT department are still booming. If employees are not sufficiently sensitized to these dangers, they can become unwitting accomplices of the attackers, for example when they are asked to click on a link or install a program that hides ransomware.
The problem with credentials
But even assuming that all three attack vectors, technology, processes and people, were perfectly protected against ransomware, the risk of unauthorized access to systems would still remain. The reason lies in the primitive nature of login data, i.e. credentials: whoever holds them gains access to the system and can do as he or she pleases. Unless the login requires proof that the person presenting the credentials is their rightful owner, the system has no way to tell a legitimate login from an attack. And once the access reaches beyond an individual computer into the enterprise systems as a whole, spreading and installing malware at scale is no longer a challenge either. The extent of the credentials problem in ransomware attacks is illustrated by the infiltration strategies of some well-known families:
- Dharma (a.k.a. CrySIS) – brute-forces weak credentials to gain access to an organization's network or systems via the Remote Desktop Protocol (RDP)
- Phobos – also uses RDP connections to infiltrate networks
- Sodinokibi (a.k.a. Sodin or REvil) – gains access through brute-force attacks, server exploits or phishing
- Snake, or EKANS – reaches industrial control system (ICS) environments through internet-exposed RDP services with weak passwords and infects them directly
Two things become very clear in this context: first, ransomware operators deliberately target credentials as a vulnerability, and second, RDP is a popular point of attack.
The problems with RDP
Most organizations rely on RDP so that employees working from home can reach company resources remotely, and many therefore expose RDP (TCP port 3389) directly on the public internet. Such hosts are trivial to find with an internet-wide scanner, and weak credentials fall either to brute force (many password guesses against one account) or to credential stuffing (username/password pairs leaked from other services, replayed one by one). But how can this vulnerability be eliminated? Reliable, strong authentication such as multi-factor authentication (MFA) is not easily implemented with standard RDP: Network Level Authentication and account lockout raise the cost of guessing, but both still rest on the password. A VPN can be used to take RDP off the public internet, and yet a VPN without MFA is just as vulnerable to a guessed or stolen password.
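The two guessing patterns described above leave different traces in logon telemetry, and telling them apart is what a detection engineer would do first. The following is an added example, not code from the original article or from IDEE: simple detection logic in Python run over constructed RDP logon records. The records are simplified stand-ins for Windows Security events 4625 (failed logon) and 4624 (successful logon) already filtered to Logon Type 10 (RemoteInteractive, i.e. RDP); extracting those fields from the event log is assumed to happen upstream, the record format, source addresses and usernames are invented, and the thresholds are illustrative starting points rather than vendor recommendations.

```python
"""Flag brute force, credential stuffing and a successful logon after a burst of
failures in constructed RDP logon records (added example, not from the article)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"            # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"           # Windows Security: an account was successfully logged on
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_THRESHOLD = 10       # guesses against one account from one source ...
STUFFING_MIN_ACCOUNTS = 8        # ... versus many accounts from one source ...
STUFFING_MAX_PER_ACCOUNT = 2     # ... with only a guess or two each (leaked-list replay)
MIN_FAILURES_BEFORE_SUCCESS = 3  # a couple of typos before a success is normal


def constructed_sample():
    """Constructed records (assumed format): 'timestamp,event_id,source_ip,username'."""
    lines = []
    # Brute force: 12 password guesses against 'Administrator' in 44 seconds.
    for i in range(12):
        lines.append(f"2020-11-03T02:00:{i * 4:02d},4625,203.0.113.7,Administrator")
    # Credential stuffing: nine accounts, one leaked password each, then one works.
    users = ["j.miller", "s.khan", "a.rossi", "m.chen", "p.novak",
             "l.garcia", "t.okafor", "e.dubois", "r.singh"]
    for i, user in enumerate(users):
        lines.append(f"2020-11-03T03:01:{i * 5:02d},4625,198.51.100.23,{user}")
    lines.append("2020-11-03T03:02:00,4624,198.51.100.23,e.dubois")
    # Benign: an employee mistypes twice and then logs in from the internal range.
    lines += ["2020-11-03T08:15:00,4625,10.0.0.5,m.chen",
              "2020-11-03T08:15:20,4625,10.0.0.5,m.chen",
              "2020-11-03T08:15:40,4624,10.0.0.5,m.chen"]
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed record format into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, src, user = (field.strip() for field in line.split(","))
        events.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                       "src": src, "user": user.lower()})  # Windows account names are case-insensitive
    return sorted(events, key=lambda e: e["time"])


def _windows(failures):
    """Yield, for each failure, the run of failures that starts there and fits in WINDOW."""
    j = 0
    for i in range(len(failures)):
        j = max(j, i + 1)
        while j < len(failures) and failures[j]["time"] - failures[i]["time"] <= WINDOW:
            j += 1
        yield failures[i:j]


def detect_rdp_attacks(events):
    """Return one finding per (source IP, attack pattern) observed in the events."""
    findings = {}
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        for window in _windows(failures):
            per_user = Counter(e["user"] for e in window)
            user, guesses = per_user.most_common(1)[0]
            if guesses >= BRUTE_FORCE_THRESHOLD:
                findings.setdefault((src, "brute_force"), {"account": user, "failures": guesses})
            if (len(per_user) >= STUFFING_MIN_ACCOUNTS
                    and max(per_user.values()) <= STUFFING_MAX_PER_ACCOUNT):
                findings.setdefault((src, "credential_stuffing"),
                                    {"accounts": len(per_user), "failures": len(window)})
        # A success right after a burst of failures from the same source is the signal
        # that matters most: a guess, or a stuffed credential, actually worked.
        for s in (e for e in evs if e["event_id"] == SUCCESS_LOGON):
            prior = [f for f in failures if timedelta(0) <= s["time"] - f["time"] <= WINDOW]
            if len(prior) >= MIN_FAILURES_BEFORE_SUCCESS:
                findings.setdefault((src, "success_after_failures"),
                                    {"account": s["user"], "failures": len(prior)})
    return [{"src": src, "kind": kind, **detail} for (src, kind), detail in findings.items()]


if __name__ == "__main__":
    for finding in detect_rdp_attacks(parse_log(constructed_sample())):
        print(finding)
```

Run against the constructed sample, the logic reports three findings: brute force from 203.0.113.7 against the administrator account, credential stuffing from 198.51.100.23 across nine accounts, and a successful logon from that same source after nine failures, which is the one to escalate. The employee who mistyped twice is not flagged, because the success rule requires a real burst first; in practice the thresholds need tuning against your own baseline of failed RDP logons.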
Four ideas for secure authorization
The fight against ransomware is not hopeless. There are measures that keep out even the most efficient ransomware:
1. The best protection is a strong MFA whose factors cannot be stolen. This means that all factors should be passwordless, i.e. authentication should rest on possession of a registered device, unlocked by a biometric or PIN that never leaves that device, so there is no shared secret for a phishing page or a brute-force tool to capture.
2. Since RDP and VPN are such a common attack vector, especially in times of increased remote work, they deserve special attention: patch them promptly and on a regular basis, and never expose them without MFA.
3. Training for employees, especially regarding ransomware, should be standard in every organization. Phishing remains the main line of attack for ransomware.
4. Risk can never be completely eliminated, which is why the final measure is a good backup strategy. It should be in place as soon as possible, with copies that ransomware cannot reach from the network and restores that have actually been tested, to keep the cost of a system reset as low as possible in the event of an infection.
Outlook: Strong authentication against ransomware
All in all, it is clear that authentication plays a critical role in ransomware risk mitigation. Malware creators continue to treat credentials as a key vulnerability, and even a complex password is no obstacle once it has leaked from another service and is replayed by credential stuffing, while the computing power available today makes cracking weak passwords cheap. Eliminating passwords altogether in favor of registered devices or on-device biometrics would thus remove a line of attack that ransomware relies upon. Today, passwordless MFA is the best way to hide the keys to the system, and not just under the doormat.
Al Lakhani, founder and CEO, IDEE