Recent news reports of cyber-attacks have frequently mentioned an attack method called ‘ransomware’. But why is a ransomware attack so feared?
A ransomware attack works as follows: a threat actor tries to compromise a system, and if they succeed in gaining access, they encrypt the system and send a notification to its owner. This notification advises that the system is locked and cannot be unlocked unless a ransom is paid. If the target complies, they are sent a decryption key to regain access to the system or data that was held to ransom.
The evolution of ransomware has been steady, and its use is increasing exponentially. There are two common methods threat actors use when deploying ransomware: opportunistic attacks and targeted attacks. The opportunistic approach relies on mass distribution of the ransomware online, hoping that a victim gets caught. The targeted approach involves gathering specific information about the target before wrapping up the customised gift basket and leaving it on their front door.
According to Cloudflare researchers, the initial compromise in a ransomware attack typically involves:
- An attacker compromising Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) servers.
- An attacker exploiting unpatched vulnerabilities in a web application or server.
- An attacker using spear-phishing to gain a foothold in the targeted environment.
Damage from a ransomware attack
Without proper security infrastructure or protocols, attackers who have gained access to a system can leave a devastating path of destruction behind them, especially when they are a sophisticated group. One of the most dangerous routes these attackers can take inside the system is to map the business’s network infrastructure: the larger the network, the heavier the impact of the ransomware. To make matters worse, they can also install backdoors so that they can regain access later, while moving laterally to the backup server and deleting its backups.
While the damage sounds horrifying to most businesses and government bodies, ransomware is showing no signs of slowing down. Ransomware-as-a-service (RaaS) models are becoming popular, and soon inexperienced threat actors will be able to access and use them. Below are a few recommendations to help keep your organisation secure.
- Use two-factor authentication (2FA) wherever possible on your remote access entry points
- Maintain multiple redundant backups of critical systems and data, onsite and offsite
- Monitor and block malicious domains
- Sandbox web browsing activity to isolate threats at the browser level
For more information about best industry practices and standards, please contact us.
Author: Saeed Baayoun