To address a ransomware attack, it’s vital to identify the attack vector. That’s not always easy: Ransomware groups may go to great lengths to hide their methods, particularly during targeted attacks.
However, the vast majority of incidents can be traced to a relatively limited number of attack vectors.
1. Software Vulnerabilities
According to research from Kaspersky, 43% of ransomware attacks start with exploitation of publicly known software vulnerabilities.
A high-profile recent example: In June 2023, the CL0p ransomware gang exploited a vulnerability in MOVEit Transfer, a popular file transfer program used by enterprises. The exploit impacted at least 121 organizations, prompting the State Department to offer a reward of up to $10 million for information related to CL0p’s activities.
The simple solution is to keep software updated — and have a strategy in place to enforce updates when they’re available.
2. Phishing Attacks
Phishing is a common technique for targeted ransomware attacks, though phishing may not be effective if organizations take appropriate methods to apply privileges or permissions (discussed below).
Employees must be instructed on common phishing methods, which include malicious attachments and links to compromised websites (“spear-phishing”). Sophisticated ransomware groups may impersonate trusted individuals within an organization, or target victims on their personal devices (assuming that the user will bring their compromised device to work).
3. Remote Desktop Protocol (RDP) Exploits
Remote Desktop Protocol (RDP) comes standard with all current Windows operating systems and serves as the most common protocol for remote access. It’s also quite exploitable — if an attacker can obtain sufficient credentials, they can control systems and deploy malware.
RDP exploits are especially common infection vectors, but they’re easy to defeat: Organizations must enforce multi-factor authentication (MFA) and correctly define their access control lists.
4. Poor Security Controls
Unfortunately, the Cybersecurity and Infrastructure Security Agency (CISA) notes that many organizations use vendor-supplied default configurations or default login credentials, which creates an obvious vulnerability.
“These default credentials are not secure,” CISA writes. “They may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software.”
CISA also list other security controls that could invite an attack:
- Strong password policies are not implemented.
- Cloud services are unprotected.
- Open ports and misconfigured services are exposed to the internet.
- Poor endpoint detection and response. .
These issues can be charitably summarized as misguided — or, more accurately, lazy. Most malware can be defeated by following the most basic tenants of cybersecurity, but many organizations fail to take the necessary steps.
Evaluate your systems and policies to prevent a ransomware attack.
Datarecovery.com provides ransomware investigation services, penetration (PEN) testing, and ransomware recovery solutions to help organizations prevent infiltration.
Our cybersecurity experts can help your enterprise mitigate potential attacks and recover from actual incidents — and in some cases, restore data while minimizing downtime.
To learn more, call 1-800-237-4200 or set up a case online.
