We’ve handled hundreds of cybersecurity attacks and found that a lack of cybersecurity understanding is at the root of most attacks. Many people simply don’t understand how and why ransomware attacks happen, so they’re not prepared when they do happen.
We decided to develop a quick, go-to resource as a primer to help people from a non-technical background understand how hackers work. We believe that in today’s world, everyone who works with IT systems needs to have a basic understanding of cybersecurity, and understanding cybersecurity requires some understanding of the methods used by hackers.
This series will go through every stage of a ransomware attack, from selecting a potential victim and the initial breach, through spreading across the network, to exfiltrating and encrypting data.
Stalking for Prey
Self-pity won’t help resolve a ransomware crisis, but it’s still not uncommon for ransomware victims to wonder “Why me?” This question can actually be a valuable starting point for improving cyber defenses.
The first consideration when ransomware attackers search for victims is location. Obviously, they want to make as much money as possible, so they tend to focus on the biggest economies. Most ransomware attacks focus on the United States, Australia, and Western Europe. If you are located in one of these countries, you need to be extra vigilant.
You would think that hackers would target large companies more often, since they are likely to be able to pay a large ransom. That’s not actually the case. Most ransomware attacks target small and medium companies. This is probably because these companies are less likely to have a large, dedicated cybersecurity budget.
Looking for High Value Data
Companies in certain sectors are also targeted more often than others. Data exfiltration attacks, where hackers try to extort companies by releasing sensitive data, are on the rise. With this trend, we’ve seen an increase in attacks targeting companies that have sensitive data, in particular organizations working in health care and legal services.
Companies that store confidential data can face heavy legal consequences for leaking their customers’ private information, and hackers are aware of this. This means that companies working in these areas need to exercise extra caution, especially when it comes to securing sensitive data. This applies even more to defense sector companies that may hold technical data related to equipment produced for the military.
Initial Access Brokers
One of the factors driving the growth of ransomware is increasing specialization within the ransomware ecosystem. The rise of cryptocurrency has enabled commerce among criminal actors on an unprecedented level. One of the most popular applications of cryptocurrency is for selling initial access to networks.
Specialized hackers will get access to networks using a number of techniques, and rather than conducting a ransomware attack themselves, they sell the access to others. This access may take the form of a software vulnerability, or login credentials obtained by phishing or a brute force attack.
One of the most common methods is a compromised Remote Desktop Protocol (RDP) service. A specialized search engine like Shodan can be used to search for open RDP ports. Once a hacker finds an open port that is likely to belong to a potentially lucrative victim, they can simply run a brute force attack by testing hundreds of thousands of passwords, starting with common passwords and moving on to random alphanumeric passwords.
More often, however, hackers will attempt to get employees to open malicious links by means of phishing attacks. Large scale ransomware attacks often use a combination of these methods. They might purchase initial access from a broker. Then, in the course of attempting to escalate their privileges, they deploy some kind of phishing attack to gain more control over the network.
Staying Up to Date
When wolves go hunting for prey, they go after the stragglers in the herd: the old, sick, or injured animals. When hackers look for targets, they will often look for victims running out-of-date software with known vulnerabilities. Running out-of-date software is a big indication of a weak cybersecurity posture. Even if the hackers can’t exploit a vulnerability in that software, it’s likely that someone running older software will have other holes in their security.
Happy Employees are Good for Security
Another recently emerging trend is hackers trying to recruit insiders. Ransomware gangs are posting advertisements looking for anyone who works at a large company or organization and is willing to help them gain access to the network. In return for the favor, they offer the insiders a percentage of whatever ransom they are able to extort.
Since a single ransom can be equivalent to multiple years’ worth of salary, this could be a very enticing proposal for disgruntled employees. Having good employer-employee relationships is good for productivity and the overall quality of the work environment, but it can also make employees less willing to betray their employer.
How to Not Be a Target
Most of the attacks we deal with take place either by RDP or phishing. Software exploits are less common, but still a serious threat. That means that improving your cybersecurity defenses means prioritizing these three potential attack vectors and planning accordingly. First, phishing awareness is a must, and the best way to have strong phishing resilience is to make cybersecurity-savvy hires, even for non-technical roles. Additionally, a base phishing awareness training course, complemented by regular phishing awareness briefs, can keep employees alert for anything fishy (pun intended).
A security audit of all RDP ports is the next priority to reduce your risk of being targeted. Any unneeded ports should be closed, and the accounts that use the necessary ones should have very strong passwords and two-factor authentication set up.
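The RDP brute force described earlier leaves a distinctive trace: a burst of failed logons from one source address, sometimes followed by a successful one. The following detector is an added example (not code from the original post) that runs over a constructed Windows Security event export; the line format, the event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and the threshold values are assumptions to adapt to your own log pipeline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Windows Security event export (not real data).
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-03-01T08:00:01 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-03-01T08:00:02 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=admin
2024-03-01T08:00:03 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-03-01T08:00:04 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=backup
2024-03-01T08:00:05 EventID=4625 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-03-01T08:00:09 EventID=4624 LogonType=10 SourceIP=203.0.113.7 User=administrator
2024-03-01T08:01:10 EventID=4625 LogonType=10 SourceIP=198.51.100.4 User=jsmith
2024-03-01T08:03:40 EventID=4625 LogonType=10 SourceIP=198.51.100.4 User=jsmith
2024-03-01T08:03:52 EventID=4624 LogonType=10 SourceIP=198.51.100.4 User=jsmith
"""

LINE_RE = re.compile(r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"SourceIP=(?P<ip>\S+) User=(?P<user>\S+)")

def parse_rdp_events(text):
    """Return (timestamp, event_id, source_ip, user) tuples for RDP (type 10) logons only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["lt"] == "10":
            events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]), m["ip"], m["user"]))
    return events

def detect_rdp_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold RDP failures inside a sliding time window,
    and note whether a successful RDP logon from the same IP followed the burst
    (the sign that the guessing worked). Threshold and window are assumptions to tune."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)          # ip -> [(timestamp, user), ...] within window
    alerts = {}
    for ts, eid, ip, user in sorted(parse_rdp_events(text)):
        if eid == 4625:
            failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
            failures[ip].append((ts, user))
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(failures[ip]),
                              "users": sorted({u for _, u in failures[ip]}),
                              "success_after": False}
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True   # burst followed by a successful logon
    return alerts
```

The two slow failures from 198.51.100.4 (a user mistyping a password) stay below the threshold, while the rapid burst from 203.0.113.7 is flagged, with the list of tried usernames and the fact that a logon succeeded right after it.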
Finally, regular penetration testing can help to scan for vulnerabilities and patch them before it’s too late.