“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” These words were written over 2500 years ago, but they are still relevant to the world of cybersecurity today. Knowing ransomware attack vectors is the best way to plan your cyber defenses and keep your organization running smoothly.
Ransomware attacks, and therefore ransomware recovery efforts, are growing in scope and complexity, yet an astonishing number of attacks still exploit painfully obvious weaknesses. The good news is that a few simple precautions can stop the vast majority of attacks in their tracks.
This article will cover a few of the most common ransomware attack vectors and the best ways to prevent hackers from taking advantage of them.
The Most Common Ransomware Attack Vectors
Phishing
Phishing is the most common ransomware attack vector by a fair margin. This means that humans, not computers, are the weakest link when it comes to cybersecurity.
Phishing almost always involves gaining a victim’s trust. Trust can be gained in many ways; often it is by impersonating a trusted party such as a bank or a client and then tricking the victim into clicking a malicious link or opening a malicious attachment.
Some phishing attacks come via mass emails or websites that appear to be legitimate. Others are highly targeted and may involve hacking the email account of a trusted colleague. The attacker might even study the writing style and work patterns of a victim for weeks, so that when they strike, the phishing email appears completely believable.
Phishing attacks can involve phone calls, SMS, emails, and just about any other communication medium. So how do you protect yourself from such sophisticated scams?
- Education is key. Attackers are always refining their techniques, so it’s important to stay up to date with the latest methods. This could take the form of a monthly staff briefing in which the team gets a rundown of the latest observed phishing attacks.
- Establish protocols for handling links and attachments. All kinds of attachments, even PDFs, can contain malware. Unfortunately, link-scanning software is not foolproof, so it is often best to speak in person before opening any unusual or unexpected link.
- Strictly segregate personal and work activities. Many phishing attacks have succeeded because employees used work computers for personal browsing.
- Always double-check URLs. Fake links often look nearly identical to the real thing but have an extra letter or number added.
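The "extra letter or number" check above can be automated for a known list of trusted domains. The following is an added example, not code from the original article; the trusted domain names are constructed, and the edit-distance threshold of 2 is an assumption you may tune.

```python
from urllib.parse import urlparse

# Constructed sample list of domains the organization trusts; replace with your own.
TRUSTED = {"examplebank.com", "mycompany.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of inserted, deleted or substituted characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of the host (sufficient for .com-style names)."""
    return ".".join(host.split(".")[-2:])

def classify_url(url: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a URL."""
    if "://" not in url:
        url = "http://" + url           # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"            # exact match or legitimate subdomain
    base = registrable(host)
    for good in trusted:
        # One or two added, dropped or swapped characters (examplebank1.com, examplebamk.com)
        if edit_distance(base, good) <= 2:
            return "lookalike"
        # Trusted name embedded in an unrelated domain (examplebank.com.login-secure.net)
        brand = good.split(".")[0]
        if brand in host and base != good:
            return "lookalike"
    return "unknown"
```

A result of "lookalike" is a reason to stop and verify out of band; "unknown" only means the host is not on the trusted list.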
Remote Desktop Protocol (RDP)
After phishing, Remote Desktop Protocol (RDP) is one of the most exploited ransomware attack vectors. RDP is very useful for accessing a device remotely, and its use increased significantly during the COVID-19 crisis. However, exposed RDP services also give attackers a very convenient way to gain total control of a system.
Most RDP attacks are brute-force attacks: the attackers simply try a list of common passwords with an automated tool until one matches. In many cases, this step is not carried out by the ransomware operator but by a different criminal who specializes in gaining access to networks.
These criminals are called initial access brokers. When they gain access to a network, they gather some information about it (i.e. the type of organization, how much money it is likely to have, etc.) and then sell the access to other attackers at a price based on how valuable a target it is.
A few simple measures can prevent all RDP attacks.
- The first step to preventing RDP attacks is to close every RDP port that does not need to be open; RDP listens on port 3389 by default. A huge number of attacks take place via open RDP ports that never needed to be open at all. Many people need RDP only rarely, in which case the port can be opened only for as long as necessary.
- Next, use strong, unique passwords. This makes a brute-force attack much less likely to succeed.
- Two-factor authentication tied to an email address or phone number adds another layer of security. It is slightly inconvenient, but it makes it almost impossible for an attacker to gain access via RDP.
- Limiting access by IP address is a good compromise between convenience and security. It involves whitelisting approved IP addresses and blocking all others. However, this can still fail if the attacker is already inside the network and looking to spread further through it.
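The brute-force pattern described above leaves a clear trace in the Windows Security log: a burst of failed logons (event 4625) from one source with logon type 10 (RemoteInteractive, i.e. RDP), sometimes followed by a success (event 4624). The detector below is an added example, not code from the original article; the log lines are a constructed, simplified text export of those events, and the allowlist network and the threshold of five failures in five minutes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample of Windows Security events in a simplified text export:
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2024-05-01T02:14:04Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45
2024-05-01T02:14:05Z EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.45
2024-05-01T02:14:06Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2024-05-01T02:14:07Z EventID=4625 LogonType=10 Account=svc_sql SourceIP=203.0.113.45
2024-05-01T02:14:09Z EventID=4624 LogonType=10 Account=administrator SourceIP=203.0.113.45
2024-05-01T09:01:10Z EventID=4625 LogonType=10 Account=jsmith SourceIP=10.0.0.12
2024-05-01T09:02:05Z EventID=4624 LogonType=10 Account=jsmith SourceIP=10.0.0.12
"""
LINE_RE = re.compile(r"(\S+) EventID=(\d+) LogonType=(\d+) Account=\S+ SourceIP=(\S+)")
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed RDP allowlist

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for sources with `threshold` or more failed RDP
    logons inside `window`, noting allowlist status and any later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        eid, logon_type, ip = int(m[2]), int(m[3]), m[4]
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        if eid == 4625:
            failures[ip].append(ts)
        elif eid == 4624:
            successes[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for start in range(len(times) - threshold + 1):   # sliding window
            if times[start + threshold - 1] - times[start] <= window:
                addr = ipaddress.ip_address(ip)
                alerts[ip] = {
                    "failures": len(times),
                    "outside_allowlist": not any(addr in net for net in ALLOWED_NETS),
                    "success_after_burst": any(s > times[start] for s in successes[ip]),
                }
                break
    return alerts
```

A source flagged with both "outside_allowlist" and "success_after_burst" means the password spray worked from an address that should never have reached RDP, which is the point at which the IP restriction or two-factor authentication above should have stopped it.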
Software Vulnerabilities
While less common than phishing and RDP attacks, software vulnerabilities are still an important ransomware attack vector that deserves attention. These vulnerabilities are flaws in software that allow attackers to gain access to a system.
- Always install updates promptly. Follow news about zero-day vulnerabilities and adjust your defenses accordingly.
- Don’t use out-of-date software. In some cases, this may mean you need to upgrade your hardware. It may be a tough pill to swallow, but the damage from a ransomware attack can be far more expensive than the cost of upgrading your systems.
- Carefully vet cloud service providers. Cloud software is increasingly common, and if attackers compromise a cloud service provider’s systems, they can also compromise the systems of its clients. Check that a provider has strong, independently audited security practices before signing a contract.
- Conduct regular penetration testing. This can help to find vulnerabilities and patch them before hackers do.
Many sophisticated ransomware attacks combine multiple attack vectors. For example, attackers might gain initial access through a poorly secured RDP port and then conduct reconnaissance; after learning more about the network, they might use software vulnerabilities and phishing to reach more of it and gain access to backups.
It’s important to give attention to all of these attack vectors. This is not a one-off effort; it requires continuous maintenance. For example, when employees leave, their computers are sometimes left with permissions that are no longer needed, and attackers take advantage of these “open doors.” Regular security audits are needed to keep security configured and tuned.
Everyone who comes into contact with IT systems needs to have some cybersecurity awareness. It’s also important for employers to screen new potential hires for their aptitude at detecting and preventing phishing attacks.
If it seems like a lot, don’t worry. Just do what you are able, and do it regularly. A little bit of effort can go a long way when it comes to preventing ransomware attacks.