Top 3 Ransomware Entry Points Used by Cyber Criminals

Top 3 Ransomware Entry Points Used by Cyber Criminals

In the past 2 years, ransomware attacks have grown by leaps and bounds with the average ransom demand surging from roughly USD 10,000 to a whooping USD 100,000. While there is a lot of discussion around whether companies should pay the ransom or not, based on our cyber threat intelligence and monitoring of the deep and dark web – we bring you a comprehensive list of the common entry points for ransomware into an organization.

During our analysis, we found that the top ransomware groups continue to use emails to start their attack chain. But unlike in the past, emails are just steppingstones used indirectly to launch a lethal attack. According to CYFIRMA researchers, the most common and often-exploited entry points for ransomware groups are as follows:

Phishing for Access to Remote Services

To gain access to the remote access services like RDP/ VPN servers, the threat actors resort to phishing activities to get hold of the credentials. There are several instances, wherein, these groups also employ the credential dumps available on dark web forums. Before the rampant use of phishing, cyber criminals would leverage downloaders as the initial payload. It is since 2020, that there has been a spike in the volume of phishing as an initial payload for a ransomware attack.

One of the recent reports reveals that close to 260,642 phishing attacks in July 2021 took place in the US alone. Given that humans are the weakest links in a cybersecurity framework, CYFIRMA Cyber Threat Intelligence (CTI) suggests organizations consider advanced threat intelligence capability to complement their email security solutions. For an organization, a robust email security strategy should include:

• a) Full-scale visibility of email threats being faced;
• b) Implementation of solutions that can correlate and analyze such threat data;
• c) Understanding of who and what is being targeted;
• d) Identify steps to counter email threats; and
• e) Mark external emails with a banner denoting the email are from an external source to assist users in detecting spoofed emails.

Leveraging Vulnerable Systems

Vulnerable systems are another low-hanging fruit for ransomware attackers. Some of the most frequently exploited vulnerable internet-facing services include SSL VPN (Fortinet, Citrix, Pulse, SonicWall, etc.), Microsoft Exchanger Servers, Telerik UI-based web interfaces. To overcome all kinds of prospective cyberattacks (ransomware or otherwise), CTI suggests:

1. Implementation of an advanced endpoint protection solution (EDR) that provides detection/prevention of malicious activities that do not rely on signature-based detection methods.
2. Updating all applications/software regularly with the latest versions and security patches alike.
3. In case of running a vulnerable version at any point in time, disable all VPNs (SSL-VPN or IPSEC) until the following remediation steps have been taken:

• a) Immediately upgrade to the latest available release
• b) Regardless of the upgrade, reset user password
• c) Consider all credentials as potentially compromised and initiate an organization-wide password reset
• d) Contact users to reset their passwords explaining the reason.
• e) Leverage third-party credential leak monitoring services.

Exploit Emails to Deliver Malware

Ransomware attack groups are also known to deliver vicious malware into their target’s infrastructure. And it is through emails that these groups execute malware implants. Hackers’ modus operandi include attaching malicious .xls and .doc in the emails. When unsuspecting victims open these documents, macros will execute, run payload, and load malware on the computers.

According to CTI, organizations should:

1. Establish a robust plan to identify assets by leveraging a risk-based approach along with the Defense-in-Depth (DiD) method as part of the organization’s security strategy to minimize the risk exposure of vulnerabilities to an acceptable level for an organization.
2. Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.

As per researchers at CYFIRMA, ransomware attacks are all set to evolve constantly in the upcoming years. We predict that

1. Operational technology is the next target for ransomware attackers;
2. IoT will be used heavily as the entry point for ransomware; and
3. Ransomware attacks on third-party software are all set to grow.

Additional Reading:

Double Extortion Ransomware Attack-The Achilles Heel for Organizations (cyfirma.com)

Counter Ransomware Evolution with Zero Trust in 2021 – CYFIRMA