In the past 2 years, ransomware attacks have grown by leaps and bounds with the average ransom demand surging from roughly USD 10,000 to a whooping USD 100,000. While there is a lot of discussion around whether companies should pay the ransom or not, based on our cyber threat intelligence and monitoring of the deep and dark web – we bring you a comprehensive list of the common entry points for ransomware into an organization.
During our analysis, we found that the top ransomware groups continue to use emails to start their attack chain. But unlike in the past, emails are just steppingstones used indirectly to launch a lethal attack. According to CYFIRMA researchers, the most common and often-exploited entry points for ransomware groups are as follows:
To gain access to the remote access services like RDP/ VPN servers, the threat actors resort to phishing activities to get hold of the credentials. There are several instances, wherein, these groups also employ the credential dumps available on dark web forums. Before the rampant use of phishing, cyber criminals would leverage downloaders as the initial payload. It is since 2020, that there has been a spike in the volume of phishing as an initial payload for a ransomware attack.
One of the recent reports reveals that close to 260,642 phishing attacks in July 2021 took place in the US alone. Given that humans are the weakest links in a cybersecurity framework, CYFIRMA Cyber Threat Intelligence (CTI) suggests organizations consider advanced threat intelligence capability to complement their email security solutions. For an organization, a robust email security strategy should include:
Vulnerable systems are another low-hanging fruit for ransomware attackers. Some of the most frequently exploited vulnerable internet-facing services include SSL VPN (Fortinet, Citrix, Pulse, SonicWall, etc.), Microsoft Exchanger Servers, Telerik UI-based web interfaces. To overcome all kinds of prospective cyberattacks (ransomware or otherwise), CTI suggests:
Ransomware attack groups are also known to deliver vicious malware into their target’s infrastructure. And it is through emails that these groups execute malware implants. Hackers’ modus operandi include attaching malicious .xls and .doc in the emails. When unsuspecting victims open these documents, macros will execute, run payload, and load malware on the computers.
According to CTI, organizations should:
As per researchers at CYFIRMA, ransomware attacks are all set to evolve constantly in the upcoming years. We predict that