There is no doubt that ransomware has become a huge problem. In fact, many would say that it has become the number one cyber threat in the world today. This is due to the fact that ransomware is relatively hard to avoid or counter. The cybersecurity industry simply has not figured out an airtight way of dealing with this kind of threat. That being said, a lot of helpful work has been done as well. In order to develop methods of prevention and mitigation and make them more effective, it is necessary for us to think about the ways in which ransomware is delivered and deployed.
The Ransomware Process
Before we get into any specific methods, it is important to understand how ransomware works. Typically, the process is carried out in stages, with the actual ransom payment being the final stage and the end goal. These stages are:
1. Fingerprinting: During this stage the attacker scouts out the environment and makes a plan of attack.
2. Propagation: This is the stage where the ransomware is installed.
3. Communication: The ransomware program communicates with the attacker.
4. Mapping: The ransomware scans the target drive for files to encrypt.
5. Encryption: All targeted files are scrambled with a unique password.
6. Lock and threaten: This is where the hammer gets dropped and the ransom demand is made.
Most of these stages are just preparation for the main event, which is the ransom demand. Some programs will also corrupt the drive itself, making recovery that much harder. However, most ransomware variants do not use this feature because that also makes it harder for the attacker to access the data.
Phishing Is Still The Main Method
You have probably been warned about clicking strange links or attachments in your emails. There is good reason for this warning, as email phishing remains the most popular method of cyber-attack. Ransomware is no exception to this trend. Before such a program can do its dirty work, it must start by getting a foothold and phishing can provide that.
Phishing works by trickery rather than technology. The attacker impersonates a trusted entity or person, directing you to follow a link and enter some credentials. Of course, the page will be fake. The “imposter” page will log your every keystroke or use a screen capture function if the password is displayed while typing.
Either way, the result is the same: The victim is tricked into revealing usernames, passwords, and/or other identifying information. In the case of ransomware, those credentials are then used to authorize the download and installation of a malware program.
Tainted File Attachments
Links generally seem less suspicious to people, and that is why they are used more often. In the course of navigating the internet, most of us click on HTTP links without giving it much thought. However, email attachments have also proven to be one of the more common ransomware vectors. These emails will normally impersonate some kind of business/work email since it is more common to receive email attachments in that
File attachments allow the attacker to trick you into directly downloading the malware, which is much simpler for them. These attachments may not look like executable files, but appearances can be deceiving. The executable (usually a portable one) can be hidden inside other files. Thus, the attachment may look like a simple Word document, a spreadsheet, a ZIP file, or just a notepad file.
In many cases, this approach requires the victim to enable macros on their machine. Macros are automated commands that are usually executed in groups. Needless to say, a hacker can make full use of this feature. If an app is trying to make you enable this feature, you should pretty much always say “no.”
Believe it or not, you don’t actually have to be a hacker or even a computer expert to utilize malware. Some cyber-criminals will rent out their software to paying customers, who will then use the software for their own illicit ends. When ransomware is the product, this kind of thing is usually called RAAS (Ransomware As A Service).
As bad as this picture sounds, there is a silver lining. Most RAAS attacks are essentially the actions of opportunistic predators. That’s a fancy way of describing predators who only go for the easy prey. Because RAAS attackers tend to be less technically proficient, most of the functions will be automated and unguided. Thus, such attacks are not as likely to succeed.
Remote Desktop Exploits
Remote desktop is a common Windows feature that enables another computer to access and configure the host system. These connections will normally use port 3389, although that is not an absolute rule. Thus, an attacker just has to steal or forge admin credentials, and they can configure your device in whatever way they wish. They can also gain access by attacking the server.
Thankfully, this attack method is easy to defeat. Simply keep Remote Desktop Protocol (RDP) turned off unless it is being put to legitimate use. If you have to enable RDP for support purposes, turn it back off as soon as the service is complete. You should also make sure that you do not operate with port 3389 open unless there is a specific reason to do so.
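As an added example (not from the original post), the following PowerShell script audits the three things the advice above cares about: whether RDP is enabled in the registry, whether anything is listening on port 3389, and whether the built-in "Remote Desktop" firewall rules are open; run with -Disable it turns RDP off. It assumes an elevated prompt on Windows 8 / Server 2012 or later, where the NetSecurity and NetTCPIP cmdlets exist.

```powershell
# Added example, not code from the original post.
# Audit Remote Desktop on a Windows host and, with -Disable, turn it off.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
param([switch]$Disable)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 1 means incoming RDP connections are denied (RDP off).
$deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabledInRegistry = ($deny -eq 0)

# Is anything listening on the default RDP port? RDP can be moved to another
# port, so an empty result here is not proof on its own that RDP is off.
$listening = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue

# Are the built-in "Remote Desktop" firewall rules enabled (i.e. the port is open)?
$fwOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
          Where-Object { $_.Enabled -eq 'True' }

[pscustomobject]@{
    RdpEnabledInRegistry = $rdpEnabledInRegistry
    ListeningOn3389      = [bool]$listening
    FirewallRulesOpen    = [bool]$fwOpen
} | Format-List

if ($Disable) {
    # Deny incoming RDP connections and close the firewall rules that allow them.
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'Remote Desktop disabled. Re-enable it only for the duration of a support session.'
}
```

Run it without -Disable first to see the current state; any host that reports all three as False has RDP closed the way the text recommends.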
This is just as sneaky and criminal as it sounds. Sometimes, a malicious website can download malware to your computer, even if you don't click on anything. This is done through scanning tools that quickly identify vulnerabilities in your system and deliver the malicious code through them. This is why you should be careful about the sites you visit.
Good cybersecurity is not easy to achieve these days, but a good IT support provider can do a lot to help. Without proper precautions, you might very well be a sitting duck. If you need help protecting yourself from ransomware, or if you just need small business computer support, you should call PCH Technologies at (856) 754-7500.