Ransomware is seemingly everywhere right now. This disruptive malware infiltrates and disrupts everything from healthcare organizations to energy distribution pipelines.
But do you know how ransomware finds its way onto its victims' systems? Or how it could get into your systems? The key to preventing ransomware is knowing how it gets in to begin with. Once the top three ransomware attack vectors are understood, you'll know which controls and mitigations to put in place to make your organization as resilient as possible to ransomware infection.
Ransomware attack vectors and mitigations
The top three ways ransomware gets onto victims' systems are phishing, Remote Desktop Protocol (RDP) and credential abuse, and vulnerabilities. Let's take a look at these three vectors and how to best secure them to prevent a ransomware infection.
1. Phishing, phishing, phishing
Phishing continues to be the No. 1 attack vector for all kinds of malware, including ransomware, because it continues to work -- and nothing succeeds like success. Attackers target email especially because it arrives in employees' inboxes, which generally reside on corporate endpoints and networks. The attacker, therefore, has high confidence that email-borne malware -- if opened -- has reached a valuable target.
Phishing emails can be disguised in a variety of ways to keep pace with topics users are most likely to be interested in. For example, nothing leads to clicks like the promise of a quicker tax refund in April or a great deal on electronics ahead of Black Friday or Cyber Monday. And, once the email is in, all it takes is a quick click of an attachment or malicious link for dropper malware to install and then download ransomware payloads.
How to prevent phishing
- Security awareness is often dismissed by the technical community, but a well-trained and security-aware workforce is a powerful line of defense. Rather than shaming employees for clicking, look to model behavior with positive feedback. For example, celebrate the "Catch of the Month" for the employee who finds and reports the most interesting phishing attempt.
- Technology is also key to phishing prevention. Email hygiene systems, especially those running in the cloud, can reduce load on your mail server and lighten employee inboxes by filtering out the low-hanging, easy-to-spot phishing emails before they get to your organization. Endpoint detection and response systems, especially products that recognize anomalous behavior, are a late line of defense that can catch ransomware activity if it gets past email filters and users.
2. RDP and credential abuse
Microsoft's proprietary Remote Desktop Protocol is incredibly valuable to modern enterprises because it enables administrators to access servers and desktops from virtually anywhere. If not protected properly, however, it can also enable attackers to do the same thing.
Attackers usually need legitimate credentials to exploit RDP. To acquire these credentials, ransomware operators and other criminal gangs use a variety of techniques, including brute force, purchasing them from criminal sites and credential stuffing.
How to protect RDP and prevent credential abuse
- Add and require multifactor authentication for remote access. Even with valid credentials, an attacker won't be able to access the system without the additional authentication factor, whether it's a one-time code, dongle or text message.
- Lock down remote system access further by using VPNs and restricting admin access to a single-purpose device, such as a jump server or a privileged access workstation. This means attackers must infiltrate the jump server or workstation before they can attempt to access the remote server via RDP.
- Consider keeping the admin ports closed and opening them only when a legitimate, verified user requests access. This way admins can still do their jobs, but systems aren't open to potential attack around the clock.
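The brute-force and credential-stuffing activity described above leaves a trail in Windows Security logs, and the controls listed here are easier to justify once you can see it. The following is an added example, not code from the original article: it runs simple detection logic over constructed, simplified Windows logon event records (event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags sources with a burst of failures, escalating when a success follows. The record layout and sample IPs are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Windows Security event records (not real logs).
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2024-03-01T02:00:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2024-03-01T02:00:05", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2024-03-01T02:00:08", "event_id": 4625, "logon_type": 10, "user": "svc_sql", "src": "203.0.113.7"},
    {"time": "2024-03-01T02:00:09", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"time": "2024-03-01T02:00:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"},
    {"time": "2024-03-01T09:15:00", "event_id": 4625, "logon_type": 10, "user": "alee", "src": "198.51.100.22"},
    {"time": "2024-03-01T09:15:30", "event_id": 4625, "logon_type": 2, "user": "alee", "src": "-"},
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold RDP logon failures inside a sliding window.

    Returns {src: {"failures": n, "users": [...], "success_after": bool}}.
    A 4624 from the same source shortly after the burst is the higher-priority
    signal: a password spray that ended in a valid logon.
    """
    by_src = defaultdict(list)
    for e in events:
        # Only RDP (RemoteInteractive) events with a usable source address.
        if e["logon_type"] != 10 or e["src"] == "-":
            continue
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e))

    alerts = {}
    for src, items in by_src.items():
        items.sort(key=lambda t: t[0])
        fails = [(t, e) for t, e in items if e["event_id"] == 4625]
        for i in range(len(fails)):
            # Failures within `window` of the i-th failure.
            burst = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1][0]
            success = any(e["event_id"] == 4624 and last_fail < t <= last_fail + window
                          for t, e in items)
            alerts[src] = {"failures": len(burst),
                           "users": sorted({e["user"] for _, e in burst}),
                           "success_after": success}
            break
    return alerts
```

With network-level authentication enabled, failed RDP attempts are often recorded with logon type 3 instead of 10, so a production rule should accept both.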
3. Exploitable vulnerabilities
The last ransomware attack vector is the "other" category, which includes the exploitability of unpatched systems, such as websites and VPN servers. Any system that is internet-facing and isn't patched and protected could be a vector for attack. Due to the complexity of modern software supply chains, don't forget that websites often include plugins and libraries. Additionally, many low-code/no-code workflows interconnect with different services and functions. A vulnerability in any of these could be a ransomware attack vector.
How to eliminate vulnerabilities
If you haven't updated your patch management program, do it now:
- First, ensure all the systems your organization uses -- especially those that are public-facing -- are up to date on patches.
- For software and workflows, implement an application lifecycle management (ALM) program to inventory and track applications and services in use at the organization.
- A software bill of materials (SBOM) is an inventory of the components used in a piece of software. It's gaining traction because it provides transparency regarding what's deployed, giving organizations better control.
If a new zero-day vulnerability hits the internet, companies using ALM and SBOMs don't need to wonder if they are affected; they will know if they are.
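The practical payoff of an SBOM is the check the last paragraph describes: when an advisory lands, match it against what is actually deployed. The following is an added example, not code from the original article: it parses a constructed CycloneDX JSON SBOM and reports the components an advisory affects. The component names, the advisory identifier and the "fixed in" version are placeholders, not real packages or vulnerabilities.

```python
import json

# Constructed sample SBOM in CycloneDX JSON form (placeholder components, not real packages).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http-lib", "version": "2.3.0",
         "purl": "pkg:pypi/example-http-lib@2.3.0"},
        {"type": "library", "name": "example-template", "version": "1.9.2",
         "purl": "pkg:npm/example-template@1.9.2"},
        {"type": "library", "name": "example-http-lib", "version": "2.4.1",
         "purl": "pkg:pypi/example-http-lib@2.4.1"},
    ],
})

# Hypothetical advisory: every version of the component below `fixed_in` is affected.
ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "name": "example-http-lib", "fixed_in": "2.4.1"}


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically ('2.10' > '2.9')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_components(sbom_json: str, advisory: dict) -> list:
    """Return the SBOM components the advisory applies to.

    Matches on component name and flags any version strictly below the fixed version.
    """
    sbom = json.loads(sbom_json)
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != advisory["name"]:
            continue
        version = comp.get("version", "")
        if parse_version(version) < fixed:
            hits.append({"purl": comp.get("purl"), "version": version,
                         "advisory": advisory["id"]})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, ADVISORY):
        print(f"{hit['advisory']}: {hit['purl']} (deployed {hit['version']})")
```

Real SBOMs nest components and use package URLs with ecosystem-specific version schemes, so a production check should key on the purl and use the ecosystem's own version comparison.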