Ransomware is everywhere. It infiltrates and disrupts organizations of every kind, from healthcare providers and schools to retailers and energy pipelines.
But do you know how ransomware finds its way onto its victims' systems? Or how it could get into yours? The key to preventing ransomware is knowing how it gets in. Once you understand the top ransomware attack vectors, you know which cybersecurity controls and mitigations to put in place to make your organization as resilient as possible to infection.
The top three ways ransomware gets onto victims' systems are social engineering and phishing, Remote Desktop Protocol (RDP) and credential abuse, and exploitable software vulnerabilities. Let's look at these three common ransomware attack vectors and how best to secure them to prevent an infection.
1. Social engineering and phishing, phishing, phishing
Phishing, the most common type of social engineering, continues to be the No. 1 attack vector for all kinds of malware, including ransomware, because it continues to work, and nothing succeeds like success. Attackers favor email because it lands in employees' inboxes, which are read on corporate endpoints inside corporate networks. The attacker therefore has high confidence that email-borne malware, if opened, has reached a valuable target.
Phishing emails are dressed up to match whatever users are most likely to be interested in at the moment. For example, nothing draws clicks like the promise of a quicker tax refund in April or a great deal on electronics ahead of Black Friday or Cyber Monday. Once the email is in the inbox, a single click on an attachment or malicious link is enough for a dropper to install and then fetch the ransomware payload.
Other social engineering scams used to trick users into downloading malware include smishing, text- or SMS-based phishing; vishing, voice phishing over the phone; and spear phishing, highly targeted phishing attacks.
How to prevent social engineering and phishing
- Security awareness training builds a workforce that acts as a powerful first line of defense. Rather than shaming employees who click, reinforce the behavior you want: for example, celebrate a "Catch of the Month" for the employee who finds and reports the most interesting phishing attempt. Reports only help if they are easy to make, so give users a simple way to report a suspicious message.
- Technology helps prevent phishing. Email hygiene systems, especially those running in the cloud, reduce the load on your mail server and lighten employee inboxes by filtering out the low-hanging, easy-to-spot phishing emails before they reach your organization. Endpoint detection and response (EDR) systems, especially products that recognize anomalous behavior, are another line of defense: they can detect ransomware activity on the endpoint if a message gets past the email filters and the user.
2. RDP and credential abuse
Microsoft's proprietary Remote Desktop Protocol is incredibly valuable to modern enterprises because it lets administrators reach servers and desktops from virtually anywhere. If it is not protected properly, however, it lets attackers do the same thing.
Threat actors usually need legitimate credentials to abuse RDP. To acquire them, ransomware operators and other criminal gangs use a variety of techniques, including brute-force password guessing, buying credentials on criminal marketplaces and credential stuffing (replaying username and password pairs leaked from other breaches). Internet-exposed RDP is found quickly by mass scanning, so any host listening on TCP port 3389 to the internet should be assumed to be under constant password guessing.
How to protect RDP and prevent credential abuse
- Add and require multifactor authentication (MFA) for remote access. Even with valid credentials, an attacker can't reach the system without the additional factor, whether that's a one-time code, a hardware token or a text message. Not all factors are equal: SMS codes can be intercepted through SIM swapping and one-time codes can be phished along with the password, so prefer phishing-resistant factors such as FIDO2 hardware keys where you can.
- Lock down remote system access further by using VPNs and restricting admin access to a single-purpose device, such as a jump server or a privileged access workstation. Attackers must then compromise the jump server or workstation before they can even attempt to reach the target server via RDP.
- Consider keeping admin ports closed and opening them only when a legitimate, verified user requests access (just-in-time access). Admins can still do their jobs, but the systems aren't exposed to attack around the clock.
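Whichever of the controls above you deploy, you still want to see the password guessing and credential stuffing described in this section when it happens. The script below is an added example written for this article, not code from the original page or from any vendor's product. It runs over a constructed set of parsed Windows Security log records (event 4625 failed logons and 4624 successful logons, logon type 10 for RDP); the field names, the five-minute window and the thresholds are this example's own assumptions and would be tuned in a real deployment.

```python
"""Flag RDP password guessing in Windows Security log events.

Added example for this article, not code from the original page. The events
are constructed to look like parsed Security log records; the field names,
window and thresholds are assumptions a real deployment would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # "An account failed to log on"
SUCCESS_LOGON = 4624  # "An account was successfully logged on"
RDP_LOGON_TYPE = 10   # Logon Type 10 = RemoteInteractive (RDP)


def _event(ts, event_id, user, ip, logon_type=RDP_LOGON_TYPE):
    """Build one parsed event record (field names are this example's own)."""
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "user": user, "ip": ip, "logon_type": logon_type}


# Constructed sample log (RFC 5737 documentation addresses):
#  * 203.0.113.5 fails 12 times against "administrator" in two minutes, then
#    succeeds: a brute-force attempt that worked.
#  * 198.51.100.7 tries six different accounts once each: credential stuffing.
#  * 10.0.0.4 mistypes a password twice and then logs in: normal admin noise.
#  * 10.0.0.9 is a network (type 3) logon failure and is out of scope here.
SAMPLE_EVENTS = (
    [_event(f"2024-05-01T02:{i // 6:02d}:{(i % 6) * 10:02d}", FAILED_LOGON,
            "administrator", "203.0.113.5") for i in range(12)]
    + [_event("2024-05-01T02:02:05", SUCCESS_LOGON, "administrator", "203.0.113.5")]
    + [_event(f"2024-05-01T02:10:{i * 5:02d}", FAILED_LOGON, user, "198.51.100.7")
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_event("2024-05-01T02:20:00", FAILED_LOGON, "alice", "10.0.0.4"),
       _event("2024-05-01T02:20:15", FAILED_LOGON, "alice", "10.0.0.4"),
       _event("2024-05-01T02:20:40", SUCCESS_LOGON, "alice", "10.0.0.4"),
       _event("2024-05-01T02:30:00", FAILED_LOGON, "svc-backup", "10.0.0.9", logon_type=3)]
)


def _burst(times, n, window):
    """True if any n of the timestamps fall inside one window."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window
               for i in range(len(times) - n + 1))


def detect_rdp_attacks(events, window=timedelta(minutes=5),
                       fail_threshold=10, user_threshold=5):
    """Return sorted (kind, source_ip, detail) findings for RDP logons only."""
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    fails_by_pair = defaultdict(list)  # (ip, user) -> failure timestamps
    users_by_ip = defaultdict(set)     # ip -> distinct accounts that failed
    for e in rdp:
        if e["event_id"] == FAILED_LOGON:
            fails_by_pair[(e["ip"], e["user"])].append(e["ts"])
            users_by_ip[e["ip"]].add(e["user"])

    findings = []
    for (ip, user), times in fails_by_pair.items():
        if _burst(times, fail_threshold, window):
            findings.append(("brute_force", ip, user))
    for ip, users in users_by_ip.items():
        if len(users) >= user_threshold:
            findings.append(("credential_stuffing", ip, f"{len(users)} accounts"))

    # A successful RDP logon from a source already flagged is the event that
    # matters most: it is the moment the attacker has a foothold.
    flagged = {ip for _, ip, _ in findings}
    for e in rdp:
        if e["event_id"] == SUCCESS_LOGON and e["ip"] in flagged:
            findings.append(("success_after_attack", e["ip"], e["user"]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_attacks(SAMPLE_EVENTS):
        print(f"{kind:22} {ip:15} {detail}")
```

Two design points are worth carrying into a real detection. First, the three patterns need different keys: brute force is many failures for one (source, account) pair, while credential stuffing is one source spraying many accounts with one failure each, so a rule that only counts failures per account misses it. Second, the success-after-attack finding is the one to page on; the failures alone tell you the door is being rattled, the success tells you it opened.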
3. Exploitable software vulnerabilities
The third ransomware attack vector is exploitable software vulnerabilities: unpatched internet-facing systems, including websites and VPN servers. Any system that faces the internet and isn't patched and hardened can be the way in.
Because modern software supply chains are complex, remember that websites are built from plugins and libraries, and that many low-code/no-code workflows connect to a web of external services and functions. A vulnerability in any one of those components can be a ransomware attack vector even when your own code is sound.
How to eliminate exploitable software vulnerabilities
- If your organization has no patch management program, or the one it has lapsed, fix that now.
- Ensure all the systems your organization uses, especially public-facing ones, are up to date on patches.
- For software and workflows, implement an application lifecycle management (ALM) program to inventory and track the applications and services in use at the organization.
- Use software bills of materials (SBOMs), which inventory the components that make up a piece of software. This practice is gaining traction because it gives transparency into what is actually deployed, and with it better control.
When a new vulnerability is disclosed, including a zero-day already being exploited, companies with an ALM program and SBOMs don't need to wonder whether they are affected; they can query their inventory and know.
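To make that last point concrete, here is an added example of the query an SBOM makes possible. It is written for this article and is not code from the original page or from any SBOM tool. The SBOM is a constructed CycloneDX-style document with hypothetical product and library names (web-portal, reporting, otherlib, libexample), and the advisory is a made-up record with a placeholder ID, not a real CVE. The version comparison assumes plain dotted numeric versions; real ecosystems (semver, PEP 440, Maven) each have their own ordering rules that a production tool must implement.

```python
"""Answer "are we affected?" by querying an SBOM when an advisory arrives.

Added example for this article, not code from the original page or any
vendor's tool. The SBOM is a constructed CycloneDX-style document with
hypothetical product and library names, and the advisory is a made-up
record (not a real CVE). Versions are assumed to be plain dotted numbers;
real ecosystems (semver, PEP 440, Maven) each need their own comparison.
"""
import json
from collections import defaultdict

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:generic/web-portal@3.1.0", "name": "web-portal", "version": "3.1.0"},
    {"bom-ref": "pkg:generic/reporting@1.0.0",  "name": "reporting",  "version": "1.0.0"},
    {"bom-ref": "pkg:generic/otherlib@2.0.0",   "name": "otherlib",   "version": "2.0.0"},
    {"bom-ref": "pkg:generic/libexample@1.4.2", "name": "libexample", "version": "1.4.2"},
    {"bom-ref": "pkg:generic/libexample@1.4.5", "name": "libexample", "version": "1.4.5"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/web-portal@3.1.0", "dependsOn": ["pkg:generic/otherlib@2.0.0"]},
    {"ref": "pkg:generic/otherlib@2.0.0",   "dependsOn": ["pkg:generic/libexample@1.4.2"]},
    {"ref": "pkg:generic/reporting@1.0.0",  "dependsOn": ["pkg:generic/libexample@1.4.5"]}
  ]
}
"""

# Hypothetical advisory: libexample from 1.2.0 up to (not including) 1.4.5.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",  # placeholder, not a real identifier
    "affected": [{"name": "libexample", "introduced": "1.2.0", "fixed": "1.4.5"}],
}


def parse_version(text):
    """Dotted-numeric versions only (an assumption of this example)."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, rng):
    """True if version is in [introduced, fixed); a missing bound is open."""
    v = parse_version(version)
    lo = parse_version(rng["introduced"]) if rng.get("introduced") else None
    hi = parse_version(rng["fixed"]) if rng.get("fixed") else None
    return (lo is None or v >= lo) and (hi is None or v < hi)


def load_sbom():
    """Parse the embedded (constructed) SBOM document."""
    return json.loads(SBOM_JSON)


def exposure(sbom, advisory):
    """Map each affected component ref to every ref that depends on it,
    directly or transitively, so you know which deployed product is exposed."""
    reverse = defaultdict(set)  # dependency ref -> refs that depend on it
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            reverse[dep].add(entry["ref"])

    def dependents(ref):
        seen, stack = set(), [ref]
        while stack:
            for parent in reverse.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return sorted(seen)

    hits = {}
    for comp in sbom.get("components", []):
        for rng in advisory["affected"]:
            if comp["name"] == rng["name"] and is_affected(comp["version"], rng):
                hits[comp["bom-ref"]] = dependents(comp["bom-ref"])
    return hits


def check_exposure():
    """Run the advisory against the embedded SBOM."""
    return exposure(load_sbom(), ADVISORY)


if __name__ == "__main__":
    hits = check_exposure()
    if not hits:
        print(f"{ADVISORY['id']}: not present in the SBOM")
    for ref, parents in hits.items():
        print(f"{ADVISORY['id']}: {ref} is affected; used by {', '.join(parents) or 'nothing'}")
```

In the constructed data the vulnerable libexample 1.4.2 is not a direct dependency of anything customer-facing; it comes in through otherlib, and the reverse-dependency walk is what surfaces web-portal as the exposed product. The same walk shows that reporting, which pins the fixed 1.4.5, is not affected, which is exactly the answer you want to give an executive asking "are we exposed?" within minutes of a disclosure.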