Ransomware hits the headlines almost daily. And most incidents target large corporations with enough capital to justify the attack. But sometimes ordinary people get infected as well. Some attackers choose small but constant collections with a “spray-and-pray” approach. And in light of recent events, we can see increased attacks on consumers. So today, we’ll look at the primary attack vectors that attackers use to infect us with data-encrypting malware.
Ransomware is malware that can encrypt data in order to make money. Typically, attackers leave a ransom note. It contains instructions on how to pay them to get the decryption key. And with the advent of digital, untraceable currencies such as bitcoin, the number of attacks has increased over the past decade. Next, we’ll look at five of the most common ransomware deployments that attackers use.
Warez Sites, Torrents, and Cracked Applications
The most common places for ransomware infections are warez and torrent sites. There, people usually download pirated content or unofficial software packages that are unlikely to be verified. Hence, these questionable media are ideal places for ransomware to spread. Attackers upload their malware inside of the hacks for popular games, or movies – and advertise them as clean and safe. Trusting users download malware-infected files and, in an attempt to run them, deploy the ransomware with their own hands.
To prevent ransomware infection, avoid unofficial software repositories, warez sites, and illegal torrents! Piracy is terrible in itself. The use, distribution, and creation of hacks for the software are illegal and entail criminal liability. There is also a good chance that you will get a ransomware program on your computer instead of free software.
Today, phishing emails are the most common method of distributing malware to hackers and government-sponsored hacker organizations. Hackers have become more masterful at creating emails that trick employees into clicking on links or downloading a file with malicious code. The old phishing emails from a Nigerian prince who wants to share part of his fortune with you (for a small fee) are far from the past. They have now been replaced by compelling emails replicating the company’s logo and branding. These phishing emails may come in many shapes, sizes, and colors, but they have one thing in common: a sense of urgency.
One sign of a phishing email is the sender’s email address. The sender may appear legitimate in most cases, such as “Microsoft-Support.” However, the associated email address is something fake, such as [email protected]. In attachments, hackers use standard file formats such as Word, PDF, Excel, and ZIP to make the message less suspicious. If the attachment is opened, the ransomware immediately delivers its payload by encrypting and storing the files for the hacker. Let your internal IT security team know if you receive an email and think it’s a phishing email. They will be able to evaluate it and block it if necessary. If you don’t have an internal IT security group, block it in your spam filter and delete it.
Tech Support Scams
Another seemingly no obvious way to get infected with ransomware is by cheating with technical support. This can be related to the previous point, but it is better to mention it separately. In this case, scammers target vulnerable populations, such as the elderly. They trick the victim into giving them remote access to their computer, then launch an attack. There have been known cases where tech support scammers have carried out attacks without even using actual ransomware. Instead, they have used Syskey. This Windows NT component encrypts the Security Account Manager (SAM) database using a 128-bit RC4 encryption key. Decades later, Syskey was removed in Windows 10 because it was abused in ransomware attacks, and its cryptography became insecure as technology evolved.
Remote Desktop Protocol (RDP)
One way to deploy Ransomware can be the RDP protocol. RDP usually initiates requests on port 3389. This port can become a gateway for ransomware attacks if it is open. Attackers use port scanners to find systems on the Internet with open ports. Once the systems are identified, they will try to use brute force attacks to log in as an administrator. Since Microsoft Windows is used in over 90% of the world’s countries, criminals have plenty of opportunities to steal data, especially from small businesses. Fortunately, this problem is solvable, and there are several steps you can take to protect RDP endpoints.
- First, change the default port 3380.
- Then enable two-factor authentication for remote sessions and require network-level authentication from new users.
- Use a VPN to restrict access to corporate users.
- Also, if possible, disable open connections and close ports when not in use.
Drive-by Downloads From a Compromised Website
Another way in which attackers can deliver ransomware is drive-by downloads. These malicious downloads are performed without the user’s knowledge when they visit a compromised website. Attackers often exploit known vulnerabilities in the software of legitimate websites to initiate drive-by downloads. Then they use these vulnerabilities to inject malicious code into a site or redirect the victim to another site that they control and that hosts exploit kits. They allow hackers to silently scan the visited device for specific weaknesses and, if detected, execute the code in the background without the user pressing a button. The unsuspecting user is suddenly confronted with a ransom note warning him of the infection and demanding that he pay to gain access to the files.
At first glance, this may seem like something found only on small, obscure sites, but it is not. Drive-by downloads are not limited to little-known sites. They occur on some of the most popular sites in the world, including the New York Times, BBC, and NFL. All of them have been attacked by ransomware through hijacked ads. Also among the popular ransomware programs exploiting victims through drive-by downloads are the following:
- Princess Locker
Ransomware has become a favorite way for cybercriminals to generate revenue. It is easy to buy on the darknet through the Ransomware-as-a-Service (RaaS), and attacks are relatively easy to launch using one of the above methods. Therefore, organizations need to be aware of how attacks can target their systems and to proactively take steps as part of a layered approach to security to protect themselves and ensure business continuity. The easiest way to become a victim of ransomware is to not be proactive in your defense strategy. Attackers often choose low-hanging fruit, relying on human error and sophisticated software to spread the infection. So don’t underestimate the importance of self-education about the latest malware trends and how to bolster your system’s defenses.
Gridinsoft has been stopping ransomware attacks for years to ensure business continuity and productivity. Try Ransomware Protection, a protection tool for Windows, to detect and protect against destructive attacks.