How ransomware spreads: 9 most common infection methods and how to stop them - harlan4096 - 20 December 19
Quote:
Cybercriminals are looking for creative new ways to hold your data hostage.
However, while ransomware might be getting more sophisticated, it’s important to remember that it still has to abide by the same rules as regular old malware.
That means it still has to be distributed, it still has to infect your system before it can deliver its payload – and it can still be avoided by taking a proactive approach to security.
How does ransomware infect your computer? In this article, we’ll show you some of the most common ways ransomware propagates and how you can reduce the risk of infection.
1. Email attachments
Ransomware is commonly distributed via emails that encourage the recipient to open a malicious attachment. The file can be delivered in a variety of formats, including a ZIP file, PDF, Word document, Excel spreadsheet and more. Once the attachment is opened, the ransomware may be deployed immediately; in other situations, attackers may wait days, weeks or even months after infection to encrypt the victim’s files, as was the case in the Emotet/Trickbot attacks.
Attackers may conduct extensive research on their target (often a specific company or high-ranking individual in an organization) to create credible and very believable emails. The more legitimate the email looks, the more likely the recipient is to open the attachment.
Prevention tips
- Only open attachments from trusted senders.
- Check that the sender’s email address is correct. Remember that domain names and display names can easily be spoofed.
- Do not open attachments that require you to enable macros. If you believe the attachment is legitimate, seek guidance from your IT Department.
- Read this guide for more information on how to avoid phishing emails.
2. Malicious URLs
Attackers also use emails and social media platforms to distribute ransomware by inserting malicious links into messages. During Q3 2019, almost 1 in 4 ransomware attacks used email phishing as an attack vector, according to figures from Coveware.
To encourage you to click on the malicious links, the messages are usually worded in a way that evokes a sense of urgency or intrigue. Clicking on the link triggers the download of ransomware, which encrypts your system and holds your data for ransom.
Prevention tips
- Be wary of all links embedded in emails and direct messages.
- Double-check URLs by hovering over the link before clicking.
- Use CheckShortURL to expand shortened URLs.
- Manually enter links into your browser to avoid clicking on phishing links.
3. Remote desktop protocol
RDP, a communications protocol that allows you to connect to another computer over a network connection, is another popular attack vector. Some examples of ransomware that spread via RDP include SamSam, Dharma and GandCrab, among many others.
By default, RDP receives connection requests through port 3389. Cybercriminals take advantage of this by using port-scanners to scour the Internet for computers with exposed ports. They then attempt to gain access to the machine by exploiting security vulnerabilities or using brute force attacks to crack the machine’s login credentials.
Once the attacker has gained access to the machine, they can do more or less anything they wish. Typically this involves disabling your antivirus software and other security solutions, deleting accessible backups and deploying the ransomware. They may also leave a backdoor they can use in the future.
Prevention tips
- Use strong passwords.
- Change the RDP port from the default port 3389.
- Only enable RDP if necessary.
- Use a VPN.
- Enable 2FA for remote sessions.
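The brute-force step described above leaves a trail in the Windows Security log: repeated failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address. The script below is an added example, not code from the quoted article or from Emsisoft; it assumes those events have been exported one per line as `<ISO time> <event_id> <logon_type> <src_ip>` (a constructed sample is embedded) and flags any source that hits a threshold of failures inside a sliding window.

```python
# Added example, not from the quoted article: flag RDP brute-force sources by
# counting failed logons per source IP inside a sliding time window.
# Assumed input: Windows Security events exported one per line as
# "<ISO time> <event_id> <logon_type> <src_ip>"; Event ID 4625 is a failed
# logon and logon type 10 is RemoteInteractive (RDP). The sample is constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-12-20T08:00:01 4625 10 203.0.113.7
2019-12-20T08:00:03 4625 10 203.0.113.7
2019-12-20T08:00:04 4625 10 203.0.113.7
2019-12-20T08:00:06 4625 10 203.0.113.7
2019-12-20T08:00:08 4625 10 203.0.113.7
2019-12-20T08:00:30 4625 2 192.0.2.10
2019-12-20T08:01:00 4625 10 198.51.100.5
2019-12-20T09:10:00 4625 10 198.51.100.5
2019-12-20T08:00:11 4624 10 203.0.113.7
"""

def parse_events(text):
    """Yield (timestamp, event_id, logon_type, src_ip) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, ip = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), ip

def rdp_bruteforce_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs with >= threshold failed RDP logons inside one window.
    Only 4625 events with logon type 10 count, so console or network logon
    failures from the same address do not inflate the count."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    flagged = set()
    for ts, eid, ltype, ip in sorted(parse_events(text), key=lambda e: e[0]):
        if eid != 4625 or ltype != 10:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce_sources(SAMPLE_LOG))  # ['203.0.113.7']
```

The successful 4624 logon from the same address right after the burst is the pattern worth alerting on: a brute force that ended in a valid credential.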
4. MSPs and RMMs
Cybercriminals frequently target managed service providers (MSPs) with phishing attacks and by exploiting the remote monitoring and management (RMM) software commonly used by MSPs.
A successful attack on an MSP can potentially enable cybercriminals to deploy ransomware to the MSP’s entire customer base and put immense pressure on the victim to pay the ransom. In August 2019, 22 towns in Texas were hit with ransomware that spread via MSP tools. Attackers demanded $2.5 million to unlock the encrypted files.
Prevention tips
- Enable 2FA on RMM software.
- MSPs should be hyper-vigilant regarding phishing scams.
...