Imagine this: a newscast comes on and the term ransomware is thrown out. The reporter describes how a company was attacked by a notorious hacking group and held to ransom for millions of dollars. If the amount isn’t paid on time, the group will release financial data that would end the company.
Believe it or not, that is a very real scenario; our DFIR team has helped companies navigate the tumultuous waters of ransomware many times over the years.
What is Ransomware?
Ransomware is a type of malicious software that uses encryption to hold information hostage and deny access to a user or organization.
Cybercriminals, or threat actors, use ransomware as a business tool to extort monetary payments or other forms of ransom from victims. If the victim fails to pay the ransom, the threat actors threaten to release sensitive data to the public or destroy the decryption key. These actors may also threaten to reinfect the victim network or target the victim’s customers.
What are Attack Vectors?
Threat actors infiltrate an organization’s networks via attack vectors. An attack vector is a method of gaining unauthorized access to a network or computer system. Threat actors have numerous approaches available for attacking victims.
Some of the most common include:
- Phishing
- Malicious Software
- Exploiting Software/Hardware Vulnerabilities
- Brute Forcing Weak Passwords
- Exploiting Lack of Multifactor Authentication
- Supply Chain or Third-Party Attacks
- Insider Threats
Phishing: Phishing is the act of attempting to exploit victims through social engineering. It normally involves the threat actor sending maliciously crafted emails containing malicious software, malicious links, or fraudulent information. Phishing is the number one attack vector used by threat actors to gain a foothold in a network.
Malicious Software: Malicious software, also known as malware, is designed to intentionally exploit a computer system. Malware can gather and transmit sensitive information, allow unauthorized access, or disrupt security and privacy settings. Malware includes viruses, Trojans, worms, and spyware.
Exploiting Software/Hardware Vulnerabilities: Software and hardware vulnerabilities are defects that threat actors can exploit to take control of systems. Vulnerabilities are normally the result of a flawed design, procedure, or implementation.
Brute Forcing Weak Passwords: A brute force attack is when the threat actor repeatedly submits passwords or phrases in an attempt to authenticate. This type of attack is normally successful when organizations do not employ multifactor authentication or strong password policies.
Exploiting Lack of Multifactor Authentication: Multifactor authentication (MFA) is an electronic authentication method in which a user must present two or more items to access a system or application. These items can be something you know, something you have, or something you are (knowledge, possession, inherence). Threat actors have resources that allow them to bypass certain aspects of MFA. This can include disabling or weakening an organization’s ability to implement MFA, exploiting accounts or applications that are not required to use MFA, compromising or stealing golden tickets, and hijacking previously authenticated user sessions.
Supply Chain or Third-Party Attacks: Supply chain attacks occur when the threat actor compromises physical hardware or software before it is shipped or deployed to the end user. These attacks can also impact third-party vendors who deploy software into their customers’ environments.
Insider Threats: Insider threats can include sabotage, theft, espionage, and fraud. Insider threats are often the result of carelessness or policy violations, which can allow threat actors to gain access to systems and resources if activity is not properly monitored.
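The brute force vector described above is one of the easier ones to spot in authentication logs, because it leaves a burst of failed logins from a single source, often spread across several usernames. The following detector is an added example (not code from the original post or from CyberMaxx) that scans constructed sshd-style log lines and flags any source that exceeds a failure threshold within a sliding time window, noting whether a successful login followed; the log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format; the IPs and users are not real.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03 sshd[1201]: Failed password for admin from 203.0.113.7 port 51235 ssh2
2024-03-01T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:06 sshd[1201]: Failed password for admin from 203.0.113.7 port 51237 ssh2
2024-03-01T10:00:09 sshd[1201]: Failed password for backup from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:12 sshd[1201]: Accepted password for backup from 203.0.113.7 port 51239 ssh2
2024-03-01T10:05:00 sshd[1301]: Failed password for alice from 198.51.100.2 port 40001 ssh2
2024-03-01T10:20:00 sshd[1302]: Failed password for alice from 198.51.100.2 port 40002 ssh2
"""

# Assumed line layout: ISO timestamp, process, result, user, source IP, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"failures", "users", "succeeded_after"}} for every source IP
    that produced at least `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames tried (password spraying shows here)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not password auth events
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users[ip].add(m["user"])
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"succeeded_after": False})
                alert["failures"] = len(q)
                alert["users"] = sorted(users[ip])
        elif ip in alerts:
            # A success from an already-flagged source suggests the guessing worked
            # and the account should be treated as compromised.
            alerts[ip]["succeeded_after"] = True
    return alerts
```

The slow, spaced-out failures from 198.51.100.2 stay below the threshold, while 203.0.113.7 is flagged after its fifth failure and marked because a login succeeded right after.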
What Can Be Done?
There are many ways individuals and companies can protect themselves from being held to ransom after a threat actor has infiltrated the network. The first goal should be to properly identify the cyber attack and isolate it from the rest of the enterprise’s network. Once it is identified and contained, you can determine the actions taken during the compromise and begin eradication and recovery of the compromised system(s).
These steps can be harder to accomplish than most imagine. Organizations need to have the proper cyber security tools in place that allow them to take these actions if and when necessary.
Whether it’s one of the many attack vectors listed above or another form of attack, providing training for employees, taking steps to protect your data and networks, or hiring an outside vendor like CyberMaxx can help block an infiltration and protect your valuable information before it’s held for ransom.