| 6 min read
The rise of ransomware attacks has been astonishing. The ransomware business has picked up, carrying out attacks aggressively and relentlessly over the past decade. And business is good; cybercriminals are making thousands, if not millions, of dollars from ransom payments every year. According to a recent ransomware survey, there were 4,399 ransomware attacks in 2023, representing an increase from 2022, where 2,581 attacks were reported. The survey predicts that companies are more likely to be the target of ransomware attacks in 2024 and beyond since the trend of ransomware attacks and ransom payments nearly doubled in 2023. Seeing as this threat shows no signs of stopping, the question shouldn’t be “if” but “when”: When your company falls prey to this kind of malicious attack, will you be ready?
The thing with ransomware is that once it has hit, the targeted system is never the same. Ransomware is nearly impossible to remove, and it tends to be detected only after the fact (some of the signs are a lagging system, changes in file names or locations, data loss, indistinct file encryption, or an explicit announcement by the attacker). That’s why we say it is better to be safe than sorry, or in this case, better to be prepared than sorry. Prevention is key. The greater your understanding of these attacks, the better you can make your defense. For starters, let’s review the ways ransomware is delivered.
How is ransomware delivered?
Good question. Ransomware, like other malware, is delivered through an entry point that is exploited to gain access to the target system, facilitating the next stages of the attack. Cybercriminals know that a sophisticated, well-structured method of delivering ransomware can lead to a successful and crippling attack, and that’s why they spend time refining techniques to distribute malicious software.
The most prevalent tactic is phishing. This type of social engineering is an attacker's bread-and-butter because they know that emails, SMS and other types of messages are accessed by the greater part of the world. Phishing messages are disguised as coming from legitimate sources, for example, banks, credit card companies, and even family or colleagues, and contain malicious attachments or links that, when clicked, force the download and installation of ransomware. Spear phishing, smishing, vishing, and whaling are among the forms of phishing that we all should be aware of.
Another tactic used by malicious actors is the Remote Desktop Protocol (RDP) attack. RDP, which is pre-installed in all current Windows operating systems, is used by many remote workers who need to connect to their organization’s servers in order to perform their duties. Cybercriminals see RDP as an easy entry point. Whether by exploiting security vulnerabilities (which RDP is prone to), password cracking, or credential-stuffing, attackers gain remote access to the target system and can deploy ransomware there with payment instructions. RDP ransomware attacks have increased since working remotely became necessary during COVID-19 restrictions and a popular choice for companies to hire around-the-world employees.
A tactic in which a person browses through a website and an unsolicited download occurs is called a drive-by download. Attackers use websites to install malicious software or redirect visitors to web pages they control, leaving the user open to cyberattacks like ransomware. This type of strategy is an ominous threat because it can be executed even without the victim’s consent or knowledge. Exploit kits can be used in this tactic to provide the attackers with information on unpatched or outdated apps, web browsers or plugins.
More examples of ransomware delivery techniques are malvertising (or malicious advertising, is a tactic that attempts to spread malware via online advertisements), software piracy (unlicensed and usually free programs, apps, movies, games, or other software that can contain malware), and removable media (USBs and external hard drives can be easily used to infect anything they are connected to).
Ransomware prevention best practices
Preventing ransomware attacks from occurring in the first place is the strongest defense against them. A well-built defensive strategy can help mitigate or completely prevent a ransomware attack. Many websites provide checklists or information on this matter, including CISA (the Cybersecurity & Infrastructure Security Agency) which came up with a guide for companies to be better prepared against these attacks. We’ve also compiled here what we consider the best practices to build a robust prevention strategy:
-
Maintain offline and encrypted backups: Regularly back up critical data and store these backups offline. A step further is to encrypt them, making them unreadable if ever breached. Test the restoration procedure of the backups frequently to ensure they are functional. This step ensures the organization has a clean copy to restore from in case of data encryption or elimination by attackers.
-
Create an incident response plan (IRP): An IRP includes policies and procedures to manage a ransomware attack. It should provide detailed instructions for internal and external communication, outline ways to contain or stop the attack from spreading to other networks, and describe responding protocols to different scenarios and steps to recover data and restore systems. A hard copy of the plan should be on hand for anyone with access to company devices and should remain offline so only intended personnel know about it. It should also be constantly updated and regularly tested.
-
Implement a zero trust model: Prevent unauthorized access and limit user privileges, granting only the required permissions. This reduces the potential damages if attackers gain access to a user account.
-
Carry out continuous vulnerability assessment: To reduce the attack surface, frequent vulnerability scanning should be performed with tools that are linked to lists like CVE or CWE in order to identify recent or known threats. This can be part of a vulnerability management solution, which should involve ethical hackers to perform penetration testing. Ethical hackers have a deep understanding of vulnerabilities and know how to exploit them. As part of their assessments, they should provide reports on exploitation scenarios and remediation suggestions. Fixing the identified vulnerabilities (especially those of higher severity) should be done ASAP, as they are constantly being sought out by threat actors. Vulnerability assessment and management are key in a prevention plan.
-
Patch and update software constantly: Apply the latest updates to servers, operating systems and any internet-facing application. These updates often contain security patches that fix vulnerabilities that could be exploited by cybercriminals.
-
Separate networks logically: Network segmentation helps contain a ransomware attack to a section or sections by controlling access or limiting lateral movement.
-
Disable macros in Microsoft Office: Consider disabling macros for Microsoft Office files received via email, as these can be used to deliver ransomware.
-
Implement password policies: Set rules that outline how employees should create, use, and manage the passwords they need to access company systems and data.
-
Enable multi-factor authentication (MFA): Require identification from users with more than just a username and a password. MFA uses multiple verification steps, which adds an extra layer of security that protects systems against unauthorized or unwelcome people. Implement MFA to access corporate resources like applications, email accounts, VPNs and databases. Authentication methods like entering codes received in phone calls or SMS texts, push notifications from authenticator apps, or biometrics such as fingerprints are convenient security options to use as an MFA.
-
Use intrusion detection systems (IDS): An IDS is a monitoring tool that checks on network traffic for signs of suspicious activity or irregular behavior that could indicate an attack. An IDS can detect command-and-control activity and unknown or potentially harmful activity that happens before ransomware deployment.
-
Provide security awareness training: Educate employees about the dangers and risks in the cyberworld. Provide training on things like malware attacks (including ransomware), phishing scams, suspicious attachments, brute-force attacks and other tactics. Teach employees how to recognize possible threats and to report them; also reinforce the importance of adhering to security policies and procedures.
Companies should invest in social engineering awareness because educating employees about the manipulation techniques used by attackers reduces the risk of falling victim to one of them. Malicious actors know that the weakest link in a company is its employees since they can be persuaded, pushed, tricked, or in any way manipulated into giving out information that can compromise the company’s security.
Cybercriminals use strategies like baiting the employee with something desirable, phishing emails that could exploit the employee’s curiosity, pretexting pop-up windows or ads that target the employee, and creating false identities to collect credentials, among many other techniques. Investing in cybersecurity assessments and training employees to recognize red flags is a great way to foster a culture of security that can significantly reduce a company’s odds of a ransomware attack.
The power of proactive defense
As we talked about in a previous blog post, ransomware attacks have been, are and will be a tremendous threat in the cyber world we live and work in. By adopting a proactive mindset and implementing security measures like those mentioned above, organizations can reinforce their systems against ransomware attacks. They also entail staying informed about emerging threats and investing in cybersecurity.
Fluid Attacks offers continuous application security testing as a comprehensive solution to guard against exploitable vulnerabilities. One of our solutions is vulnerability management, which uses automated scanning software and ethical hacking, helping you better handle issues that may arise when developing software. Our ethical hackers are certified professionals who continuously work to find cybersecurity risks in your systems and are skillful in discovering zero-day vulnerabilities as they emerge. This allows your organization to maintain a strong security posture. All the information we find will be available to you on our platform, where we provide you with each vulnerability's particulars like severity, location, status and remediation suggestions.
Vulnerability management is just one of the solutions we provide within our Continuous Hacking Advanced plan. Find more of our application security solutions here and build a layered security approach to protect your organization. We’re a click away.
Recommended blog posts
You might be interested in the following related posts.
Introduction to cybersecurity in the aviation sector
Why measure cybersecurity risk with our CVSSF metric?
Our new testing architecture for software development
Protecting your PoS systems from cyber threats
Top seven successful cyberattacks against this industry
Challenges, threats, and best practices for retailers
Be more secure by increasing trust in your software
Social engineering awareness