- Technical contribution
- Management, Awareness and Compliance
5 Common Ways Ransomware Can Infect Your Organization
Understanding how ransomware infects a device and spreads across a network is crucial to ensuring that your organization does not become the next victim of an attack. As recent trends have shown, the danger of losing access to your data, devices and services is compounded by threat actors that are now exfiltrating data and threatening to leak it on public sites if victims don’t pay up
As recent trends have shown, the danger of losing access to your data, devices and services is compounded by threat actors that are now exfiltrating data and threatening to leak it on public sites if victims don’t pay up. Ransomware operators have become wise to the threat to their business model from their own success: increased public attention of the ransomware threat has pushed (at least some) businesses to invest in backup and recovery. But those techniques become redundant when the perpetrators are holding your most sensitive customer and corporate data over your head.
Post infection, ransomware can spread to other machines or encrypt shared filers in the organization’s network. In some cases, it can spread across organizational boundaries to infect supply chains, customers and other organizations, and indeed, some malware campaigns have specifically targeted MSPs. The real answer to ransomware lies in prevention rather than cure. So just how does this devastating malware commonly infect devices?
1. Phishing & Social Engineering
Still the most common method for hackers to initially infect an endpoint with ransomware is through phishing emails. Increasingly targeted, personalised and specific information is used to craft emails to gain trust and trick potential victims into opening attachments or clicking on links to download malicious PDF and other document files. These can look indistinguishable to normal files, and attackers may take advantage of a default Windows configuration that hides the file’s true extension. For example, an attachment may appear to be called ‘filename.pdf’, but revealing the full extension shows it to be an executable, ‘filename.pdf.exe’.
2. Infection via Compromised Websites
Not all ransomware attacks have to be packaged in a maliciously-crafted email. Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps one they frequent often. The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, plugin, or media player.
3. Malvertising & Breaching The Browser
If a user has an unpatched vulnerability in his or her browser, a malvertising attack can occur. Using common advertisements on websites, cybercriminals can insert malicious code that will download the ransomware once an advertisement is displayed. While this is a less common ransomware vector, it still poses a danger since it doesn’t require the victim to take any overt action such as downloading a file and enabling macros.
4. Exploit Kits That Deliver Custom Malware
Angler, Neutrino, and Nuclear are exploit kits that have been widely used in ransomware attacks. These frameworks are a type of malicious toolkit with pre-written exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Microsoft Internet Explorer and Microsoft Silverlight are also common targets. Ransomware like Locky and CryptoWall have been delivered through exploit kits on booby-trapped sites and through malvertising campaigns.
5. Infected Files and Application DownloadsAny file or application that can be downloaded can also be used for ransomware. Cracked software on illegal file-sharing sites are ripe for compromise, and such software is as often as not laden with malware. Recent cases of MBRLocker, for example, took this route. There is also potential for hackers to exploit legitimate websites to deliver an infected executable. All it takes is for the victim to download the file or application and then the ransomware is injected.