365 days a year: solutions, knowledge and networking.
Find and offer innovative IT security solutions, take part in our diverse action program and make and maintain contacts.
Become part of the it-sa 365 community!
So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.
So that you can make an onsite appointment, the appointment request will open in a new tab.
As recent trends have shown, the danger of losing access to your data, devices and services is compounded by threat actors that are now exfiltrating data and threatening to leak it on public sites if victims don’t pay up. Ransomware operators have become wise to the threat to their business model from their own success: increased public attention of the ransomware threat has pushed (at least some) businesses to invest in backup and recovery. But those techniques become redundant when the perpetrators are holding your most sensitive customer and corporate data over your head.
Post infection, ransomware can spread to other machines or encrypt shared filers in the organization’s network. In some cases, it can spread across organizational boundaries to infect supply chains, customers and other organizations, and indeed, some malware campaigns have specifically targeted MSPs. The real answer to ransomware lies in prevention rather than cure. So just how does this devastating malware commonly infect devices?
Still the most common method for hackers to initially infect an endpoint with ransomware is through phishing emails. Increasingly targeted, personalised and specific information is used to craft emails to gain trust and trick potential victims into opening attachments or clicking on links to download malicious PDF and other document files. These can look indistinguishable to normal files, and attackers may take advantage of a default Windows configuration that hides the file’s true extension. For example, an attachment may appear to be called ‘filename.pdf’, but revealing the full extension shows it to be an executable, ‘filename.pdf.exe’.
Not all ransomware attacks have to be packaged in a maliciously-crafted email. Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps one they frequent often. The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, plugin, or media player.
If a user has an unpatched vulnerability in his or her browser, a malvertising attack can occur. Using common advertisements on websites, cybercriminals can insert malicious code that will download the ransomware once an advertisement is displayed. While this is a less common ransomware vector, it still poses a danger since it doesn’t require the victim to take any overt action such as downloading a file and enabling macros.
Angler, Neutrino, and Nuclear are exploit kits that have been widely used in ransomware attacks. These frameworks are a type of malicious toolkit with pre-written exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Microsoft Internet Explorer and Microsoft Silverlight are also common targets. Ransomware like Locky and CryptoWall have been delivered through exploit kits on booby-trapped sites and through malvertising campaigns.
