Top Ransomware Attack Vectors: RDP, Drive-By, PhishingConfigure Defenses to Block Attackers, Security Experts Advise
Ransomware-wielding gangs are continuing to target corporate networks, and experts say they're typically breaking into victims' networks using one of three techniques: Remote desktop protocol access or some other type of remote access; phishing emails; or malware that's sometimes used in drive-by attacks against browsers.
However attackers gain access to a network, it's typically a prelude to infecting every system they can find with crypto-locking malware. That's why experts say it's essential for organizations to lock down RDP and ensure they have defenses against these attack vectors in place and tested.
Before trying to crypto-lock every system, however, more ransomware gangs are now gaining access to give them the ability to first conduct extensive reconnaissance to find and steal sensitive information as well as access a firm's business partners or customers (see: Ransomware Gangs' Ruthlessness Leads to Bigger Profits).
Stolen data - and access to other organizations - can potentially get resold on cybercrime forums.
Attackers tied to about a dozen strains of ransomware now also are using dedicated leak sites to name and shame victims and then leak stolen data if victims don't quickly accede to attackers' ransom shakedowns. In recent months, some gangs have also been raising their ransom demands, especially for large businesses.
What can organizations do to better defend themselves? Security experts have long recommended that organizations always maintain up-to-date backups, stored offline, so they can wipe and restore systems if other defenses fail.
But with ransomware attackers turning up the heat, experts also recommend that organizations ensure they're watching for and blocking ransomware gangs' favorite tactics, techniques and procedures.
Attackers' Top 3 Tactics
Rankings by security firms of which attack techniques are most commonly used by ransomware gangs vary because each analysis is based on the incidents they're tracking or have investigated, and potentially also due to geographic variations.
Ransomware incident response firm Coveware says that based on more than 1,000 corporate incidents it investigated from January to March, RDP was far and away the most common initial attack vector, accounting for more than half of all successful attacks, followed by phishing and targeting known software vulnerabilities.
RDP is a legitimate tool that allows IT administrators to gain remote access to systems. Any criminals able to access RDP endpoints, however, can use connected systems to gain a foothold in a corporate network and try to escalate their privileges and access many more systems. Earlier this month, security firm McAfee reported that it's been tracking "an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets."
Organizations can take a number of steps to lock down RDP endpoints, including by protecting them with strong passwords and multifactor authentication and restricting access to only corporate VPN users. Among other controls, RDP can be configured for network-level authentication, which requires a user to authenticate before they're allowed to establish an RDP session.
But McAfee warns that of the approximately 4.5 million internet-exposed RDP endpoints it counted in March, many of them lacked such protections (see: Why Are We So Stupid About RDP Passwords?).
Remote-access options available to crime gangs have continued to evolve.
In a new report on recent cybercrime marketplace trends, security firm Trend Micro notes that stolen or brute-forced RDP credentials continue to get sold, but that there are also an increasing number of "access as a service" offerings, which involve one attacker breaching a victim, potentially doing reconnaissance or installing hidden backdoors in the environment, and then selling this access on to others.
Reviewing cybercrime forums, Trend Micro says in its report: "We found multiple levels of access sold: executive-level credentials, remote desktop access, administrative panels, cloud storage, email accounts and even full company network access."
"Many of these offerings are found on the Russian forum Exploit[.]in," it adds. "One actor was selling access to an American insurance company for $1,999, and a European software company for $2,999. Prices for Fortune 500 companies can reach up to $10,000. Some offerings include access with read and write privileges."
Gangs Keep Phishing
Singapore-based cybersecurity firm Group-IB says that last year, based on more than 200 ransomware incidents that it examined, it saw phishing emails being the most common initial infection vector.
In 2019, "this technique's main admirers were Shade and Ryuk," the firm says, referring to two ransomware gangs. But Shade, aka Troldesh, may no longer be a threat, because the alleged operators last month released more than 750,000 decryption keys, saying in a GitHub post that they were closed down their operation (see: Shade Ransomware Operation Apparently Shuts Down).
Group-IB also notes that in 2019, Clop ransomware campaigns began using phishing emails with a malicious attachment "that would download FlawedAmmy or SDBBot" - both examples of remote-access Trojans - among other types of malicious code.
Drive-By Malware Attacks
Drive-by attacks also continue. These involve criminals taking control of legitimate websites to redirect users to sites that host malicious code designed to exploit known vulnerabilities in browsers. "Exploit kits most frequently used in these drive-by attacks were RIG, Fallout, and Spelevo," Group-IB says. "Some threat actors, such as Shade and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze and Dharma operators gathered information about the intruded network, moving laterally and compromising entire network infrastructures."
Beyond exploit kits, some gangs continue to use a variety of malware to first gain access to a victim's system. "In 2019, a wide variety of Trojans were used in ransomware campaigns, including Dridex, Emotet, SDBBot and TrickBot," Group-IB says (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
Some attackers pursue smash-and-grab tactics - gain access to a network, infect a bunch of endpoints and move on - says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.
But other gangs, he says, take a more advanced approach. In such cases, gaining access to a victim's network is just the beginning of a longer attack chain, as a gang next brings post-exploitation toolkits and network-penetration tactics to bear.
Many times, attackers use legitimate administrator tools, such as PowerShell. In other cases, they may use open source penetration testing toolkits such as Metasploit, as well as utilities designed to harvest passwords. Experts say attackers' end goal often is to gain full administrator rights to Active Directory, which may enable them to install malware onto any PC or server (see: Why Hackers Abuse Active Directory).
"For instance, Ryuk, REvil, Maze and DoppelPaymer actively used such tools, namely Cobalt Strike, CrackMapExec, PowerShell Empire, PoshC2, Metasploit and Koadic, which helped them collect as much information as possible about the compromised network," Group-IB notes. "Some operators used additional malware during their post-exploitation activities, which gave them more opportunities to obtain authentication data and even full control over Windows domains."
Such tactics continue. Microsoft, in a recent report, noted that in the first two weeks of April, it saw advanced tactics being used by attackers wielding these strains of ransomware against dozens of targets: LockBit, Maze, MedusaLocker, NetWalker, Paradise, PonyFinal, RagnarLocker, RobbinHood, Sodinokibi and Vatet loader (see: 10 Ransomware Strains Being Used in Advanced Attacks).
Microsoft warns that as with all breaches, ransomware gangs may camp out in a victim's network for weeks or months, conducting reconnaissance and stealing data, before they end the attack by crypto-locking as many systems as possible and demanding a ransom
That's why experts recommend monitoring for all intrusions and following them up as rapidly as possible to help avert potential ransomware outbreaks.