Ransomware attacks refer to the methods that a cybercriminal might use to infiltrate an environment and threaten an organization or individual in exchange for a ransom payment. According to 2022 Unit 42’s Incident Response Report, there are five specific ways attackers enter a system.
In the 2022 Incident Response Report, Unit 42® reported that the team had witnessed threat actors moving quickly, dwelling in an environment for a median of only 28 days before they began extorting a victim. Understanding what ransomware attacks are and how to prepare for them is the first step to protecting an organization.
Ransomware starts with cybercriminals entering a system and encrypting all data, then offering a decryption key if the victim agrees to pay a ransom through cryptocurrency. In addition to entering a system and depositing encryption malware, some ransomware operators will use multiextortion techniques to encourage payment, like copying and exfiltrating the unencrypted data, shaming the victim on social media, threatening additional attacks like DDoS, or leaking the stolen information to clients or on the dark web.
Unit 42 has investigated thousands of ransomware attacks launched against various organizations and helped with quick containment and recovery to save them millions of dollars. Detailed in the 2022 Incident Response Report, Unit 42 identified five main attack vectors that threat actors use to deploy ransomware.
To better prevent ransomware, it is crucial to understand the malicious tactics attackers use to compromise organizations in the first place. Reviewing recent trends in ransomware threats enables the security operations center (SOC) to focus resources on potential breach points, reduce the risk of infection and prepare the organization as a whole.
The five main ransomware attack vectors are:
Figure 1: How attackers entered an environment to launch a ransomware attack as observed in Unit 42’s 2022 Incident Response Report
Understanding how these five attack vectors operate and how best to protect them is a crucial first step to ransomware readiness.
Vulnerabilities come in many forms and can be exploited with code designed to take advantage of the gaps or flaws in a program. In the 2022 Unit 42 Incident Response Report, Unit 42 discovered that 48% of ransomware cases began with software vulnerabilities. When an application is exposed to the internet, threat actors may scan for and exploit known vulnerabilities to gain unauthorized access to an environment.
Another vulnerability technique popular among cybercriminals is using exploit kits, which involves inserting code into compromised websites. These websites look normal but contain malicious programs that scan through a connected device for vulnerabilities. If the exploit kit identifies a vulnerability, it will often download a malware payload designed to provide a threat actor with remote access to the system. Once remote access is established, threat actors will then deploy ransomware into the environment.
The best method of software protection is to ensure that all devices on a network are updated frequently. Software companies will regularly release updates that patch any discovered common vulnerabilities and exposures (CVEs), so it’s crucial to update these vulnerabilities before cybercriminals can access them. SOCs can take protection a step further with extended detection and response (EDR) products like Cortex XDR to detect and block attacks. To identify internet-facing vulnerabilities that need to be remediated and automatically remediate dangerous exposures such as remote desktop protocol (RDP), SOCs can adopt active attack surface management (ASM) tools like Cortex Xpanse.
Learn more about combining endpoint and network security.
Brute-force attacks use trial and error to access a system or application. Cybercriminals create and run scripts that automatically input usernames and passwords until a correct login is discovered. This is one of the oldest cybersecurity attacks, and it has maintained its status as a successful tactic over the years.
Brute-force attacks are one of the many reasons that multifactor authentication (MFA) is so important to implement. Systems with MFA require an additional form of verification, like a code from an application or biometrics, before a user is allowed access to the system.
Learn more about preventing credential abuse.
In the event of a successful brute-force attack, platforms like Cortex XSIAM will notify the SOC of abnormal user behaviors and prompt an investigation. Cortex XSIAM integrates seamlessly with MFA platforms to convey suspicious login information the moment it happens, expediting those alerts to the top of the funnel to inform analysts and stop brute-force attacks in their tracks.
Social engineering methods like phishing emails are sent from sources pretending to be trustworthy to encourage victims to click on links and download malware directly. There is often an underlying sense of urgency or danger with these messages to motivate people to action before they can think it through. These attacks can be very successful and, in the instance of ransomware, extremely dangerous and expensive.
Implementing regular cybersecurity training for employees is the best way to protect against social engineering attacks. When employees identify and report phishing attempts, the SOC can investigate the attack and learn from what happened. If a phishing attack is successful, security orchestration, automation and response (SOAR) platforms like Cortex XSOAR can streamline discovery and remediation, automatically shutting down compromised users until the SOC has investigated and removed the attacker from the system.
When user credentials are compromised, it is crucial to replace them as quickly as possible. Unfortunately, credential information can be leaked on the dark web without users knowing they’ve been compromised, allowing attackers of all kinds unfettered access to a system. And to make matters worse, many users will use the same password for multiple services, so if one password is compromised, reused passwords can be used against other systems or applications to gain unauthorized access.
In addition to multifactor authentication, encouraging employees to practice good password hygiene is a proven way to prevent attacks from compromised credentials. Using a password manager, changing passwords regularly, making sure they’re complex and not reusing the same password will protect individuals and the organization. Cortex XDR can leverage behavioral analytics to detect and prevent abnormal user behavior even when previously compromised credentials are used to gain unauthorized access into environments.
In the chaos of the current threat landscape, it’s important for security professionals to keep an eye on internal threats. Whether an employee feels wronged by their employer or was approached by a threat actor, one of the easiest ways for ransomware to enter an environment is from someone who already has legitimate access.
In case of an abuse of trust incident, products like Cortex XSOAR or platforms like Cortex XSIAM can automate incident response handling to inform security teams and isolate the user in question. Additional protection can be implemented with offboarding best practices to reduce the number of opportunities that a disgruntled employee might have to retaliate.
All five methods are damaging ways that an attacker can invade your system. To summarize, we recommend SOCs implement the following if they haven’t already:
While these methods and platforms are extremely helpful, they will only take you so far. For ransomware specifically, there’s an additional method of preparation that is the most beneficial.
Defending against ransomware starts with a plan. Unit 42 offers a Ransomware Readiness Assessment to prepare you to better prevent, detect, respond to and recover from ransomware attacks. Achieve a state of ransomware readiness by validating your response strategy, detecting hidden risks and more.
Figure 2: Graphic outlining the Unit 42 Ransomware Readiness Assessment
Our team is here to help you prepare for and respond to the most challenging and malicious cybersecurity threats. If you are experiencing an active breach or think you may have been impacted by a cyber incident, contact Unit 42.
Q: What are ransomware attacks?
A: A cybercriminal might use methods to infiltrate an environment and threaten an organization or individual in exchange for a ransom payment.
Q: Which attack vectors are being targeted by ransomware attackers?
A: Ransomware attackers are utilizing exploitable vulnerabilities, brute-force credential attacks, social engineering, previously compromised credentials and abuse of trust opportunities, according to the Unit 42 2022 Incident Response Report.
Q: How can I reduce ransomware risk in my SOC?
A: Implementing platforms for EDR, SOAR and active ASM can reduce ransomware risk and beyond.
Q: How do I know if I’m the victim of a ransomware attack?
A: You may know you’re the victim of a ransomware attack if you find that your computer or files have been locked and you cannot access them unless a ransom is paid.
Q: Is it safe to pay the ransom?
A: Paying the ransom is not recommended, as there’s no guarantee that the attackers will release your files or that you will not be targeted again. It is best to seek professional help and advice.