Ransomware Spread: The 8 Most Common Infection Ways, and How to Safeguard Against Them
While organizations around the world are forced to shell out vast amounts of money to protect their data from ransomware attacks, trying to rightsize their IT security budgets and headcount, cybercriminals continue to terrorize organizations in ever more sophisticated ways. Looking to increase their profits, over the recent years attackers have changed their tactics in favor of methods that are more sophisticated and simple in realization, such as cyber extortion.
Rather than fishing out financial information from their prey in order to steal its money, these days cybercriminals prefer to encrypt victim’s data and keep it hostage under the threat of corruption or public disclosure. Unfortunately, those methods have proven to be effective: according to recent studies, 57% of organizations affected by blackmail or ransomware reported paying the ransom to redeem their data — when in 2018 this number reached only 38%.
Along with this, cybercriminals seem to be encroaching on larger goals, too: whereas before those were mainly medium enterprises and individuals that cybercriminals kept on target, today healthcare organizations and law enforcement agencies as well cannot defend themselves from attacks.
However, even though ransomware tools might be getting more sophisticated, they still abide by the same rules as regular old malware. In this article, we’ll review 8 most common ways of infection — and how to protect your data against them.
1. Email attachments
One of the most effective ways of ransomware distribution is through emails containing malicious attachments. The file can be delivered in a variety of extensions, including Word documents, Excel spreadsheets, ZIP or PDF files, and more. Once the infected attachment is opened, the ransomware can be run immediately, infecting the victim’s system and encrypting files.
Moreover, the more credible the email looks, the more likely the recipient will open the attachment. For that, in order to make up very believable emails, cybercriminals often conduct extensive research on their target (normally that would be a high-ranking individual in a company, or a specific organization) before an attack.
- Make sure the sender’s data (email address, domain and display names, etc) is correct.
- Open attachments from trusted senders only.
- Avoid opening attachments that require you to enable macros; consult with your IT department in case you are unsure about the attachment being legitimate.
2. Malicious Links
Social networks and media platforms can also serve as a means of distributing ransomware. For that, malefactors would insert malicious links into messages, or simply leave them somewhere in the comment section; formulated in a way that evokes a sense of urgency or intrigue, those messages can easily encourage incautious users to follow malicious URLs — and then, once downloaded onto victim’s computer, the ransomware will hold their data encrypted until a ransom is paid.
- Be vigilant about any links embedded into emails or direct messages.
- Before following a link, bother to double-check URLs by hovering over it.
- Manually enter URLs into your browser in order to avoid clicking on phishing links.
3. Drive-by Downloads
Basically, a drive-by download refers to situations where malicious code gets downloaded to your system without your knowledge. To do so, ransomware distributors either inject it into legitimate websites by exploiting known security flaws, or, more rarely, host the malicious content on their own site. At a technical level, this means that when you visit an infected site, the malware it contains automatically analyzes your computer or other device for specific vulnerabilities, and executes the malicious code in the background, gaining access to your system.
The worst part about drive-by downloads is that this method, unlike many others, doesn’t require any input on behalf of the user. You don’t have to install or click on anything, and you don’t have to open malicious attachments — all it takes for your system to become infected is to visit an infected website.
- Keep all your software up-to-date; check regularly for the latest security updates.
- Install a credible ad-blocker (like uBlock Origin).
- Remove browser plugins if they are no longer in use.
Malicious advertising is also gaining in popularity as a means of infecting systems. This one takes advantage of the same tools used to show legitimate ads on the Internet. Typically, cybercriminals purchase ad space and link it to an exploit kit, and then make it attractive for a web page visitors to follow with an attractive offer, provocative image, urgent message, or anything similar.
Then, should a curious visitor click on the ad, the exploit kit immediately scans their system for information related to the operating system, installed software, browser specifications and more; finally, as soon as the exploit kit detects a security flaw in the user’s machine, it attempts to install ransomware on it. There are plenty of ransomware distributed through malicious advertising, including such well-known ones as CryptoWall and Sodinokibi.
- Always keep your operating system, software and browsers up-to-date.
- Again, disable unnecessary plugins.
- Enable click-to-play plugins that prevent Flash and Java plugins from running automatically — as those can be easily exploited by malicious advertising.
5. Remote Desktop Protocol
Another popular attack vector is RDP, a communication protocol which allows users to link to another computer over a network connection. By default, Remote Desktop Protocol receives connection requests through port 3389, which cybercriminals take advantage of using the port-scanners to scour the web for systems with exposed ports. Then, by exploiting security vulnerabilities found in targeted machines or using brute force attacks to crack user’s login credentials, cybercriminals may gain access to the computer, from where their freedom of action gets nearly unlimited. Examples of malware transmitted through RDP include well-known instances such as SamSam, Dharma, along many others.
6. Network propagation
Whereas older ransomware were only able to encrypt the local computer they infected, more advanced strains have been improved with self-propagating mechanisms that now allow them to move to other devices connected to the network, which makes it possible to cripple entire organizations. Some of the most disruptive ransomware attacks in history featured these self-propagation mechanisms, including Petya or WannaCry. If heard of those, then it should be easy for you to imagine the extent of potential harm.
- Segregate your network; adhere to the Principle of Least Privilege.
- Develop and maintain a dependable ransomware backup strategy.
7. Pirated Software
Pirated software is associated with many threats, and ransomware is the largest of them: for plenty of cracked programs come bundled with adware or hidden malware, you can never tell for sure what has been actually downloaded onto your machine once that button is hit.
While a cracked program offered for free may save you a handful of money, unlicensed software never gets security patches and official updates from the developer; needless to say, using pirated software thus dramatically increases the risk of ransomware infection. In addition, websites that host pirated software are more likely to be susceptible to drive-by downloads or malvertising, so keep that in mind.
- Avoid using pirated software,
- Avoid visiting websites that are hosting it (including cracks or key generators).
- Be careful about offers that seem too good to be true.
8. Portable Drives And USB Media
While they offer plenty of undeniable benefits, such as decent storage volumes, high-speed performance and absolute convenience of use rolled into one, portable data storage devices may also serve as delivery vehicles for all kinds of viruses and ransomware.
Once an infected device is connected to a computer, ransomware can spread across the system, resulting in the local machine being encrypted, with the entire network jeopardized. Typically, this is inadvertent: an employee unwittingly plugs in an infected USB stick, and a moment later the endpoint is encrypted; but intent doesn’t really matter when it comes to a few thousands demanded for the data to be redeemed, or a few weeks of downtime required to rebuild all the lost company’s information, does it?
- Never plug in unknown devices to your machine.
- Avoid connecting your devices to shared public systems, such as computers at Internet cafes.
- Use reputable antivirus software that’s able to scan and safeguard removable drives.
- Additionally, businesses must implement and maintain robust BYOD policies.
As you can see, regardless of the myriad of ways for ransomware to spread through, there are plenty of precautionary measures you take to reduce the risk of infection, and mitigate the effects of the attack. So go for it!