In 2023, knowing how ransomware gets in is crucial to keep your business competitive.
Ransomware has become a significant threat to companies, individuals, and institutions. It's malware that encrypts a victim's files, making them inaccessible. It asks for payment in exchange for the decryption key.
A report by Veeam shows that 85% of interviewed companies were attacked by ransomware in 2022. And according to a report by IBM, the average cost of a ransomware attack is $4.62 million — not considering the actual ransom payment.
After reading this article, you'll learn the following:
- How ransomware works and spreads on a network
- Who's the target of cybercriminals
- 6 different types of ransomware you should know
- What Ransomware as a Service (RaaS) is, and why it's becoming so popular
- The 7 stages of cyber attack
- How ransomware gets on your computer
- 7 main ransomware attack vectors
- A 9-step ransomware mitigation checklist
How does ransomware work and spread on a network?
In a nutshell, ransomware is designed to lock down a victim's system, making their files inaccessible and putting pressure on the victim to pay the ransom and get back access to data. Ransomware usually gets in through different attack vectors like phishing emails, malicious links, or vulnerabilities in software and can quickly spread on a network.
Related reading: What is ransomware? 4 main types and a practical guide to restoring files encrypted by ransomware in 2023
Once a system is infected, the ransomware encrypts files and directories, making them inaccessible to the user. In some cases, the ransomware can also move laterally and spread to other systems on the network.
There are many types of ransomware, and each operates differently — yet, the basic ransom principle remains the same. But how does ransomware get in? In the following sections, we'll explore and analyze the 7 stages of this cyber attack.
Who is the target of ransomware?
Ransomware attacks are mainly targeted at organizations with valuable data and a high willingness to pay for recovery. The primary targets for ransomware attacks include healthcare providers, financial institutions, public administration, and companies (e.g., manufacturing, ICT) that handle sensitive, personal, and financial data.
In addition to these organizations, network-attached storage (NAS) devices such as those made by QNAP and Synology have also been targeted by these attacks — as in the case of eCh0raix ransomware. Small and medium-sized businesses often use these devices to store important data and files.
Related reading: How to decrypt files encrypted by ransomware (free, 6-step process)
The cost of a ransomware attack on these organizations can be devastating, with inaccessible critical data and operations, the cost of downtime, and the threat of private information being published.
6 different types of ransomware you should know about
There are several types of ransomware, each with unique tactics and methods for infecting and encrypting a victim's files. Knowing the different types of ransomware and how they work is essential to better understand the threat.
Here are the 6 most popular types:
1. Encrypting ransomware: This is the most common type. It operates by encrypting all of the files on the victim's computer or network. Examples of encrypting ransomware include CryptoLocker, WannaCry, Petya, and Bad Rabbit.
2. Locker ransomware: A type of ransomware that not only encrypts data but it directly locks access to the entire system. An example of locker ransomware is the Reveton ransomware.
3. DDoS ransomware: This ransomware launches a DDoS (distributed denial-of-service) attack against the victim's website or network. This ransomware devastates the victim since websites or networks are usually essential for a business. An example of DDoS ransomware is the Armada Collective.
4. Scareware ransomware: Scareware displays fake alerts and warnings to the victim, falsely claiming that their computer is infected with a virus or that their personal information has been compromised.
5. MBR ransomware: This attack is known for infecting the master boot record (MBR) of a victim's computer, making it impossible to start the operating system (and access files and backups). An example of MBR ransomware is the Petya ransomware.
6. Double-extorsion ransomware: This ransomware targets enterprise-level organizations, specifically those with high-value data. For example, Ryuk ransomware is known for its highly targeted and sophisticated attacks — stealing (and sometimes publishing) the sensitive data of its victims.
Related reading: 7 different types of ransomware (& 23 examples of attack damage)
There are many types of ransomware, and the popularity of this threat fueled the creation of a paradoxical business model: Ransomware as a Service (RaaS).
What is Ransomware as a Service (RaaS)? (And why this paradox is becoming so popular)
Ransomware as a Service (RaaS) has become a growing industry in the last few years, generating millions of revenues.
In a nutshell, Ransomware-as-a-Service (RaaS) operates as a subscription-based business model where cybercriminals offer a complete package of tools, services, and support to launch a successful ransomware attack. This includes malware, a payment platform, and support.
Ransomware as a Service (RaaS) enables a paradoxical model where groups in the ransomware space often refer to their activity as "business." Consequently, the victims of their attacks are their "customers," towards whom these groups have "a reputation to defend."
The RaaS service is aimed at individuals or groups who lack the technical skills or resources to create their ransomware but want to carry out a ransomware attack for financial gain. RaaS operates similarly to other software-as-a-service (SaaS) offerings getting a percentage in exchange for their services.
But how does ransomware get in? We'll now see the 7 stages of cyber attack.
What happens during a ransomware infection? 7 stages of cyber attack
Knowing your enemy is crucial in protecting from ransomware attacks. Here is a thorough explanation of the 7 stages of a ransomware attack and the capabilities used by ransomware to enter an organization:
1. Initial access: The attacker will typically gain initial access to the target's network through various ransomware attack vectors, such as phishing emails (e.g., by sending an infected excel file), exposed services with high-risk vulnerability, insiders, or compromised credentials.
2. Scaling privileges: Once the hacker has entered the network, it will move sideways to gain privileged access.
3. Malware delivery: Once the attacker has gained privileged access to the network, they will deliver the ransomware payload.
4. Propagation: The ransomware will spread on the network within seconds, infecting all connected systems and devices. This can be done by leveraging cross-compatibilities, using network scanning tools, or leveraging the ability to move laterally within the network.
Related reading: How object storage helps you protect data against ransomware
5. Ransomware encryption of files: Once all systems have been infected, the ransomware encrypts and makes data inaccessible. The encryption is done correctly using locally generated symmetric keys, which are then encrypted using asymmetric encryption. Keys can be single or multiple, relying on solid cryptography schemes like RSA.
6. Ransom demand: The attacker will then ask for a payment, typically in the form of cryptocurrency, in exchange for the decryption key. They may also threaten to publish the victim's sensitive data if the ransom is not paid, further increasing the pressure on the victim to comply.
7. Clean-up and recovery: Experts suggest not paying the ransom so that the criminal will not be incentivized to make further attacks. Instead, you should clean up everything, eliminate the ransom and start the recovery process. You can check the step-by-step process here.
We've considered the 7 stages of cyber attack. But to prevent this enemy, knowing how ransomware gets in is crucial. We'll now analyze the 7 main ransomware attack vectors every IT manager should know.
7 leading ransomware attack vectors companies should know
We've learned how ransomware works, its main types, and the stages of a cyber attack. But how does ransomware get on your computer?
Here are the 7 main ransomware attack vectors for initial access:
1. Exploitation of exposed services with high-risk vulnerabilities: attackers often target vulnerabilities in systems and software that are not up-to-date or properly patched, making it easier to gain initial access. For example, on February 3rd, 2023, a high-risk vulnerability in VMware servers caused over 1000 servers and websites to go offline worldwide. Examples of these vulnerabilities include "zero-day" exploits, essentially unknown vulnerabilities that are exploited before the vendor can release a patch.
2. Phishing attacks: these are social engineering attacks that aim to trick users into clicking on malicious links or opening attachments that contain malware. Phishing can take many forms, including email attachments, SMS messages with malicious links, phone calls, infected websites, and more. Attackers often disguise themselves as trustworthy individuals, such as colleagues, banks, or government agencies.
3. Compromised credentials: this happens when an attacker gains access to a user's login credentials, either through guessing, cracking, or obtaining them through a data breach. This is why it's essential to adopt strong password policies, update login credentials regularly, and monitor for any suspicious activity.
Related content: [Webinar] Ransomware: is your company safe for 2023?
4. Insider threats: in some cases, attackers will target and bribe employees or insiders to gain access to a company's systems. This can be devastating as insiders often have privileged access to sensitive information and systems. LAPSUS Ransom Gang bribed money to employees at famous companies to get in.
5. Drive-by downloads: these are malicious downloads that occur when a user visits a suspicious website or clicks on a malicious advertisement. The attacker can then install malware on the user's computer without their knowledge.
6. Malvertising/Adware: attackers can create fake pop-ups or advertising software updates that contain malware, tricking users into downloading and installing it on their systems.
7. Remote desktop protocol (RDP) exploitation: RDP is a protocol that allows remote access to a computer, and attackers can exploit this protocol to gain unauthorized access to systems.
As you may have noticed, how ransomware can get into your computer are innumerable. But how does ransomware spread on a network once it has entered? In the next section, we will see 5 key capabilities that allow this threat to join your company door.
How does ransomware spread on a network? 5 key capabilities you can’t ignore anymore
Once ransomware leverages the attack vectors we've listed above, it can use various techniques to spread on your network. Here are key 5 capabilities that enable this job:
1. Cross-compatibility: Some ransomware strains are designed to be compatible with multiple operating systems, such as Windows, Linux, and MacOS, allowing them to infect a wide range of devices and systems.
2. Network-level spread: Ransomware can spread quickly and efficiently through a network by leveraging network-level capabilities, such as exploiting network shares, protocols (e.g., SMD and NetBIOS), tools (e.g., PsExec, WMI), and other connected devices (e.g., printers).
3. Lateral movement: Once the attacker has gained access to a system, they can use various techniques, such as exploiting trust relationships and using privileged access, to move laterally within the network and infect other systems.
4. Elimination of backups and restore points: Many ransomware strains can delete the local versioning system (such as "Shadow Copies" in Windows) and even interact with local backups, making it difficult for victims to restore their data without paying the ransom.
5. Direct attacks on disk images: Some strains of ransomware, such as Hive, are capable of communicating with systems like VMware ESXi and directly attacking disk images, causing widespread damage to a network.
But it's not only about knowing how ransomware gets in and how it spreads on a network. In the next section, we'll share our 9-step ransomware mitigation checklist.
The best defense against ransomware is prevention: 9-step ransomware mitigation checklist
We've dissected and analyzed the 7 stages of cyber attacks and seen how ransomware can get in. But how to minimize the risk of a successful attack and minimize the damage if one does occur? Follow this 9-step ransomware mitigation checklist:
1. Minimize the attack surface: Minimize the number of software programs and tools installed on each device, and only use trusted and regularly updated software. Implement robust password policies, and restrict access to sensitive data and systems to those who need it by applying the Principle of Least Privilege (PLOP).
2. Implement versioned, immutable Backups: Regularly back up all critical data, test them, and ensure that your backup solution has versioning and immutability features. This means a backup can't be altered or deleted once made, and multiple versions of the same data can be stored and retrieved. Consider using S3 compatible object storage solutions with S3 Object Locking and Object Versioning capabilities.
Related reading: 6 backup strategy solutions for ransomware data recovery in 2023
3. Layered security approach: Use multiple layers of security, such as firewalls, antivirus software, and intrusion detection systems, to detect and respond to ransomware attacks. This approach provides a more comprehensive defense against a wide range of threats.
4. Keep software up-to-date: Regularly update all software, including operating systems, web browsers, and applications, to ensure they are protected against the latest security threats and vulnerabilities.
Related reading: How to get rid of ransomware (Instead of paying for it)
5. Employee education: Train employees to recognize and avoid potential ransomware attacks, including phishing scams and suspicious emails. Provide regular security awareness training to keep employees vigilant against new and emerging threats.
6. Use encryption: Encrypt sensitive data end-to-end, at rest, and in transit to make it more difficult for attackers to access and exploit. Also, it will stop double-extorsion ransomware from publishing your critical data.
7. Adopt a 321 backup strategy: Follow the 321 backup rule, which involves creating three copies of your data, storing two copies on different media types, and keeping one copy off-site. This ensures that you have multiple layers of protection against data loss or corruption, including protection against ransomware attacks. For even more protection, consider following Veeam's 3-2-1-1-0 rule on a hybrid cloud model.
Related reading: What is a hybrid cloud model? Examples and benefits in 2023
8. Continuous monitoring: Monitor networks and systems for signs of intrusion or suspicious activity, and respond promptly to alerts or incidents. Use security information and event management (SIEM) systems to automate monitoring and quickly identify and respond to potential threats.
9. Leverage Veeam forever incremental backup: Many companies have geographically dispersed offices, and when it comes to storage solutions, they've to trade security and resilience with performance issues. This happens because if they don't have ample bandwidth availability, they'll risk saturating it all with backups and compromise the function of other connected tools and systems (e.g., anti-theft alarms). Veeam solves this problem with two actions: lowering file size thanks to deduplication and doing only patches/upgrades to your initial full backup — so that you don't have to download back 200 incremental backups. This incremental approach minimizes the amount of data that needs to be restored during a ransomware attack, allowing for a quick and efficient recovery.
For enterprises, protecting against ransomware attacks requires a combination of technical measures and employee training. Here are some additional tips for enterprise protection:
1. Centralize security management: Centralizing security management makes monitoring and responding to security threats easier and ensures that all devices and systems are protected against ransomware attacks.
2. Limit user privileges: Limit user privileges to only what is necessary. Use role-based access control (which you can implement via IAM) to restrict access to sensitive systems and data further.
3. Use endpoint protection: Use endpoint protection solutions like endpoint detection and response (EDR) software, to detect and prevent ransomware attacks at the endpoint level.
4. Use a dedicated backup network: A dedicated backup network reduces the risk of a ransomware attack and helps ensure that backups are not affected by network congestion.
By following these best practices and tips, companies and enterprises can effectively minimize their risk of a ransomware attack and ensure their data is protected.
Conclusion
Cyber-attacks and data breaches have become increasingly prevalent in recent years, with businesses and individuals facing the consequences of cyber criminals seeking to exploit digital systems vulnerabilities. This article has sought to provide a comprehensive overview of the different types of threats, the main attack vectors, how ransomware gets in, and the steps that can be taken to prevent this attack.
At Cubbit, we think it's crucial to know how to make the best out of the tools you use. Our insight on leveraging Veeam forever incremental backup is worth more than a look.
Cubbit offers a next-gen solution for ransomware data recovery with its geo-distributed, secure, S3 compatible, and immutable object storage.
Each stored data is encrypted, micro-fragmented, and geo-distributed in multiple copies in a peer-to-peer network under user control. Cubbit provides a simple and S3 compatible UX, making it easy to switch from AWS to Cubbit by changing one configuration parameter in the CLI.
Want to see Cubbt in action? You can take a look at our latest demo. Instead, if you'd like to start immediately, you can activate a free Cubbit object storage trial here.
P.S. For further questions or advice about cybersecurity and storage, we encourage you to get in touch with our team for a free 15-minute consultation. Our team of experts is here to help you stay protected against the constantly evolving threat of cyber attacks.
