3 Common Ways Ransomware Attacks Happen & How to Prevent Them

You might be coming to this page because your business is looking to protect itself from ransomware attacks. You know how dangerous these cyber threats can be, and you’re looking to prevent ransomware attacks from happening in the future. There truly is no “silver bullet” for defending against ransomware, and that creates uncertainty for those business leaders looking to protect their information. 

Ransomware is a dangerous cyber threat and doesn’t seem to be slowing down. In the first quarter of 2020, there was a 25% increase in the reported number of ransomware attacks from the previous quarter. As the cyber criminal community continues to evolve and develop, companies are neglecting to see how early action can significantly mitigate a cyber attack from ever occurring.

These attacks will continue to happen until organizations #GetCyberSerious about their data protection and address ransomware threats. As one of the first companies to help victims recover from ransomware since 2015, we’ve seen businesses of all sizes and industries become affected by ransomware attacks. Our cyber security analysts use this hands-on experience to develop preventative actions that help keep networks safe from ransomware. This article describes the most common ways ransomware enters your network and the solutions to keeping your files safe.

How Did The Ransomware Attack Happen?

After your home gets broken into, it might be obvious if the intruder came in through a broken window or smashed down the back door. Shattered glass and forced entry are observations that lead you to the conclusion of a home burglary. In the cyber world, these signals might not be as evident. How did my files get locked in a ransomware attack? 

Ransomware attacks can happen to a business when they fail to follow common cyber security frameworks such as:

  • Choosing strong passwords
  • Enforcing access management controls
  • Security awareness training for employees
  • Using EDR (Endpoint Detection and Response) or antivirus software
  • Updating operating systems and hardware

Cyber criminals use several methods to access your network (attack vectors) by exploiting vulnerabilities on your network. An effective way to prevent a ransomware attack is for your business to understand these attack vectors, and be proactive with stronger cyber security.

How Did Ransomware Encrypt My Files?

Once the ransomware is on your business network, it can spread like wildfire, encrypting your data as it goes. Ransomware is designed to spread over a network very quickly, and you might not have a lot of time to stop the encryption from happening on every computer.

The average ransomware attack only takes three seconds to begin encrypting your network and lock your business files. It is a much easier task to prevent a ransomware attack than to try to recover your files after you’ve become a victim.

Here are the three most common ransomware attack vectors and how your business can prevent a cyber attack. 

Ransomware Attack #1 - Open RDP Ports

RDP attacks pose a significant risk to businesses because they are so common amongst organizations of all sizes. Just recently, Honda proved to be vulnerable to open RDP port ransomware attacks (along with 4.6 million other businesses with misconfigured RDP!).

Organizations impacted are both large and small. Companies that staff remote employees who require access to network computers are especially vulnerable.

What is RDP?

Remote Desktop Protocol (RDP) is an access portal that allows a user or administrator to connect to your computer from another location. The remote desktop protocol is a feature built into the Windows operating system that helps businesses manage their IT network and fix any issues that might arise on an employee computer. RDP can be a useful tool for companies with a Managed Service Provider (MSP) that updates and manages business systems from afar. 

If this open RDP setting is configured improperly, a cyber criminal can launch a ransomware attack on your business networks. In June 2020, the United States’ FBI warned K12 schools of ransomware attacks via RDP to raise awareness about this attack vector. 

Open RDP (Remote Desktop Protocol) Port 3389

Why Is RDP Not Secure?

Open RDP ports are a party invitation for hackers to come in and launch ransomware attacks to encrypt your files. Many times, businesses are completely unaware that their RDP port is public-facing and open to an attacker.

RDP is commonly misconfigured when: 

  • A company sets up its network for the first time
  • Inexperienced IT staff fail to secure the access port
  • Organizations have an outsourced IT service that keeps this port open for remote monitoring & servicing
  • Two-factor authentication is not applied

RDP ports are commonly misconfigured and left open, and sometimes weak RDP passwords are to blame for a company ransomware attack. If your business follows poor password hygiene and employees are re-using old passwords, this is an opportunity for hackers to get a foothold in your network. 

The global COVID-19 pandemic presents a golden opportunity for brute-force remote access attacks, where hackers take advantage of organizations working from home.

How Do I Disable Remote Desktop Protocol?

Businesses can prevent ransomware attacks by closing remote access and disabling any open ports or connections to their computers and networks. 

To disable remote desktop protocol in Windows 10:

  1. Open the settings panel for Remote System Properties (hint: you can also use the Windows assistant Cortana to search for remote settings for quick access)
  2. Select “Don’t allow remote connections to this computer”

The settings to disable Windows remote desktop will be slightly different, depending on the Windows version your organization runs.

However, the solution to closing remote connections isn’t always this simple. If you are attempting to secure a network with multiple servers and advanced IT structure, the first place to look might be the server or firewall. Because the settings vary from product to product, it’s best to contact the manufacturer of your internal network server and firewall to see what steps can be taken for disabling remote access.
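The two-click procedure above is the right answer for a single Windows 10 machine, but administrators usually want to confirm the setting across a fleet and make sure the firewall is closed as well. The following PowerShell script is an added example, not code from the original article: it reads the same "Don’t allow remote connections" setting from the registry, checks whether Network Level Authentication is required, lists any enabled inbound firewall rules in the built-in "Remote Desktop" group, and then disables RDP. The registry values and firewall rule group are standard Windows 10 built-ins; the function names are this example’s own, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit and disable Remote Desktop
# on a Windows 10 host. Run from an elevated (Administrator) PowerShell session.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = Join-Path $rdpKey 'WinStations\RDP-Tcp'

function Get-RdpStatus {
    # fDenyTSConnections = 1 is the registry form of
    # "Don't allow remote connections to this computer"
    $deny = Get-ItemPropertyValue -Path $rdpKey -Name fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication (NLA) is required
    $nla = Get-ItemPropertyValue -Path $nlaKey -Name UserAuthentication
    # Enabled inbound rules in the built-in "Remote Desktop" group expose port 3389
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    # Is anything actually listening on the default RDP port right now?
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        OpenFirewallRules    = $openRules.Count
        ListeningOn3389      = [bool]$listener
    }
}

function Disable-Rdp {
    # Same effect as selecting "Don't allow remote connections to this computer"
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    # Close the inbound firewall rules too, so the port stays unreachable even if
    # a later change or an MSP tool re-enables the service
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-RdpNla {
    # If remote access must stay on, at least require NLA so a client has to
    # authenticate before a session (and the logon screen) is ever created
    Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1
}

Write-Host 'Before:'
Get-RdpStatus | Format-List
Disable-Rdp
Write-Host 'After:'
Get-RdpStatus | Format-List
```

On a machine where RDP was enabled, the "Before" object shows RemoteDesktopEnabled as True with one or more open firewall rules, and the "After" object shows it as False with zero rules. Where an MSP genuinely needs remote access, replace the `Disable-Rdp` call with `Enable-RdpNla` and restrict the firewall rule to the MSP’s VPN address range rather than leaving it open to the internet.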

Remote Desktop Protocol Setting on Microsoft Windows 10

Ransomware Attack #2 - Phishing Emails

65% of U.S. organizations experienced a successful phishing attack last year, well above the 55% global average, according to the Proofpoint 2020 State of the Phish Report. As a result of successful phishing attacks, almost 50% of those victims were encrypted by ransomware or experienced some form of data loss.

What Is Phishing?

Ransomware can reach your business through a malicious email message, an attack known as phishing. In a phishing attack, a cyber criminal attaches malware or includes malicious links in the message that, when opened or clicked, install the ransomware program on the computer.

Phishing emails are back in fashion, becoming much more targeted and difficult to stop. Not only do phishing attacks aim to cause havoc via ransomware, they also try to coerce recipients with other means of cyber extortion.

In 2020, hackers are taking advantage of the coronavirus pandemic with COVID-19 themed phishing attacks that result in ransomware and malware being downloaded.

What Is Phishing?

How Can We Stop Phishing Emails?

It is critical for businesses to address the threat of phishing to avoid ransomware attacks. Actively prevent ransomware delivered via phishing by using an email filter and training your employees to detect malicious email threats. Popular business email platforms like Microsoft Office 365 and Gmail have built-in malware and ransomware protection that may scan for and alert you to malicious emails.

  • In addition to using email filters, you must train employees to detect suspicious emails and links.
  • Make cyber security training a part of the onboarding process which will establish expectations and high security standards for your business early on.
  • Annual training sessions can help employees understand what phishing attacks are popular and what they should look out for.

Double-check the sender’s address and encourage employees to speak up and ask when something feels suspicious. “If you see something… say something”.
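"Double-check the sender’s address" is good advice, and it is also something a mail filter can do for you. The PowerShell function below is an added example, not code from the original article or from any mail platform: it takes the raw header block of a message and flags the mismatches that phishing messages typically show, such as a display name claiming a well-known brand while the actual sender domain is something else, or a Reply-To that diverts responses to a third domain. The sample headers are constructed for illustration and use fictitious domains; the brand list and function names are this example’s own assumptions.

```powershell
# Added example (not from the original article): flag sender mismatches in an
# email header block. Works in Windows PowerShell 5.1 and PowerShell 7.

# Constructed sample headers for a fake "Apple ID" message (fictitious domains)
$sampleHeaders = @'
From: "Apple ID Support" <noreply@apple-id-verify.example>
Reply-To: recover@mailbox.example
Return-Path: <bounce@apple-id-verify.example>
Subject: Your Apple ID was used to sign in from a new device
'@

function Get-AddressDomain([string]$Address) {
    # Pull the domain part out of "Name <user@domain>" or "user@domain"
    if ($Address -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Get-HeaderValue([string]$Headers, [string]$Name) {
    # First header line whose name matches, with the "Name:" prefix stripped
    $line = ($Headers -split "`r?`n") |
        Where-Object { $_ -match "^$Name\s*:" } |
        Select-Object -First 1
    if ($line) { return ($line -replace "^$Name\s*:\s*", '').Trim() }
    return $null
}

function Test-SuspiciousSender {
    param(
        [Parameter(Mandatory)][string]$Headers,
        # Brands employees expect mail from; assumed list for this example
        [string[]]$TrustedBrands = @('apple.com', 'microsoft.com', 'google.com')
    )
    $from       = Get-HeaderValue $Headers 'From'
    $replyTo    = Get-HeaderValue $Headers 'Reply-To'
    $returnPath = Get-HeaderValue $Headers 'Return-Path'
    $fromDomain = Get-AddressDomain $from
    $reasons    = @()

    # Display name is everything before "<", quotes removed
    $displayName = ($from -replace '\s*<.*$', '') -replace '"', ''
    foreach ($brand in $TrustedBrands) {
        $brandWord = $brand.Split('.')[0]
        # Name drops a brand but the sender domain is not that brand's domain
        if ($displayName -match "\b$brandWord\b" -and
            $fromDomain -ne $brand -and $fromDomain -notlike "*.$brand") {
            $reasons += "Display name mentions '$brandWord' but sender domain is '$fromDomain'"
        }
    }
    # Replies or bounces going to a different domain than the visible sender
    if ($replyTo -and (Get-AddressDomain $replyTo) -ne $fromDomain) {
        $reasons += "Reply-To domain '$(Get-AddressDomain $replyTo)' differs from From domain"
    }
    if ($returnPath -and (Get-AddressDomain $returnPath) -ne $fromDomain) {
        $reasons += "Return-Path domain '$(Get-AddressDomain $returnPath)' differs from From domain"
    }

    [pscustomobject]@{
        FromDomain = $fromDomain
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

Test-SuspiciousSender -Headers $sampleHeaders | Format-List
```

For the constructed sample, the result is Suspicious = True with two reasons: the display name says "Apple" while the sender domain is apple-id-verify.example, and the Reply-To points at mailbox.example. Checks like these are a complement to, not a replacement for, the platform’s own filtering and SPF/DKIM/DMARC validation; their value is that they catch the look-alike tricks that are aimed squarely at a human reader.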

This phishing attack fakes an Apple ID login attempt.

Ransomware Attack #3 - Exploit Kits

Possibly one of the most dangerous ways ransomware enters your network is through the exploits bundled into an exploit kit. An exploit kit is an advanced malware tool that helps cyber criminals target victims through existing security gaps in well-known software and hardware from popular technology manufacturers. These exploit kits are a collection of malware & malicious code in an “all-in-one” platform that helps hackers carry out sophisticated cyber attacks.

In May 2017, the largest cyber attack in history, WannaCry, infected hundreds of thousands of Windows computers worldwide with ransomware. The ransomware used a stolen National Security Agency exploit dubbed EternalBlue that allowed hackers to take advantage of a vulnerability in Windows operating systems.

It wasn’t until Microsoft released official security updates for Microsoft Windows Server Message Block (SMB) that the vulnerability was closed and the exploit could no longer work as intended. Exploit kits are built around the weaknesses and security holes of popular platforms such as Adobe Java, Adobe Flash, and Microsoft Silverlight.

How Do Exploit Kits Infect My Computer With Ransomware?

Although exploit kits vary in their design and development, they mainly take four actions to infect a computer or network with ransomware:

  1. Connect 
  2. Redirect
  3. Exploit
  4. Infect

The contents of an exploit kit on a victim computer.

Step #1 - Connect to the Victim Computer

The ransomware operators will identify websites or advertisements (also known as malvertising) to compromise and insert their exploit code. This code helps gather information about the user, such as their country of origin via IP address and their operating system. 

The exploit kit might first identify the user’s system and language settings. Hackers sometimes design their malware to stop once it discovers the computer uses Cyrillic languages (many Eastern European languages such as Ukrainian and Russian). The world’s best hackers come from Russia and this area of the world, and they do not want to infect their own citizens with ransomware, as it might increase their chances of being found by law enforcement.

If the user doesn’t meet any of these conditions, the exploit kit begins the next phase in the attack.

Step #2 - Redirect Victim To Fraudulent Website

The exploit kit then redirects the unsuspecting user to a fraudulent website designed to look authentic and legitimate. While the user is browsing this mimic website, the exploit kit is actively scanning for web-based vulnerabilities and any security flaws found within the browser application.

Step #3 - Exploit is Executed

The term ‘exploit kit’ refers to the various exploits bundled together by the hacking community to increase their chances of successful ransomware attacks. An exploit kit might have a variety of malware code that takes advantage of weak browser security, unpatched Windows applications, and other software vulnerabilities. If it is an application-based exploit, the user might be asked to download a file that includes the malicious code.

Step #4 - Ransomware Infection on Victim Computer and Network

The malware code is executed on the victim’s computer and the ransomware spreads across the business network. Once the ransomware encrypts all the files on a network, a ransom note is displayed on the desktop with instructions for making the extortion payment in cryptocurrency.

How Do I Stop Exploit Kits From Attacking My Business?

Updating your computer, software, and hardware seems easy, yet most people forget to do this essential security measure. The hacking community thrives on vulnerabilities that have yet to be discovered, or for which an official security update has yet to be released.

Security researchers often discover these security vulnerabilities, and major software and hardware manufacturers work swiftly to provide an update that will close the security gap. The severity of the vulnerability (and whether the manufacturer is aware that it exists) determines how quickly the update can be provided.

Enabling automatic updates on operating systems, applications, and hardware used by your business can greatly reduce your risk for ransomware. Exploit kits are becoming dangerously prevalent, as the cyber crime community continues to organize their resources and labor to maximize damage. 

IT leaders and business managers can also stay aware of what exploit kits and vulnerabilities they should be looking out for. The United States’ Cybersecurity and Infrastructure Security Agency (CISA) posts bulletins that directly address these threats and what is being done to solve these security issues.
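The WannaCry example above is worth turning into a concrete check: the EternalBlue exploit abused SMB, and the fix was an update plus, on Microsoft’s advice at the time, removing the legacy SMBv1 protocol that the exploit targeted. The PowerShell script below is an added example, not code from the original article: it reports whether SMBv1 is still enabled on a Windows host, whether automatic updates are switched off by policy, and how long it has been since the last hotfix was installed, then offers a function to turn SMBv1 off. The registry path is the standard Windows Update policy key; the function names are this example’s own, and it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): check a Windows host's patch
# posture and retire SMBv1. Run from an elevated (Administrator) PowerShell session.

function Get-PatchPosture {
    # SMBv1 is the protocol version EternalBlue targeted; it should be off
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Group Policy location for Windows Update automatic-update settings.
    # NoAutoUpdate = 1 turns automatic updates off entirely; AUOptions
    # 2 = notify before download, 3 = auto download and notify to install,
    # 4 = auto download and schedule install, 5 = let local admin choose.
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
    $auOpt  = Get-ItemProperty -Path $auKey -Name AUOptions    -ErrorAction SilentlyContinue

    # Most recently installed hotfix, as a rough "how stale is this box" signal
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($lastFix) {
        (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    } else { $null }

    [pscustomobject]@{
        Smb1Enabled                = $smb1
        AutoUpdateDisabledByPolicy = ($noAuto.NoAutoUpdate -eq 1)
        AutoUpdatePolicy           = if ($auOpt) { $auOpt.AUOptions } else { 'not set (Windows defaults apply)' }
        MostRecentHotFix           = $lastFix.HotFixID
        DaysSinceLastHotFix        = $daysSince
    }
}

function Disable-Smb1 {
    # Stop the SMB server from speaking SMBv1 ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the optional feature so the driver is not present at all
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$posture = Get-PatchPosture
$posture | Format-List
if ($posture.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling it.'
    Disable-Smb1
}
```

A host that is in good shape reports Smb1Enabled as False, AutoUpdateDisabledByPolicy as False, and a small DaysSinceLastHotFix value. A large DaysSinceLastHotFix on a machine that is supposedly updating automatically is the kind of discrepancy worth chasing, since an exploit kit only needs one machine that quietly stopped patching.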

What Should I Do If My Files Are Encrypted?

If your files are encrypted in a ransomware attack, we suggest researching the options you have for ransomware recovery. We understand how frustrating it can be when you don’t have access to your business files and you’re locked out of your network from the ransomware attack. Businesses feeling uncertain about recovering their locked files on their own and restoring business operations can use ransomware recovery services that can provide peace of mind. 

How Can I Prevent Ransomware?

There is one very simple answer to staying protected from ransomware, and that’s to be proactive. We see too many organizations fall victim to ransomware and their files are encrypted because of poor cyber security habits and no desire to protect their information. 

Being proactive means following the advice in this guide and genuinely addressing the security threats for your organization and educating your work staff. Protect your business from ransomware with professional cyber security services and avoid the headache of having encrypted files. 

Companies like Proven Data, who’ve worked with thousands of clients, can effectively identify gaps in your security infrastructure and provide custom-tailored solutions to organizations of all sizes.

If you would like to learn more about how we can help protect you from ransomware and emerging cyber threats, inquire today.
