[BreachExchange] The four most popular methods hackers use to spread ransomware
Destry Winant
destry at riskbasedsecurity.com
Fri Aug 10 09:30:45 EDT 2018
https://www.itproportal.com/features/the-four-most-popular-methods-hackers-use-to-spread-ransomware/
Organizations from COSCO to FedEx, local governments from Atlanta to
Alaska, and several hospitals and law firms around the world all share
a common, jarring experience - in the past year, all of these
organizations have watched as malicious software took over their
networks and demanded a ransom payment, while disrupting their
business service continuity.
Ransomware is an escalating, increasingly sophisticated threat, and no
one seems to be immune. With new ransomware authors constantly upping
their game to evade detection by demanding new forms of
crypto-currency, such as DASH, or stealing passwords and Bitcoin
wallets, it can be difficult for the average user to understand how
they were infected in the first place when they fall victim to an
attack.
There are a number of attack vectors ransomware can exploit to take
over computers or servers. These are the four most common ways
ransomware infects its victims.
1. Phishing Emails
The most common method for hackers to spread ransomware is through
phishing emails. Hackers use carefully crafted phishing emails to
trick a victim into opening an attachment or clicking on a link that
contains a malicious file.
That file can come in a number of different formats, including a PDF,
ZIP file, Word document or JavaScript. In the case of a Word document,
the attacker most commonly tricks the user into “Enabling Macros” upon
opening the document. This enables the attacker to run a script that
downloads and executes a malicious executable file (EXE) from an
external web server. The EXE would include the functions necessary to
encrypt the data on the victim’s machine.
Once the data is encrypted, and ransomware gains a foothold on one
machine, the more advanced ransomware variants will spread to other
machines on the network (PCs and servers). All it takes is for one
person to naïvely open an attachment in the phishing email, and an
entire organization can be infected.
Popular ransomware exploiting victims using phishing emails include:
Locky
Cerber
Nemucod
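The macro chain described above (a Word document whose VBA project downloads an executable) leaves a simple artifact that a mail gateway or triage script can check for before the attachment ever reaches a user: OOXML files are ZIP containers, and a VBA project is stored inside them as a `vbaProject.bin` part. The following Python is an added example for this post, not code from the article or from any vendor it mentions; the triage policy in `triage_attachment` is an assumption for illustration, and the sample documents are constructed in memory rather than taken from real mail.

```python
import io
import zipfile

# Magic bytes for the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/.xlsm


def office_macro_indicators(data: bytes) -> dict:
    """Inspect raw attachment bytes for signs of an embedded VBA project.

    OOXML documents are ZIP archives; if a VBA project is present it is stored
    as '<part>/vbaProject.bin' (e.g. word/vbaProject.bin). Legacy OLE files
    need a dedicated parser, so they are only flagged for manual review here.
    """
    result = {"container": "unknown", "has_vba_project": False,
              "vba_parts": [], "needs_review": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["needs_review"] = True
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    result["container"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # A file that claims to be a ZIP but cannot be read is worth a look too.
        result["needs_review"] = True
        return result
    parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    result["vba_parts"] = parts
    result["has_vba_project"] = bool(parts)
    return result


def triage_attachment(filename: str, data: bytes) -> str:
    """Assumed gateway policy (not from the article): block any OOXML document
    carrying a VBA project, route legacy binary Office files and unreadable
    containers to manual review, and allow everything else."""
    ind = office_macro_indicators(data)
    if ind["has_vba_project"]:
        return "block"
    if ind["needs_review"]:
        return "review"
    return "allow"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container used only to demonstrate the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("old_memo.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(name, office_macro_indicators(blob), "->", triage_attachment(name, blob))
```

The check is deliberately format-level: it does not need to parse or run the macro, which is what makes it cheap enough to apply to every inbound document. A real deployment would pair it with a policy on where macro-enabled documents are accepted from at all.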
2. Remote Desktop Protocol
An increasingly popular mechanism in which attackers are infecting
victims is through Remote Desktop Protocol (RDP). As the name implies,
Remote Desktop Protocol was created to enable IT administrators to
securely access a user’s machine remotely to configure it, or to
simply use the machine. RDP typically runs over port 3389.
While opening doors to a device for legitimate use has many benefits,
it also presents an opportunity for a bad actor to exploit it for
illegitimate use. In 2017, it was determined that over 10 million
machines are advertising themselves to the public internet as having
port 3389 open, i.e. they are running RDP over 3389. Hackers can
simply search for those machines on search engines such as Shodan.io
to find devices that are vulnerable to infection. Once the target
machines are identified, hackers commonly gain access by brute-forcing
the password so they can log on as an administrator. Open source
password-cracking tools help achieve this objective. Popular tools,
including Cain and Abel, John the Ripper, and Medusa, allow
cybercriminals to quickly and automatically try multiple passwords to
gain access.
Once they’re in as an administrator, hackers have full control of the
machine and can initiate the ransomware encryption operation. To
create additional damage, some hackers will disable the endpoint
security software running on the machine or delete Windows file
backups prior to running the ransomware. This creates even more reason
for the victim to pay the ransom, as the Windows backup options may no
longer exist.
Popular ransomware exploiting victims through RDP include:
SamSam: Responsible for significant damage in 2018 to the City of
Atlanta, the Colorado Department of Transportation, hospitals, and other
organizations. A recent report estimated that SamSam authors made $5.9
million in revenue.
LowLevel04
CrySis
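Both halves of the RDP scenario above (a password brute-force against an exposed 3389 listener, then deletion of Windows backups once the attacker is logged on as an administrator) show up in the Windows Security log as a burst of 4625 logon failures from one source, a 4624 success from the same source, and a 4688 process-creation event for a backup-management command. The Python below is an added example, not code from the article or from any vendor named in it; the thresholds are assumptions, and the events are constructed in memory with simplified field names that mirror the Security log rather than real exported logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that correspond to RDP: 10 = RemoteInteractive, 3 = Network
# (NLA pre-authentication failures are logged as type 3).
RDP_LOGON_TYPES = {10, 3}

# Command lines that remove or disable Windows backups; these are the
# well-known "destroy the backups before encrypting" commands.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of RDP 4625 failures per source IP.

    Emits one 'rdp_bruteforce' alert when a source reaches `threshold`
    failures inside `window`, and an 'rdp_success_after_bruteforce' alert if
    that same source then produces a 4624 RDP logon within the window, which
    is the point at which the attacker is 'in as an administrator'.
    """
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    burst_seen_at = {}             # src_ip -> time the burst alert fired
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") not in RDP_LOGON_TYPES:
            continue
        src = ev.get("src_ip")
        if ev["event_id"] == 4625:
            recent = failures[src]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold and src not in burst_seen_at:
                burst_seen_at[src] = ev["time"]
                alerts.append({"type": "rdp_bruteforce", "src_ip": src,
                               "failures": len(recent), "time": ev["time"]})
        elif ev["event_id"] == 4624:
            if src in burst_seen_at and ev["time"] - burst_seen_at[src] <= window:
                alerts.append({"type": "rdp_success_after_bruteforce", "src_ip": src,
                               "user": ev["user"], "time": ev["time"]})
    return alerts


def detect_backup_tampering(events):
    """Flag 4688 process-creation events whose command line matches a
    backup-deletion pattern, regardless of which account ran it."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 4688:
            continue
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in BACKUP_TAMPER_PATTERNS):
            alerts.append({"type": "backup_tampering", "user": ev["user"],
                           "command_line": cmd, "time": ev["time"]})
    return alerts


def constructed_events():
    """Constructed sample: 12 RDP failures in 33 seconds from one address,
    a success from the same address, then a shadow-copy deletion. The lone
    failure from a second address and the legitimate wbadmin backup run
    should not alert."""
    t0 = datetime(2018, 8, 10, 9, 0, 0)
    evs = [{"time": t0 + timedelta(seconds=3 * i), "event_id": 4625, "logon_type": 10,
            "src_ip": "203.0.113.5", "user": "administrator"} for i in range(12)]
    evs.append({"time": t0 + timedelta(seconds=40), "event_id": 4624, "logon_type": 10,
                "src_ip": "203.0.113.5", "user": "administrator"})
    evs.append({"time": t0 + timedelta(minutes=5), "event_id": 4688, "user": "administrator",
                "command_line": "vssadmin delete shadows /all /quiet"})
    evs.append({"time": t0 + timedelta(minutes=6), "event_id": 4688, "user": "svc_backup",
                "command_line": "wbadmin start backup -backupTarget:E:"})
    evs.append({"time": t0 + timedelta(minutes=10), "event_id": 4625, "logon_type": 10,
                "src_ip": "198.51.100.9", "user": "bob"})
    return evs


if __name__ == "__main__":
    sample = constructed_events()
    for a in detect_rdp_bruteforce(sample) + detect_backup_tampering(sample):
        print(a)
```

The two detections are worth correlating rather than treating separately: a backup-deletion command shortly after a success-following-a-burst is a far stronger signal than either event alone, and it arrives before the encryption phase the article describes, which is the window in which isolating the host still saves the data.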
3. Drive-By Downloads From a Compromised Website
Another entry path that attackers use to deliver ransomware is through
what is known as drive-by downloads. These are malicious downloads
that happen without a user’s knowledge when they visit a compromised
website.
Attackers often initiate drive-by downloads by taking advantage of
known vulnerabilities in the software of legitimate websites. They
then use these vulnerabilities to either embed the malicious code on a
website or to redirect the victim to another site that they control,
which hosts software known as exploit kits. Exploit kits give hackers
the ability to silently scan the visiting device for its specific
weaknesses, and, if found, execute code in the background without the
user clicking anything. The unsuspecting user will then suddenly be
faced with a ransom note, alerting them of the infection and demanding
payment for returned files.
While this may sound like something encountered only on small,
under-the-radar sites, drive-by downloads are actually not limited to
obscure websites. They have happened to some of the most popular sites
in the world including the New York Times, the BBC, and the NFL – all
of these were targeted in a ransomware campaign through hijacked
advertisements.
Popular ransomware exploiting victims through drive-by downloads include:
CryptoWall
PrincessLocker
CryptXXX
4. USB and Removable Media
Another avenue that ransomware uses to penetrate an environment is
through a USB device. In 2016, Australian police issued a warning to
citizens about USB drives containing malicious software appearing in
mailboxes. The USB drives masqueraded as a promotional Netflix
application, then once opened deployed ransomware on to the
unsuspecting user’s computer.
The mighty Spora ransomware even added the capability to replicate
itself onto USB and removable media drives (as hidden files),
jeopardizing any subsequent machine the USB device is plugged into.
Ransomware has become the go-to attack of choice for cybercriminals to
generate revenues. It’s simple to buy on the dark web through
Ransomware-as-a-Service (RaaS) and attacks are relatively easy to
launch through one of the above methods. It’s important for
organizations to recognize how their systems can be targeted and
proactively take steps through a layered security approach to keep
themselves protected and to safeguard their business service
continuity.