Prevent the 3 Most Common Ransomware Attack Vectors

Summary

• A few basic security controls can greatly reduce your risk of a ransomware attack.
• These controls are common and highly effective at preventing ransomware.
• Organizations should not wait until they are hit to act.

It seems like we hear once a week about a new ransomware victim. What about the ones we don't hear about? Ransomware threat actors are busier than ever and are looking for the easiest payoff possible. Even if your company is in an overlooked industry or doesn't have data that you think would be of particular interest to hackers, you could still be a target.

In the many ransomware engagements to which the Secureworks Incident Response Practice responds, we find striking similarities in the tactics used by threat actors to gain access, move laterally, distribute the ransomware, and finally detonate it. As such, our recommendations for securing networks against such attacks offer a proven standard for ransomware protection.

Initial access vector

The three most common methods that we see threat actors use to gain access to a victim's network are:

1. Credential Abuse - Logging in to a remote access gateway via stolen or guessed credentials
2. Malware Infection - Installing malware on a host via a phishing campaign or other means
3. Scan and Exploit - Exploiting a vulnerability on an Internet-facing server

If you can prevent or detect and block these methods, your risk of follow-on activity is greatly reduced. If the attacker can't get in, what else can they do? The earlier in the process you can stop unauthorized activity, the greater your chances of stopping the attack.

Attackers usually go for the easiest payoff possible

More often than not, this means guessing your credentials and logging in. I’d like to take this opportunity to implore all of you reading this to please, please implement multi-factor authentication on your remote access gateways. The presence of MFA is usually enough to deter the attacker and force them to focus on a less secure organization.

Secondly, many malware infections used for initial entry evade traditional antivirus programs by living only in memory. Cobalt Strike, a tool built for adversary simulations and red team testing, is an example. It is used by penetration testers to compromise networks because it works. However, a good tool with endpoint detection and response capabilities, such as Secureworks® Taegis™ XDR, can detect Cobalt Strike, giving you the advantage over the attacker during the early stages of an attack.

See How Secureworks® Covers MITRE ATT&CK® Framework TTPs and how Taegis XDR maps defenses and countermeasures against more than 90% of all adversarial TTPs used by the malicious software tracked by MITRE

Lastly, good old vulnerability management is the best way to protect against the Scan and Exploit attack method. Vulnerability management has long been a time-consuming and heavily manual task, but technology is changing this. Secureworks Taegis VDR (Vulnerability Detection and Response) for example, uses AI and analytics to automate much of the manual burden of vulnerability management.

Once they are in

After a threat actor establishes a presence in a victim's network, the activities they perform are fairly predictable. We often see them:

1. Conduct reconnaissance in the network
2. Move laterally
3. Elevate privileges to domain administrator
4. Extract data and destroy backups
5. Distribute and detonate ransomware

Many times, ransomware attackers will conduct these activities using a method called "living off the land," meaning they use the tools that you use to administer the network. Sometimes the attackers use these tools in a way you wouldn’t, like encoding PowerShell commands. Detecting and blocking malicious tools and malicious use of authorized tools falls squarely into the job of the tool which handles your endpoint detection and response.

Secureworks Taegis XDR customers often get calls from us when we see this behavior, indicating that ransomware is coming. Our incident responders spring into action to guide the victim through the steps to evict the threat actor from the estate in a timely fashion.

Other controls that can help make it harder to compromise your network include strengthening the security of your Active Directory. Without privileges, it is harder to perform the malicious activities in the kill chain. Our Active Directory Security Assessment is an incident readiness service available with the Incident Management Retainer that can help you with this.

Lastly, we have seen threat actors who have compromised a victim's network divert their attention elsewhere upon discovering that they cannot destroy the victim's backups. Think about it: If you were trying to make money, would you waste your time with a company that had the means to recover data without paying you? I think not. It pays to store your backups off-line.

One final thought

And as always, logging to a central collection facility is going to be key in detecting badness in your network. Our Taegis XDR security operations and analytics platform allows you to send as many infrastructure log types as you want at no additional cost, giving Secureworks the ability to apply our intelligence, correlate infrastructure logs with endpoint logs, and enable threat hunting and incident response, all in the same program.

Further Reading:

• Webinar: Changing the Rules of Ransomware
• Preparing for Post-Intrusion Ransomware
• Hacking MFA: Office 365 MFA Bypass – Wireless Guest Network
• Think MFA is Hack-Proof? Think Again
• Post-Intrusion Ransomware Incident Response
• Webinar: The Hacker Mindset in Incident Response