How Ransomware Works and What Tools are Used to Encrypt

Ransomware is one of the most lucrative attacks available to cybercriminals, and its structure is simple: the attacker takes control of your files by encrypting them so that you can no longer read them, and without the key you are left with practically no way to recover them.

The deal on offer is that you pay a certain amount of money to get them back. In practice there is no guarantee: payment does not always produce a working decryption tool, and a victim who pays is marked as someone who pays, so the same group or another one comes back and the victim has to … of course, pay again. It is a vicious circle in which extortion is the main protagonist.

The need to get those files back works against users and leads them to the mistake of paying for the data the ransomware has encrypted. Do not pay the ransom. Even if losing your files feels like the end of the world, paying may or may not get them back, and it funds and encourages the next attack. Restore from backups that were kept offline or otherwise out of the attacker's reach instead.


These attacks are so effective because the attackers take the time to study the target before striking. They generally go after large organisations, where a single successful intrusion can bring in millions of dollars.

The phases of ransomware

So how are these attacks carried out? Below we walk through the phases of a ransomware attack. There are eight in total, but for clarity we group them and describe, in chronological order, what happens in each.

Initial process

This phase is the bridge between the cybercriminal and the victim. It generally relies on phishing websites and email messages. Email is the preferred channel because almost everyone has a mailbox and will open a convincingly written message, and because the defence depends on the mail gateway, the client and the user all doing their part: attachment filtering, link checking, and a user who does not enable macros or run whatever arrived unexpectedly. Exposed remote-access services are the other common entry point, as the lateral movement phase below shows.

Execution and escalation of privileges

One reason ransomware attacks are so effective is that the operators rarely need specialised malware to spread through the network: they use the same administration tools that IT staff use every day, which makes their activity hard to tell apart from legitimate work. So there are not many steps between execution and privilege escalation. Once the attacker has administrator rights on a system, anything is possible. Although many of the holes they exploit already have patches, many administrators do not treat updates as a priority. The attacker only needs a handful of machines that are behind on security updates, and from there the intrusion can grow into a very complex attack.

Evasion of defenses and access credentials

From the moment an attacker holds administrator rights, they can change the security configuration as they please. What does that mean? They can tune the security settings so that their own changes trigger as few alarms as possible, or silence the alarms entirely. There are also tools that operate at a lower level than the security products themselves and can disable or uninstall any program that might expose the attack.

On the credential access side there are many free and open source tools for this purpose, and their availability is what benefits attackers most. Cybercrime stopped being a small hidden world long ago; it is a vast industry with margins like no other. These same credential-harvesting tools are very popular with pentesting specialists, which is exactly why they are so well documented and easy to obtain.

We must not forget that a good part of the tools attackers use to break into systems were originally conceived in another context, namely the professional or academic one. For example, Routersploit, which we have covered in a previous article, helps identify routers and other network devices that still use their default credentials. Unfortunately it is also an ally of those who attack routers to alter the gateway configuration, the DNS servers and other settings. Changing the default credentials on every network device is the direct countermeasure.

Discovery

After all the steps needed to gain privileged access, one of the most important phases arrives: mapping the system, above all on the logical side. The attacker collects extremely useful data such as how many endpoints there are, which services run on the servers, and whether those services are hosted in the cloud or still on premises. They can also identify whether you have backups, online or physical, and which servers, on premises or in the cloud, those backups correspond to.

Why the interest in backups? If the victim finds that both the original data and the backup have been encrypted, the odds of paying rise sharply, out of desperation and the urge to get everything back. Ransomware can go even further: besides making your files inaccessible, the attackers can hijack critical databases, taking them offline to make the extortion even more effective and, as the icing on the cake, keeping control of those databases to launch further attacks if they wish. This is why backups should be kept offline or in a store that the compromised accounts cannot reach, and why restoration should be tested regularly.

Lateral movement and finally the impact

Lateral movement is reached thanks to protocols such as RDP (Remote Desktop Protocol). RDP is built into virtually every Windows edition, though it is not always mentioned, and it lets you connect remotely to another Windows computer as long as RDP is enabled there too. Connecting requires a valid password, and there are tools that guess it by trying many candidates, in other words a brute-force attack. If RDP is not enabled, no problem: there are plenty of other remote desktop programs to choose from, and the possibilities are endless. Not exposing RDP to the Internet, enforcing account lockout and requiring network-level authentication are the standard mitigations.

The final phase is the impact, that is, the execution of the ransomware itself. At this point the attacker only needs a kit that provides everything required to build the ransomware. The striking thing is that little effort is needed to find one; you do not even have to go to the dark web, a normal web search will most likely turn up some builder. Most are sold as paid applications, but money is not usually a problem for cybercriminals, and the prices are relatively affordable even for groups with few resources.

Remember that the most popular ransom payment method is Bitcoin. Although its value is highly volatile, as time has shown, it remains the most valuable cryptocurrency per unit. Depending on the ransomware, the payment in Bitcoin can easily reach thousands of dollars per victim; multiplied across every infected machine, a single campaign can bring in millions.

Frequent errors that make us victims of ransomware

Most attacks can be avoided, or at least contained, with a handful of security measures. Even though several of them take little time to apply, we do not apply them. Another reason we neglect the security and privacy of our data is that we do not believe we could be the victim of such an attack, until it happens to us.

Sophos Labs lists five errors and, correspondingly, five essential measures to avoid falling victim to this kind of attack.

Protect access to systems

We noted above that services such as RDP are very convenient bridges for taking control of other Windows computers that have the protocol enabled. Even where it is not enabled, attackers can use free and easy tools to take over machines, especially those from which they can escalate privileges. A quick but effective measure is to scan your own networks to see what is exposed to the Internet: which services are listening on which ports, so that you can close the ones that are not strictly necessary. One quick way is the Shodan search engine, which indexes what its own scanners see on Internet-facing hosts and is free to use once you create an account. Keep in mind that Shodan only shows what it has already indexed, so a scan of your own perimeter from outside, with a tool such as nmap, is the authoritative check.
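The exposure check described above, as an added example that is not part of the original article: a small TCP connect scanner that reports which of a set of risky ports are reachable on a host. The service table and the default port list are this example's own assumptions; adjust them to your environment, and only scan hosts you own or are authorised to test.

```python
"""Quick exposure check: TCP connect scan of a host for ports that
ransomware operators commonly use for initial access or lateral movement.

Added example, not from the original article. The service table and the
default port list are assumptions for illustration; adjust them to your own
environment. Only scan hosts you own or are authorised to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports worth closing or restricting at the perimeter. The notes are this
# example's own risk annotations, not a standard list.
RISKY_PORTS = {
    3389: "RDP - brute-forced and used for lateral movement",
    445: "SMB - file shares, lateral movement",
    5900: "VNC - alternative remote desktop",
    22: "SSH - fine with keys, risky with passwords",
    23: "Telnet - cleartext, should never be exposed",
}


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 32) -> set:
    """Connect-scan the given ports in parallel; return the set of open ones."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: port_is_open(host, p, timeout), ports)
    return {p for p, is_open in zip(ports, results) if is_open}


def exposure_report(open_ports) -> list:
    """Map open ports to the risk notes above; unknown ports are listed for review."""
    report = []
    for port in sorted(open_ports):
        report.append((port, RISKY_PORTS.get(port, "not in the risk table - review manually")))
    return report


if __name__ == "__main__":
    target = "127.0.0.1"  # replace with your public address to see what the Internet sees
    found = scan_ports(target, RISKY_PORTS)
    for port, note in exposure_report(found):
        print(f"{target}:{port} open - {note}")
    if not found:
        print(f"none of the watched ports are open on {target}")
```

Run it from a host outside your network against your public address; a port that is open from the inside but filtered from the outside is not a problem, while anything from the table that answers from the Internet deserves a firewall rule or a VPN in front of it.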

Choose appropriate passwords and additional authentication methods

On the business side, if you administer systems and networks you must ensure that users choose strong passwords for their resources. This matters even more when a large part or all of the workforce works from home. Another decisive factor is that many applications and resources are reached through simplified access such as SSO, which does not ask for the password every time nor require a separate password for everything. That is precisely one of the main risks: if an attacker obtains your SSO credentials, they most likely gain access to all your resources, so the SSO account itself must be protected with MFA.

On the end-user side, our day to day, especially on mobile, runs on applications, and many of them hold sensitive information: banking, finance, location (Google Maps, for example) and email. It is necessary to add an authentication factor such as MFA, where each login also requires a one-time code that is valid only for a short time window (30 seconds with the usual time-based codes). Our recommendation: Google Authenticator for Android (free) and for iOS (free).

Pay attention to system logs

If we know how to read and interpret logs, we have done a great deal for the security of our systems and networks. It matters because cybercriminals tend to take their time to execute an attack, as all the phases of an effective ransomware operation show. Sometimes attacks seem to arrive "without warning", but if we take the time to analyse the logs we can find several surprises: failed logons, new accounts, disabled security tools and connections from unusual addresses, all of which precede the encryption.
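As an added example, not part of the original article, here is the kind of log reading that catches the RDP password guessing described in the lateral movement phase above: Windows records a failed logon as event 4625 and a successful one as 4624, and logon type 10 (RemoteInteractive) is what an RDP session produces. The records below are constructed for this example, flattened to one line per event the way a SIEM or CSV export would deliver them; the field order and the thresholds are assumptions.

```python
"""Spot RDP password guessing in a Windows Security log export.

Added example, not from the original article. Event 4625 is a failed logon,
4624 a successful one, and logon type 10 (RemoteInteractive) is an RDP
session. The sample records are constructed for this example; the field order
(time, event id, logon type, account, source address) is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: time, event id, logon type, account, source address.
SAMPLE_LOG = """\
2024-05-02T22:14:01,4625,10,administrator,198.51.100.23
2024-05-02T22:14:03,4625,10,administrator,198.51.100.23
2024-05-02T22:14:04,4625,10,admin,198.51.100.23
2024-05-02T22:14:06,4625,10,backup,198.51.100.23
2024-05-02T22:14:09,4625,10,jsmith,198.51.100.23
2024-05-02T22:14:12,4625,10,jsmith,198.51.100.23
2024-05-02T22:14:15,4624,10,jsmith,198.51.100.23
2024-05-02T22:30:00,4625,10,mlopez,10.0.0.45
2024-05-02T22:31:10,4624,10,mlopez,10.0.0.45
2024-05-03T08:00:00,4624,2,mlopez,-
"""


def parse_events(text: str):
    """Yield (time, event_id, logon_type, account, source) tuples from the export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split(",")
        yield (datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source)


def detect_rdp_abuse(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return (source, finding) pairs for sources showing brute force over RDP:
      - at least `threshold` failed RDP logons within `window`
      - a successful RDP logon from an already flagged source, the moment
        guessing turned into a foothold
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    findings = []
    for when, event_id, logon_type, account, source in sorted(events):
        if logon_type != 10:        # only RDP / RemoteInteractive sessions
            continue
        if event_id == 4625:
            recent = failures[source]
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.popleft()    # slide the window forward
            if len(recent) >= threshold and source not in flagged:
                flagged.add(source)
                findings.append((source, f"{len(recent)} failed RDP logons in {window}"))
        elif event_id == 4624 and source in flagged:
            findings.append((source, f"successful RDP logon as '{account}' after brute force"))
    return findings


if __name__ == "__main__":
    for source, finding in detect_rdp_abuse(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] {source}: {finding}")
```

The second finding is the one to treat as an incident rather than noise: a success from an address that had just been guessing passwords means the attacker now has an interactive session, and the account name tells you which credentials to reset first. The single failure from 10.0.0.45 followed by a success is what a user mistyping their password looks like, and the detector correctly stays quiet about it.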

Do not ignore any of the alerts

It is not enough to deploy a SIEM-type system to manage the events that could compromise our systems. We must also keep a permanent eye on what kinds of alarms are triggered, how often, which events they refer to and, of course, analyse them with the main goal of finding the root cause of the potential security hole. Very often, as system, network or security administrators, we receive so many alert emails and reports that we end up ignoring some of them. Nothing should be ignored, because the alert we skip could be the bridge to a ransomware attack that compromises the operation of the whole organisation.

If we are not in such an environment we should still be alert to warning signs. Avoid opening suspicious emails and, above all, their contents. Ransomware usually arrives in attachments that are designed to arouse the curiosity of whoever receives them, even when that person was not expecting the email. Opening the attachment is all it takes for your files to become unavailable within seconds.
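An added example, not part of the original article, of the check a mail gateway or a cautious script can apply to attachments before anyone opens them: flag executable and macro-capable file types, double extensions such as "invoice.pdf.exe", and files whose bytes start with the Windows executable header regardless of the declared type. The extension list is this example's own assumption, and the message it inspects is constructed inline.

```python
"""Flag email attachments of the kind ransomware droppers arrive in.

Added example, not from the original article. The risky-extension list is an
assumption for illustration (executables, scripts and macro-enabled Office
files are the usual carriers); the message below is constructed for the example.
"""
import email
import os
from email import policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".bat", ".cmd", ".ps1", ".docm", ".xlsm", ".pptm", ".iso", ".lnk"}


def attachment_findings(msg) -> list:
    """Return (filename, reason) for each attachment that looks like a dropper."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        root, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            findings.append((name, f"executable or macro-capable type {ext}"))
        elif os.path.splitext(root)[1]:
            # 'invoice.pdf.exe' style names: Windows hides the last extension
            findings.append((name, "double extension"))
        # a part declared as PDF or text whose bytes start with the PE header 'MZ'
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and ext not in RISKY_EXTENSIONS:
            findings.append((name, "Windows executable header despite declared type"))
    return findings


def scan_raw_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return the attachment findings."""
    return attachment_findings(email.message_from_bytes(raw, policy=policy.default))


def build_sample() -> bytes:
    """Construct a message with a harmless PDF, a macro document and a disguised EXE."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_raw_message(build_sample()):
        print(f"suspicious attachment {name!r}: {reason}")
```

The content check matters more than the name check: the declared MIME type and the filename are both chosen by the sender, while the first bytes of the file are not. Archives are the obvious gap here, since a .zip or .7z can wrap any of these types, so a gateway would also need to open archives (and refuse password-protected ones it cannot inspect). Names such as "archive.tar.gz" will trip the double-extension rule, which is acceptable for an alert but would need a whitelist before being used to block.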

Keep the software updated

This applies to both enterprise and personal software: up-to-date software is one of the most effective shields against major cyber attacks. Patching closes known vulnerabilities before attackers can use them. It cannot by itself protect against a true zero-day, which by definition has no fix yet, but it shrinks the window in which a newly disclosed flaw can be used against you and it blocks the far more common attacks that rely on old, already-fixed bugs. In many cases it takes only a few minutes, so update the software you use whenever an enhancement or security patch is available.