How Ransomware Spreads
Ransomware and viral infections have a lot in common. Both are miserable to deal with, and can spread very easily. But, unlike the common cold, washing your hands isn’t going to prevent a ransomware outbreak. Hackers have developed multiple sophisticated methods for accelerating the spread of ransomware, with disastrous consequences for the organizations they target. Global ransomware costs were estimated to be over $5 billion in 2017. These costs reflect the actual ransoms paid by businesses, as well as associated damages such as increased downtime, legal and reputational repercussions of data breaches, and recovery costs.
Understanding how ransomware spreads is a good starting point in developing an effective battle strategy against it. To start with, the ransomware infects a single computer or other connected endpoint. Once the initial ransomware infection has gained a foothold, it spreads throughout the network. Let’s have a more detailed look at how this occurs.
The Initial Infection
When it comes to the initial infection, ransomware usually gains access through one of the attack vectors described below.
When it comes to malicious emails, phishing emails are perhaps the most insidious — anyone with an email address has probably seen their fair share of examples. At first glance, a phishing email may look genuine; it may even be embellished with company logos and a personalized greeting designed to trick the user. The sender’s email address may also be spoofed to make it look like it was sent by a trusted third party such as a friend or colleague, or a well-known organization such as Microsoft. Many phishing emails also contain malicious links or attachments that can trigger a ransomware download when opened. In a matter of minutes, ransomware encrypts your important files and sends a ransom demand. A speedy infection like this is often the result of just one erroneous click. And if the infected computer is connected to the organizational network, the entire network is now at risk.
Hacked websites and malicious online advertisements (aka malvertising) are common sources of ransomware infections that target users through web browsers. Downloading free software from unreliable sources can also bring a dose of ransomware with it.
In some instances, a user’s computer can become infected just by visiting a compromised website, with no clicking or downloading required. In this type of attack, referred to as a “drive-by” download, cybercriminals add several lines of malicious code, known as an exploit kit, to the compromised site. That code seeks out and exploits any of a number of known web browser limitations and vulnerabilities, allowing it to initiate an automatic ransomware download. The website doesn’t have to be a suspicious one; even legitimate websites can be compromised through malvertising.
Spreading Across the Network
Once the initial infection occurs, which often takes just a few seconds, ransomware may start to spread laterally throughout the network, encrypting additional PCs and servers for maximum damage – and maximum profit for the cybercriminals. It may also read the infected files, in search of golden nuggets such as usernames and passwords that enable it to spread farther and faster, using “shortcuts” such as remote desktop connections between network computers, or mapped drives. Getting rid of mapped drives, or backing up data to the cloud, isn’t always enough. Newer types of ransomware also target files on shared network drives and cloud backup services. In this manner, a single ransomware infection can paralyze an entire organization.
RaaS – Increasing the Spread of Ransomware
Cybercriminals don’t even have to be tech-savvy anymore, due to the proliferation of Ransomware as a Service (RaaS). These ready-made ransomware packages can be purchased from a dedicated RaaS portal on the Dark Web, sometimes even offering customization, so that criminals no longer need to write their own code. For cybercriminals, RaaS is a quick and dirty way to extort companies and gain profits, making it one of the primary reasons for the recent increase in both the number and variety of ransomware attacks.
Preventing the Spread
Ransomware is becoming increasingly sophisticated and finding new ways to spread. The best way to deal with it is to prevent ransomware infection in the first place, through a carefully thought-out combination of employee education and comprehensive security policies, together with hardware and software security solutions.
Educating employees and establishing clear best practices and protocols can assist in preventing attacks, in addition to the usual endpoint protection tools such as URL filters, firewalls and antivirus software. However, additional layers of security are needed to prevent more evasive threats that may still penetrate network devices undetected, leveraging drive-by downloads and other devious techniques.
Analysts such as Gartner are now recommending that organizations adopt a Remote Browser Isolation (RBI) solution to isolate high-risk internet browsing and access to URLs in email, calling it a “key preventative strategy” for blocking browser-borne threats such as ransomware. With RBI, all active web code is run in a virtual container outside of the organizational network instead of on the user’s local browser. This allows users to browse as normal, while ensuring that any ransomware or other malicious code hiding within the browsing session never gains access to the user’s computer – and keeping your organizational network out of harm’s way.