We recently asked renowned Ransomware Expert Allan Liska: “What are the “big” common attack vectors that ransomware actors use?” see his response in this video, and in case you’ve missed it, here’s the transcript:
James Green:
Ransomware attackers often get in using one of only a couple popular mechanisms, and so if we can be watching for and on top of those things we stand a better chance of preventing a ransomware attack. What are the big couple of common attack vectors that ransomware actors use?
Allan Liska:
So there are really three major attack vectors for sort of the manual hands on keyboard ransomware. There are phishing attacks, credential reuse or credential stuffing attacks, and then there is exploitation against known vulnerabilities. But that is a fairly diverse area of protection and explains one of the reasons why ransomware attacks are so prominent is that you have to defend against all three of those because there are different ransomware groups that are conducting all three types of attacks right now and you have to figure out how to protect against all of them at the same time. You can’t say, well I’m going to do phishing this year, I’m going to do credential reuse next year and I’ll do patching the following year. You have to do all of them now.
So phishing is pretty self explanatory, send an email with either an attachment or a link and deploy a ransomware from there. Credential reuse, there are a lot of credentials available in underground markets. The last count I heard in 2021 alone 8 billion credentials have been dumped to underground markets. Now a lot of those are old, a lot of them are repackaged and all that other stuff, but there’s still a whole bunch out there. And the fact is that employees tend to reuse passwords. So if you sign up for an event with your employee email address you’ll probably use the same password that you’re using to log into the network. And so ransomware actors know that, they look for exposed systems, they figure out what organization it belongs to, and then they just go hunt for credentials that are readily available and start trying those credentials until they find something that matches, or they use a credential stuffing attack, which is basically common username and password combinations and try and get those through.
And then exploitation, exploiting known vulnerabilities on publicly exposed systems, so VPNs, Citrix servers, anything that is connected to the internet.
James Green:
So as far as securing against those things, like you said it’s each one is a big, hairy problem on its own.
Allan Liska:
Right.
James Green:
But let’s just briefly touch on each one and offer a little piece of advice here. So for phishing what’s the one step everybody should be thinking about taking to secure against phishing attacks?
Allan Liska:
So the biggest thing is if you can keep the phishing email from getting to the employees, that’s going to provide the most benefit. So anything you can do to put in a security overlay to your existing mail service is going to benefit you. Things that are specifically looking for those kind of attacks, and especially for ransomware attacks that will stop them and quarantine those emails before they have a chance to get to the employee.
James Green:
Okay. And then when it comes to patching, having everything all patched all the time is probably not realistic, but what should we aim for?
Allan Liska:
So again, public scanning of your network infrastructure to make sure that you know everything that is exposed to the internet, and then prioritize patching those systems that are publicly exposed. That is going to give you the most value. For the most part ransomware actors are not using zero day vulnerabilities or anything like that so you’re going to be best protected by prioritizing, patching those things that are connected to the internet.
James Green:
And then finally for credential reuse how can we tighten up systems and keep our users accounts secure?
Allan Liska:
So there are a few things you can do. One is wherever possible enable multifactor authentication, that goes a long way toward defeating these kind of attacks, and then make sure that when employees leave that you remove their access to everything, and do that immediately and make sure you have a process in place for everywhere they may have had access that all of that gets removed. And then if you can monitor for employee credentials being dumped on underground markets. A great resource for that is have I been Pwned, no cost, you can put in your company domain and get alerts anytime new employee credentials are found on underground markets, and then have a process in place to get passwords for those employees changed and let them know hey, this has been exposed here so wherever else you may have been using that password you may want to go change it as well.
James Green:
Great. Thank you, Alan.
Allan Liska:
Thank you.
Interested in viewing more videos about Ransomware? Visit our Ransomware Video Gallery
