How ransomware spreads: 9 most common infection methods and how to stop them.
Jareth, December 19, 2019 (copied from Emsisoft’s website blog section)
Cybercriminals are looking for creative new ways to hold your data hostage.
However, while ransomware might be getting more sophisticated, it’s important to remember that it still has to abide by the same rules as regular old malware.
That means it still has to be distributed, it still has to infect your system before it can deliver its payload – and it can still be avoided by taking a proactive approach to security.
How does ransomware infect your computer? In this article, we’ll show you some of the most common ways ransomware propagates and how you can reduce the risk of infection.
1. Email attachments
Ransomware is commonly distributed via emails that encourage the recipient to open a malicious attachment. The file can be delivered in a variety of formats, including a ZIP file, PDF, Word document, Excel spreadsheet and more. Once the attachment is opened, the ransomware may be deployed immediately; in other situations, attackers may wait days, weeks or even months after infection to encrypt the victim’s files, as was the case in the Emotet/Trickbot attacks.
Attackers may conduct extensive research on their target (often a specific company or high-ranking individual in an organization) to create credible and very believable emails. The more legitimate the email looks, the more likely the recipient is to open the attachment.
- Only open attachments from trusted senders.
- Check that the sender’s email address is correct. Remember that domain names and display names can easily be spoofed.
- Do not open attachments that require you to enable macros. If you believe the attachment is legitimate, seek guidance from your IT Department.
- Read this guide for more information on how to avoid phishing emails.
2. Malicious links
Attackers also use emails and social media platforms to distribute ransomware by inserting malicious links into messages. During Q3 2019, almost 1 in 4 ransomware attacks used email phishing as an attack vector, according to figures from Coveware.
To encourage you to click on the malicious links, the messages are usually worded in a way that evokes a sense of urgency or intrigue. Clicking on the link triggers the download of ransomware, which encrypts your system and holds your data for ransom.
- Be wary of all links embedded in emails and direct messages.
- Double-check URLs by hovering over the link before clicking.
- Use CheckShortURL to expand shortened URLs.
- Manually enter links into your browser to avoid clicking on phishing links.
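The two preceding sections describe checks a reader performs by hand: look at the attachment type, refuse to enable macros, and hover over a link to compare the visible text with the real destination. The following script, added here as an example and not part of Emsisoft’s article or tooling, automates those same checks on a raw message: it flags risky and double extensions, opens ZIP-based attachments (Office Open XML documents are ZIPs and carry a `vbaProject.bin` part when they embed macros), and inspects HTML links for shortener hosts, text-versus-href mismatches and punycode hostnames. The extension and shortener lists are constructed assumptions to be tuned per environment, and the sample message it builds is constructed for the demonstration.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch-lists; tune them for your own environment.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm", ".pptm"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def assess_attachment(filename, data):
    """Return findings for one attachment; an empty list means nothing stood out."""
    findings = []
    data = data or b""
    if _ext(filename) in RISKY_EXTENSIONS:
        findings.append(f"{filename}: risky extension {_ext(filename)}")
    if len(re.findall(r"\.[A-Za-z0-9]{2,4}", filename)) > 1:
        findings.append(f"{filename}: multiple extensions")  # e.g. invoice.pdf.exe
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Office Open XML files are ZIPs; a vbaProject.bin part means the document embeds VBA macros
            if any(n.endswith("vbaProject.bin") for n in names):
                findings.append(f"{filename}: contains a VBA macro project")
            findings += [f"{filename}: archive contains {n}" for n in names if _ext(n) in RISKY_EXTENSIONS]
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_links(html):
    """Flag shortened, mismatched and punycode links in an HTML body."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"{href}: shortened URL hides its destination")
        # The visible text is itself a URL but points elsewhere: what hovering over the link would reveal
        if URL_LIKE.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown.lower() != host:
                findings.append(f"{href}: link text shows {shown}")
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"{href}: punycode (IDN) hostname")
    return findings


def triage_message(raw):
    """Run both checks over a raw RFC 822 message and return every finding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings += assess_attachment(part.get_filename() or "unnamed", part.get_payload(decode=True))
        elif part.get_content_type() == "text/html":
            findings += assess_links(part.get_content())
    return findings


def build_sample_message():
    """Constructed sample: a disguised shortened link plus a macro-bearing 'invoice' document."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Review it at <a href="https://bit.ly/x1">https://portal.example.com/invoice</a></p>',
                        subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal stand-in for a macro-enabled Word document
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

On the constructed message this reports four findings: the shortened link, the mismatch between the displayed `portal.example.com` and the real `bit.ly` host, the `.docm` extension, and the embedded macro project. Plain "Click here" link text produces no mismatch finding, since there is nothing displayed to compare against; that case is exactly where hovering, or a gateway rewriting the link, still matters.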
3. Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP), a communications protocol that allows you to connect to another computer over a network connection, is another popular attack vector. Some examples of ransomware that spread via RDP include SamSam, Dharma and GandCrab, among many others.
By default, RDP receives connection requests through port 3389. Cybercriminals take advantage of this by using port scanners to scour the Internet for computers with exposed ports. They then attempt to gain access to the machine by exploiting security vulnerabilities or using brute-force attacks to crack the machine’s login credentials.
Once the attacker has gained access to the machine, they can do more or less anything they wish. Typically this involves disabling your antivirus software and other security solutions, deleting accessible backups and deploying the ransomware. They may also leave a backdoor they can use in the future.
- Use strong passwords.
- Change the RDP port from the default port 3389.
- Only enable RDP if necessary.
- Use a VPN.
- Enable 2FA for remote sessions.
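The brute-force attempts described above leave a trail: every failed RDP logon is recorded as Windows Security event 4625 and every success as 4624, both carrying the source IP address and the logon type (type 10 is RemoteInteractive, i.e. an RDP session). The detector below is an added example, not part of Emsisoft’s article or products; it runs over a constructed sample of such records in a simplified five-field line format (a real deployment would pull the events from the Security log, for instance with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}`, and map the `IpAddress` and `LogonType` fields into the same shape). It raises one alert when a source accumulates enough failures inside a sliding window, and a second, more urgent one when that same source then logs on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the fields of Windows Security events 4625 (failed logon)
# and 4624 (successful logon): time, event id, logon type, source IP, account name.
# Logon type 10 is RemoteInteractive, i.e. an RDP session; type 2 is a local console logon.
SAMPLE_EVENTS = """\
2019-12-19T02:00:01 4625 10 203.0.113.7 administrator
2019-12-19T02:00:04 4625 10 203.0.113.7 admin
2019-12-19T02:00:07 4625 10 203.0.113.7 backup
2019-12-19T02:00:10 4625 10 203.0.113.7 sqlservice
2019-12-19T02:00:13 4625 10 203.0.113.7 helpdesk
2019-12-19T02:00:16 4625 10 203.0.113.7 backup
2019-12-19T02:00:40 4624 10 203.0.113.7 backup
2019-12-19T02:05:00 4625 10 198.51.100.20 jsmith
2019-12-19T02:05:09 4624 10 198.51.100.20 jsmith
2019-12-19T02:10:00 4625 2 10.0.0.5 kiosk
2019-12-19T02:10:01 4625 2 10.0.0.5 kiosk
2019-12-19T02:10:02 4625 2 10.0.0.5 kiosk
2019-12-19T02:10:03 4625 2 10.0.0.5 kiosk
2019-12-19T02:10:04 4625 2 10.0.0.5 kiosk
"""

FAILED_LOGON, SUCCESSFUL_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10


def parse_events(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id),
                       "logon_type": int(logon_type), "src": src, "user": user})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on `threshold` RDP logon failures from one source inside `window`, and again
    if that source then logs on successfully while failures are still inside the window."""
    alerts = []
    recent_failures = defaultdict(deque)   # source IP -> timestamps of failures inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue   # console and network logons are a different problem
        failures = recent_failures[ev["src"]]
        while failures and ev["time"] - failures[0] > window:
            failures.popleft()   # slide the window forward
        if ev["id"] == FAILED_LOGON:
            failures.append(ev["time"])
            if len(failures) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(failures), ev["time"]))
        elif ev["id"] == SUCCESSFUL_LOGON and ev["src"] in flagged and failures:
            # A success right after a burst of failures suggests the password was guessed
            alerts.append(("success-after-bruteforce", ev["src"], ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

In the sample, the single mistyped password from 198.51.100.20 never reaches the threshold and the console failures on 10.0.0.5 are ignored, so only 203.0.113.7 is reported: once at the fifth failure and once more when the `backup` account succeeds 24 seconds later. The threshold and window are assumptions; pick them from your own baseline of legitimate failures. Note that the strong-password, VPN and 2FA items above are what actually stop this attack; the detector only tells you it is happening.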
4. Managed service providers (MSPs) and RMM software
Cybercriminals frequently target managed service providers (MSPs) with phishing attacks and by exploiting the remote monitoring and management (RMM) software commonly used by MSPs.
A successful attack on an MSP can potentially enable cybercriminals to deploy ransomware to the MSP’s entire customer base and put immense pressure on the victim to pay the ransom. In August 2019, 22 towns in Texas were hit with ransomware that spread via MSP tools. Attackers demanded $2.5 million to unlock the encrypted files.
- Enable 2FA on RMM software.
- MSPs should be hyper-vigilant regarding phishing scams.
5. Malvertising
Malvertising (malicious advertising) is becoming an increasingly popular method of ransomware delivery.
Malvertising takes advantage of the same tools and infrastructures used to display legitimate ads on the web. Typically, attackers purchase ad space, which is linked to an exploit kit. The ad might be a provocative image, a message notification or an offer for free software.
When you click on the ad, the exploit kit scans your system for information about its software, operating system, browser details and more. If the exploit kit detects a vulnerability, it attempts to install ransomware on the user’s machine. Many major ransomware attacks spread through malvertising, including CryptoWall and Sodinokibi.
- Keep your operating system, applications and web browsers up to date.
- Disable plugins you don’t regularly use.
- Use an ad blocker. The Emsisoft lab team recommends uBlock Origin.
- Enable click-to-play plugins on your web browser, which prevents plugins such as Flash and Java from running automatically. A lot of malvertising relies on exploiting these plugins.
6. Drive-by downloads
A drive-by download is any download that occurs without your knowledge. Ransomware distributors make use of drive-by downloads by either hosting the malicious content on their own site or, more commonly, injecting it into legitimate websites by exploiting known vulnerabilities.
When you visit the infected website, the malicious content analyzes your device for specific vulnerabilities and automatically executes the ransomware in the background.
Unlike many other attack vectors, drive-by downloads don’t require any input from the user. You don’t have to click on anything, you don’t have to install anything and you don’t have to open a malicious attachment – visiting an infected website is all it takes to become infected.
- Always install the latest software security patches.
- Remove unnecessary browser plugins.
- Install an ad-blocker such as uBlock Origin.
7. Network propagation
While older strains of ransomware were only capable of encrypting the local machine they infected, more advanced variants have self-propagating mechanisms that allow them to move laterally to other devices on the network. Successful attacks can cripple entire organizations.
Some of the most devastating ransomware attacks in history featured self-propagation mechanisms, including WannaCry, Petya and SamSam.
- Segment your network and apply the principle of least privilege.
- Implement and maintain a reliable ransomware backup strategy.
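Segmentation and least privilege limit how far a self-propagating strain can reach, but the propagation itself is also visible on the network: a worm such as WannaCry, which spread over SMB (TCP port 445), produces a burst of connections from one host to many distinct neighbours, a pattern ordinary workstations rarely show. The detector below is an added example, not part of Emsisoft’s article or products. It assumes flow records in the four-field form constructed here (timestamp, source, destination, destination port) and alerts when one source contacts a threshold number of distinct hosts on port 445 within a short window; the threshold and window are assumptions to be set from a baseline of your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def build_sample_flows():
    """Constructed sample flow records (time, source, destination, destination port):
    ordinary file-server traffic plus one workstation sweeping its neighbours on 445."""
    base = datetime(2019, 12, 19, 9, 0, 0)
    lines = []
    for i in range(10):   # ten clients each talk to the file server: many sources, one destination
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.1.1.{100 + i} 10.1.1.5 445")
    for i in range(12):   # one host reaches twelve distinct neighbours on 445 within twelve seconds
        lines.append(f"{(base + timedelta(seconds=20 + i)).isoformat()} 10.1.1.23 10.1.1.{1 + i} 445")
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 10.1.1.23 192.0.2.10 443")  # unrelated web traffic
    return "\n".join(lines)


def parse_flows(text):
    """Turn the whitespace-separated sample lines into flow dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def detect_smb_fanout(flows, threshold=10, window=timedelta(seconds=30), port=SMB_PORT):
    """Alert when one source contacts `threshold` or more distinct hosts on `port` within `window`."""
    alerts = []
    recent = defaultdict(list)   # source -> [(time, destination)] on the watched port, inside the window
    flagged = set()
    for f in sorted(flows, key=lambda x: x["time"]):
        if f["dport"] != port:
            continue
        cutoff = f["time"] - window
        entries = [e for e in recent[f["src"]] if e[0] >= cutoff] + [(f["time"], f["dst"])]
        recent[f["src"]] = entries
        distinct = {dst for _, dst in entries}
        if len(distinct) >= threshold and f["src"] not in flagged:
            flagged.add(f["src"])
            alerts.append((f["src"], len(distinct), f["time"]))
    return alerts


if __name__ == "__main__":
    for src, count, when in detect_smb_fanout(parse_flows(build_sample_flows())):
        print(f"{when.isoformat()} {src} reached {count} distinct hosts on port {SMB_PORT}")
```

The ten clients talking to the file server are many sources to one destination and never trigger the check; the workstation 10.1.1.23 is reported the moment it reaches its tenth distinct neighbour. In a segmented network the same sweep would also show up as blocked flows at the segment boundary, which is the point of the first list item above.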
8. Pirated software
Ransomware is known to spread through pirated software. Some cracked software also comes bundled with adware, which may be hiding ransomware, as was the case in the recent STOP Djvu campaign (free decryptor available here). In addition, websites that host pirated software may be more susceptible to malvertising or drive-by downloads.
The use of pirated software may also indirectly increase the risk of ransomware infection. Typically, unlicensed software doesn’t receive official updates from the developer, which means users may miss out on critical security patches that can be exploited by attackers.
- Avoid using pirated software.
- Don’t visit websites that host pirated software, cracks, activators or key generators.
- Be careful of software deals that are too good to be true.
9. USB drives and portable computers
USB drives and portable computers are a common delivery vehicle for ransomware. Connecting an infected device can lead to ransomware encrypting the local machine and potentially spreading across the network.
Typically this is inadvertent – a member of staff unwittingly plugs in an infected USB drive, which encrypts their endpoint – but it can also be deliberate. For example, a few years ago, residents of Pakenham, a suburb in Melbourne, discovered unmarked USB drives in their mailboxes. The drives contained ransomware masquerading as a promotional offer from Netflix.
- Never plug unknown devices into your computer.
- Don’t plug your devices into shared public systems such as photo-printing kiosks and computers at Internet cafes.
- Businesses should implement and maintain robust BYOD security policies.
- Use reputable antivirus software that can scan and protect removable drives.
Ransomware spreads in many different ways. Some attack vectors such as malicious email attachments, phishing links and removable devices rely on human error, while others such as malvertising, drive-by downloads and network propagation are effective with no user input whatsoever.
Regardless of how ransomware propagates, there are many things you can do to reduce the risk of infection and mitigate the effects of an attack. Investing in proven antivirus software, maintaining backups and being cautious with your clicks can go a long way toward protecting your data and keeping your system safe from ransomware.