
Ransomware Attacks, 5 ways of errors


Information security should be part of the values and culture of every organization. Many organizations neglect security until an incident jolts them into action. That should not be the case. Employees must be persuaded, through behavior change, to become good stewards of information security. Organizations that are adept at getting everybody on board are more successful at keeping attackers at bay.

Based on my research, these are the five common ways businesses are targeted by ransomware attacks:

1) Email Attachments

Email is still the largest attack surface in organizations. Every organization relies on email for communication, so there should be a concerted effort to address email attacks holistically and strengthen email security. Many attacks start with a simple email attachment that executes malicious code and spreads a ransomware payload across the entire organization within minutes. Most of the time the attachment is a JavaScript file or a ZIP file. These file types are common email attachments and make it easy for attackers to introduce malicious code and execute an attack on the organization.

One effective way of preventing email-based ransomware attacks is to assess all inbound emails and identify the most common attachment types. For most organizations, these are Word documents and Excel files. If that is the case, all other attachment types should be blocked and handled on a case-by-case basis. Exceptions can still be made so that non-typical file types are handled differently when the need arises.
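The assess-then-allowlist approach above, as an added example (not code from the original article): it tallies attachment types over a constructed batch of inbound mail metadata, derives the allowlist from the most common ones, and blocks everything else except documented sender-to-recipient exceptions. The sample addresses and the exception table are assumptions.

```python
from collections import Counter
from pathlib import PurePosixPath

# Constructed inbound mail metadata: (sender, recipient, attachment name). Not real traffic.
INBOUND = [
    ("vendor@example.com", "ap@corp.example", "invoice_0231.xlsx"),
    ("hr@corp.example", "all@corp.example", "handbook.docx"),
    ("partner@example.net", "pm@corp.example", "proposal.docx"),
    ("unknown@example.org", "ap@corp.example", "scan.zip"),
    ("unknown@example.org", "ap@corp.example", "report.pdf.js"),
    ("vendor@example.com", "ap@corp.example", "statement.xlsx"),
    ("designer@agency.example", "marketing@corp.example", "logo.psd"),
]

# Documented exception (assumed): the design agency may send .psd files to marketing only.
EXCEPTIONS = {("designer@agency.example", "marketing@corp.example"): {".psd"}}


def attachment_ext(name):
    """Effective extension, lower-cased; 'report.pdf.js' is a .js file, not a PDF."""
    return PurePosixPath(name).suffix.lower()


def most_common_types(records, top_n=2):
    """Assessment step: which attachment types dominate inbound mail?"""
    counts = Counter(attachment_ext(name) for _, _, name in records)
    return [ext for ext, _ in counts.most_common(top_n)]


def decide(sender, recipient, name, allowlist, exceptions=EXCEPTIONS):
    """Policy step: allow the common types, honour narrow documented exceptions, block the rest."""
    ext = attachment_ext(name)
    if ext in allowlist:
        return "allow"
    if ext in exceptions.get((sender, recipient), set()):
        return "allow-exception"
    return "block"


def apply_policy(records):
    """Derive the allowlist from the assessment, then classify every attachment by name."""
    allowlist = set(most_common_types(records))
    return {name: decide(s, r, name, allowlist) for s, r, name in records}
```

In practice the allowlist is derived from a baseline period and then applied to new mail; here one batch serves both steps for brevity.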

2) External Facing Assets

There are two types of external-facing assets: intended and unintended. Specific services such as Remote Desktop Protocol (RDP) and Server Message Block (SMB) are particularly vulnerable to attack. Both intended and unintended assets are targeted through existing vulnerabilities and brute-force attacks. The unintended assets present the biggest problem for security teams, since they are not supposed to be exposed at all. Businesses must fully understand their external-facing infrastructure and have measures in place that help identify infrastructure changes or suspicious activity.

The ideal scenario is to use a third party to verify all of the organization's external-facing assets. Solutions also exist to help in-house teams enumerate every asset that appears in the organization's public IP space. This information should be collected and reviewed regularly to keep track of changes. Institute measures to ensure that accounts with numerous failed login attempts are locked out. The most critical accounts to protect are service accounts, which typically have more privileges than end-user accounts. Service accounts also often carry back-end configurations that auto-reset failed login attempts or disable lockout policies that might otherwise disrupt business operations.
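The lockout logic described above, as an added example (not code from the original article): it runs a sliding-window failed-login count over constructed authentication events from an exposed RDP host, locks out end-user accounts that cross the threshold, and raises an alert instead for service accounts, which the passage notes are usually exempt from lockout. The threshold, window, account names and the service-account list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                        # failed logins that trigger action (assumed)
WINDOW = timedelta(minutes=10)       # sliding window (assumed)
SERVICE_ACCOUNTS = {"svc_backup"}    # assumed list of privileged service accounts


def burst(account, start, n, step_s):
    """Build n consecutive failed-login events for `account`, step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), account, "fail")
            for i in range(n)]


# Constructed authentication events from an internet-facing RDP host: (time, account, result).
EVENTS = (
    burst("alice", "2024-01-10T08:00:00", 6, 8)
    + burst("svc_backup", "2024-01-10T08:02:00", 7, 3)
    + [("2024-01-10T08:30:00", "bob", "fail"),
       ("2024-01-10T08:31:00", "bob", "success")]
)


def failures_in_window(events, threshold=THRESHOLD, window=WINDOW):
    """Map account -> peak number of failed logins inside any sliding `window`,
    for accounts whose peak reached `threshold`."""
    by_account = defaultdict(list)
    for ts, account, result in events:
        if result == "fail":
            by_account[account].append(datetime.fromisoformat(ts))
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def recommend(events):
    """End-user accounts are locked out; service accounts, usually exempt from lockout
    so that operations are not disrupted, are alerted on and investigated (assumed policy)."""
    actions = {}
    for account, count in failures_in_window(events).items():
        action = "alert-and-investigate" if account in SERVICE_ACCOUNTS else "lock-out"
        actions[account] = (action, count)
    return actions
```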

3) Process Injection

Process injection entails arbitrary code execution: malicious actors inject arbitrary code into normally running processes. For example, TrickBot injects into the legitimate svchost.exe to run arbitrary code and ultimately take control of a business environment. Process injection relies on stealth to mask attacks and make them difficult to detect, so much so that you may not see any malicious process when reviewing the processes currently running on a host. What injected code can do is entirely dependent on the user context in which the host process is running.

A legitimate executable running under a signed-in user is different from one running under a system administrator account. The solution is to remove as many administrative rights from end users as possible. Reducing administrator access brings down the success rate of arbitrary code execution. When an endpoint is compromised or shows suspicious activity, work to identify legitimate executables that may be performing abnormal actions. Using the svchost.exe example, check whether the process establishes a connection to a remote IP address without any command-line arguments.
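The svchost.exe check described above, as an added example (not code from the original article): it runs over constructed process telemetry and flags any svchost.exe instance that has no command-line arguments yet holds a remote connection, recording the user context the process runs in. The unexpected-parent note is an extra heuristic added here, and the record fields and sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProcessRecord:
    """Constructed endpoint telemetry for one process (not real host data)."""
    pid: int
    image: str
    command_line: str
    parent_image: str
    remote_ips: list = field(default_factory=list)
    user: str = "CORP\\jdoe"     # user context the process runs in (assumed field)


# Constructed sample: one legitimate service host, one that matches the page's heuristic.
PROCESSES = [
    ProcessRecord(812, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                  r"C:\Windows\System32\services.exe", ["10.0.0.5"], "NT AUTHORITY\\SYSTEM"),
    ProcessRecord(4120, r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe",
                  r"C:\Users\jdoe\AppData\Local\Temp\update.exe", ["203.0.113.7"]),
    ProcessRecord(5555, r"C:\Program Files\Browser\browser.exe",
                  r"C:\Program Files\Browser\browser.exe --profile=1",
                  r"C:\Windows\explorer.exe", ["203.0.113.9"]),
]


def has_remote_connection(rec):
    """True if the process talks to any address other than loopback."""
    return any(not ipaddress.ip_address(ip).is_loopback for ip in rec.remote_ips)


def svchost_findings(procs):
    """Flag svchost.exe with no command-line arguments that holds a remote connection.
    Splitting on whitespace is enough here because the svchost path has no spaces."""
    findings = []
    for rec in procs:
        if not rec.image.lower().endswith("\\svchost.exe"):
            continue
        no_args = len(rec.command_line.split()) == 1
        if not (no_args and has_remote_connection(rec)):
            continue
        reasons = ["svchost.exe launched with no command-line arguments",
                   "remote connection to " + ", ".join(rec.remote_ips)]
        if not rec.parent_image.lower().endswith("\\services.exe"):
            reasons.append("unexpected parent " + rec.parent_image)  # extra heuristic
        findings.append((rec.pid, rec.user, reasons))
    return findings
```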


4) Inventory Asset Management

A big challenge for incident responders is that they have to fully understand how incidents affect core business operations, in addition to having the required technical skills and keeping abreast of the latest tactics used by malicious actors. Small businesses have small IT security teams or none at all, whereas large corporations have to deal with numerous assets and more infrastructure. During incident response, visibility into more of the infrastructure provides more opportunity to detect abnormalities. Attackers gain the upper hand wherever an asset is not correctly monitored by the security team.

Repeated damage has occurred where environments recovered from a ransomware attack only to be compromised a second time because preventive policies were not applied to all endpoints. In some instances, security teams were unaware that the endpoints existed, and malicious actors compromised them. Asset inventory management calls for organizations to be relentless in understanding their environments and all their assets. Security teams can use inventory management software or built-in tools such as PowerShell to regularly collect information and ascertain the status of every asset. Inventory management is a never-ending process characterized by continual learning and tracking of changes.
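A reconciliation of the kind the passage calls for, as an added example (not code from the original article): the authoritative inventory is compared with hosts actually observed on the network and with the set of hosts where the preventive policy is confirmed, surfacing endpoints nobody knew about and endpoints the policy never reached. Hostnames, addresses and the policy-coverage set are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    ip: str


# Constructed data, not real hosts. In practice INVENTORY comes from the asset register
# and OBSERVED from PowerShell, endpoint-agent or network-scan output collected on a schedule.
INVENTORY = {
    Endpoint("ws-001", "10.0.1.10"), Endpoint("ws-002", "10.0.1.11"),
    Endpoint("srv-db1", "10.0.2.5"), Endpoint("ws-old", "10.0.1.99"),
}
OBSERVED = {
    Endpoint("ws-001", "10.0.1.10"), Endpoint("ws-002", "10.0.1.11"),
    Endpoint("srv-db1", "10.0.2.5"), Endpoint("lab-pc7", "10.0.1.150"),
}
# Hosts on which the preventive policy (e.g. attachment blocking, endpoint agent) is confirmed.
POLICY_APPLIED = {"ws-001", "srv-db1"}


def reconcile(inventory, observed, policy_applied):
    """Three findings the text warns about: live hosts missing from the inventory,
    inventoried hosts no longer seen, and live hosts the policy never reached."""
    unknown = sorted(e.hostname for e in observed - inventory)
    missing = sorted(e.hostname for e in inventory - observed)
    uncovered = sorted(e.hostname for e in observed if e.hostname not in policy_applied)
    return {"unknown": unknown, "missing": missing, "uncovered": uncovered}
```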

5) User/Human Error

Human error is the weak point for organizations even when they have the best security team assembled and the best security tools in place. Many attacks start with an employee opening an email attachment and allowing actors to gain access. Even the most diligent employees still fall for phishing attacks. Beware of devices that are unaccounted for but are used to connect to your organization's network. These devices and apps increase the attack surface exploited by malicious actors. The security team must keep track of all external-facing assets and put in place policies that govern the use of personal devices on the organization's network. Human error can be minimized through policies and procedures, software, and security awareness training. Organizations that view end users as part of their security assets will fare better in the fight against malicious actors.

The solutions? Prevention, training, and the right working habits.

