Ok, so you know what ransomware is, but how do criminals actually pull it off? In this article, I will explain the common ways criminals carry out a ransomware attack, from getting a foothold in the network to applying pressure on the victim.
1. Phishing: Phishing is when a criminal sends an email that appears to come from someone the victim trusts (usually a well-known company) and that carries a malicious attachment or link. The sender address may be spoofed, it may belong to a compromised account at a real company, or it may simply be a free Gmail or Hotmail address with a convincing display name and a malicious link in the message body. Holiday sales, tax deadlines and bank notices are popular pretexts. The link does not have to deliver malware directly: it can lead to a lookalike website that hosts the download, which looks less suspicious and gets past some mail filters. A lot of criminals use this method because it is cheap and reliable; it only needs one recipient to click.
2. Brute force attacks: Criminals scan the internet for services exposed to the outside, such as RDP on TCP port 3389 or a VPN portal, and point an automated tool at the login. The tool tries usernames and passwords by trial and error until a combination works (offline, the same tools are run against stolen password hashes). Brute forcing is often preceded by user enumeration, which tells the attacker which account names exist so the guessing can be aimed at real users. It also comes in two related forms: password spraying tries a few common passwords against many accounts to stay under lockout limits, and credential stuffing replays username and password pairs that leaked from an unrelated website breach and were bought on the dark web, relying on the fact that people reuse passwords. Whatever the form, the result is a valid login that looks like a normal remote user.
3. Session hijacking: After a user logs in, the application identifies them by a session ID, usually a cookie or bearer token sent with every request. An attacker who obtains that ID (by stealing it from the browser with malware, intercepting it on the network, or tricking the user into handing it over) can present it to the server and be treated as that user, without ever knowing the password. Because the session is created after the login is complete, a stolen session token also sidesteps multifactor authentication: the MFA check already happened when the token was issued, so session tokens captured this way have been used to sign in as legitimate users.
4. Software vulnerabilities: Software vulnerabilities are weaknesses in applications or devices that let a criminal break into a system and everything it can reach. They are not limited to web servers: the recent Palo Alto Networks vulnerability CVE-2024-3400 was a command injection in the GlobalProtect feature of PAN-OS that allowed an unauthenticated attacker to run code as root on the firewall itself, the very device meant to keep attackers out. Criminals scan companies' internet-facing software and compare versions against known flaws, and they also look for weak integrations, misconfigurations, and backups accidentally exposed online.
5. DDoS attack: A DDoS attack floods a server with traffic so that legitimate users cannot reach the online service, and criminals then demand a ransom to stop it or run it alongside an encryption attack to add pressure. The target can also be the border router that carries traffic into the company's network: overwhelm it and nothing can be routed in or out. The attack does not have to be a flood, either. Applications can only hold a limited number of open sessions or connections at once, so a threat actor who opens enough of them and keeps them alive can stop everyone else from signing in.
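For item 1, phishing, the check a mail filter or an analyst most often wants is a look at the links themselves: does the visible text say one site while the href goes to another, does the host borrow a brand name without belonging to the brand's domain, is it a raw IP or plain http? The following Python is an added example written for this article, not code from the original post or from any vendor; the email body, the trusted domain `example-bank.com` and the brand keyword are constructed assumptions for the demo.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the organisation considers legitimate for this demo (assumption).
TRUSTED_DOMAIN = "example-bank.com"
BRAND = "example-bank"

# Constructed phishing-style email body; not a real message.
SAMPLE_EMAIL = """
<p>Your account is on hold. Confirm your details at
<a href="http://example-bank.com.verify-login.net/reset">https://example-bank.com/secure</a></p>
<p>Download your statement <a href="https://example-bank.com/statements">here</a>.</p>
<p>Or view a copy at <a href="http://203.0.113.9/statement.pdf">our portal</a>.</p>
"""

# Visible anchor text that itself looks like a URL or bare domain.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url):
    """Lowercase host of an http(s) URL, or None if it is not one."""
    try:
        parsed = urlparse(url.strip())
    except ValueError:
        return None
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return [(href, reasons)] for links that show classic phishing signs."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if host is None:
            findings.append((href, ["not an http(s) link"]))
            continue
        reasons = []
        # 1. Visible text looks like a URL but the link goes to a different site.
        if URL_LIKE.match(text):
            shown = host_of(text if text.lower().startswith("http") else "http://" + text)
            if shown and not same_site(host, shown):
                reasons.append("text shows %s but link goes to %s" % (shown, host))
        # 2. Host borrows the brand name without belonging to the brand's domain.
        if BRAND in host and not same_site(host, TRUSTED_DOMAIN):
            reasons.append("lookalike of " + TRUSTED_DOMAIN)
        # 3. Raw IP address or unencrypted transport.
        if is_ip(host):
            reasons.append("raw IP address")
        if urlparse(href.strip()).scheme == "http":
            reasons.append("plain http")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The first link in the sample trips all three checks (display text says `example-bank.com`, the real host is `example-bank.com.verify-login.net`, and it is plain http), the genuine statement link passes, and the raw-IP link is flagged on its own. In production the brand list would come from your own domains and common targets, and the lookalike test would be widened to cover homoglyphs and typo domains, which this simple substring check does not catch.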
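For item 2, brute force attacks, the detection a SOC actually runs is a sliding window over failed logons per source address, with the distinct-account count used to tell a brute force against one account from spraying or stuffing across many, and a success following a burst of failures escalated first. The code below is an added example written for this article, not the original author's tooling; the log lines are a constructed, simplified RDP-style record (timestamp, source IP, account, outcome) and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed logon records in a simplified RDP/Windows style; not real logs.
# Fields: ISO timestamp, source IP, target account, outcome.
LOG_LINES = [
    "2024-05-01T10:00:01Z 198.51.100.7 administrator FAIL",
    "2024-05-01T10:00:02Z 198.51.100.7 administrator FAIL",
    "2024-05-01T10:00:03Z 198.51.100.7 administrator FAIL",
    "2024-05-01T10:00:04Z 198.51.100.7 administrator FAIL",
    "2024-05-01T10:00:05Z 198.51.100.7 administrator FAIL",
    "2024-05-01T10:00:06Z 198.51.100.7 administrator FAIL",
    "2024-05-01T10:00:09Z 198.51.100.7 administrator SUCCESS",
    "2024-05-01T10:01:00Z 203.0.113.44 alice FAIL",
    "2024-05-01T10:01:08Z 203.0.113.44 bob FAIL",
    "2024-05-01T10:01:16Z 203.0.113.44 carol FAIL",
    "2024-05-01T10:01:24Z 203.0.113.44 dave FAIL",
    "2024-05-01T10:01:32Z 203.0.113.44 erin FAIL",
    "2024-05-01T10:01:40Z 203.0.113.44 frank FAIL",
    "2024-05-01T10:02:00Z 192.0.2.10 grace FAIL",
    "2024-05-01T10:02:20Z 192.0.2.10 grace SUCCESS",
]

# Thresholds are assumptions for the demo; tune them to your own baseline.
FAIL_THRESHOLD = 5      # failures inside the window that raise an alert
WINDOW_SECONDS = 60     # sliding window length
SPRAY_MIN_USERS = 5     # distinct accounts from one source => spraying/stuffing


def parse(line):
    ts, ip, user, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user.lower(), outcome


def detect(lines):
    """Sliding-window count of failed logons per source IP.

    Returns alert dicts for (a) a burst of failures, classified as brute force
    against few accounts or spraying/stuffing across many, and (b) a success
    that follows such a burst, which is the one to escalate first."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    alerted = set()
    alerts = []
    for when, ip, user, outcome in map(parse, lines):
        q = recent[ip]
        while q and (when - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                       # drop failures outside the window
        if outcome == "FAIL":
            q.append((when, user))
            if len(q) >= FAIL_THRESHOLD and ip not in alerted:
                users = sorted({u for _, u in q})
                kind = "spraying/stuffing" if len(users) >= SPRAY_MIN_USERS else "brute force"
                alerts.append({"ip": ip, "kind": kind, "failures": len(q), "users": users})
                alerted.add(ip)               # one burst alert per source per window
        elif outcome == "SUCCESS":
            if len(q) >= FAIL_THRESHOLD:
                alerts.append({"ip": ip, "kind": "success after failures",
                               "failures": len(q), "users": [user]})
            q.clear()                         # a success resets the window
            alerted.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the sample, `198.51.100.7` raises a brute force alert at the fifth failure and a second, higher-priority alert when the administrator logon succeeds afterwards; `203.0.113.44` is classified as spraying/stuffing because its five failures span five different accounts; `192.0.2.10`, a user who mistyped once, raises nothing. The same logic maps directly onto Windows Event ID 4625/4624 or sshd auth.log once the parse function is swapped for the real format.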
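For item 3, session hijacking, the point worth seeing in code is that a session ID issued after MFA is a bearer credential: whoever holds it is the user, and the MFA step is never consulted again. The Python below is an added example written for this article, not code from the original post or from any real application. It contrasts a weak session store with one that enforces an absolute lifetime and binds the session to client attributes; the client fingerprint (user agent plus source IP) and the 900-second lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table. hardened=False reproduces the weak pattern:
    whoever presents a valid session ID is treated as the user, indefinitely."""

    def __init__(self, hardened, max_age=900, clock=time.time):
        self.hardened = hardened
        self.max_age = max_age          # absolute lifetime in seconds
        self.clock = clock              # injectable so the demo can move time
        self._sessions = {}

    @staticmethod
    def _fingerprint(client):
        # Attributes the server can observe about the caller (assumption for
        # the demo: user agent plus source IP).
        raw = client["user_agent"] + "|" + client["ip"]
        return hashlib.sha256(raw.encode()).hexdigest()

    def login(self, user, mfa_ok, client):
        """Issue a session only after password *and* MFA succeeded."""
        if not mfa_ok:
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "issued": self.clock(),
            "fp": self._fingerprint(client),
        }
        return sid

    def resolve(self, sid, client):
        """Map a presented session ID to a user, or None if it is not accepted."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.hardened:
            if self.clock() - session["issued"] > self.max_age:
                del self._sessions[sid]          # expired: force a fresh login + MFA
                return None
            if not hmac.compare_digest(session["fp"], self._fingerprint(client)):
                return None                      # token presented from a different client
        return session["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def demo():
    victim = {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"}
    attacker = {"ip": "203.0.113.9", "user_agent": "python-requests/2.31"}
    results = {}

    # Weak store: the stolen ID alone is enough; MFA never comes into it again.
    weak = SessionStore(hardened=False)
    sid = weak.login("alice", mfa_ok=True, client=victim)
    results["weak_replay"] = weak.resolve(sid, attacker)

    # Hardened store with a fake clock so expiry can be shown.
    now = [1_000_000.0]
    strong = SessionStore(hardened=True, max_age=900, clock=lambda: now[0])
    sid = strong.login("alice", mfa_ok=True, client=victim)
    results["strong_owner"] = strong.resolve(sid, victim)
    results["strong_replay"] = strong.resolve(sid, attacker)
    now[0] += 901
    results["strong_expired"] = strong.resolve(sid, victim)
    return results


if __name__ == "__main__":
    print(demo())
```

The weak store resolves the stolen ID to `alice` from the attacker's machine; the hardened store refuses it from a different client and refuses even the owner once the lifetime has passed. Binding to IP address breaks legitimate users on mobile networks and behind changing NAT, so in practice the binding is paired with short lifetimes, `Secure`/`HttpOnly` cookie flags, and a fresh MFA prompt before sensitive actions rather than relied on alone.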
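For item 4, the "exposed backups online" and misconfiguration part is something a defender can check from the inside before a criminal's scanner finds it: walk the web document root and list anything that should never be fetchable, such as archives, database dumps, `.env` files and version-control metadata. The code below is an added example written for this article, not the original author's tool; the file name patterns are an assumption to extend with your own, and the document root it scans is a constructed temporary directory.

```python
import os
import re
import tempfile

# Name patterns that commonly mark backups, dumps or secrets (assumption;
# extend with whatever your own deployment tooling produces).
RISKY_PATTERNS = [
    (re.compile(r"\.(bak|old|orig|swp|sql|sql\.gz|tar|tar\.gz|tgz|zip)$", re.I), "backup/archive"),
    (re.compile(r"^(\.env|\.htpasswd|web\.config)$", re.I), "secret/config"),
]
RISKY_DIRS = {".git", ".svn"}


def scan_webroot(root):
    """Walk a document root and return sorted (relative path, reason) pairs for
    files an outsider should never be able to fetch."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):
            if d in RISKY_DIRS:
                findings.append((os.path.normpath(os.path.join(rel_dir, d)) + "/", "VCS metadata"))
                dirnames.remove(d)          # no need to descend into it
        for name in filenames:
            for pattern, reason in RISKY_PATTERNS:
                if pattern.search(name):
                    findings.append((os.path.normpath(os.path.join(rel_dir, name)), reason))
                    break
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed document root to scan and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": "<h1>ok</h1>",
        "app.js": "console.log(1)",
        "backup/site-2024-05.tar.gz": "",
        "db/customers.sql": "-- dump",
        ".env": "DB_PASSWORD=hunter2",
        "wp-config.php.bak": "<?php",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reason in scan_webroot(build_demo_webroot()):
        print("%-32s %s" % (path, reason))
```

The sample root yields five findings (the `.env`, the `.git/` directory, the tarball, the SQL dump and the `.bak` of the WordPress config) and ignores the real site files. Run it against the directory the web server actually serves, not a copy, and pair it with the outside view: a request for each flagged path through the public URL confirms whether the server really hands it out.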
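For item 5, the session-exhaustion variant is easiest to understand with a small model of the server's connection table: a global cap alone lets one source take every slot, while a per-source cap plus an idle reaper keeps room for everyone else. The Python below is an added example written for this article, not code from the original post or from any real server; the caps and the 30-second idle timeout are assumptions for the demo.

```python
import itertools


class ConnectionTable:
    """Tracks open sessions the way a server's accept loop or login handler
    might. max_per_source=None reproduces the unprotected case."""

    def __init__(self, max_total, max_per_source=None, idle_timeout=30):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self.idle_timeout = idle_timeout
        self._open = {}                 # conn_id -> (source, last_activity)
        self._ids = itertools.count(1)

    def count_for(self, source):
        return sum(1 for src, _ in self._open.values() if src == source)

    def open(self, source, now):
        """Try to admit a new session from `source`; return its id or None."""
        self.reap(now)
        if len(self._open) >= self.max_total:
            return None
        if self.max_per_source is not None and self.count_for(source) >= self.max_per_source:
            return None
        cid = next(self._ids)
        self._open[cid] = (source, now)
        return cid

    def touch(self, cid, now):
        """Record activity on a session so the reaper leaves it alone."""
        if cid in self._open:
            self._open[cid] = (self._open[cid][0], now)

    def reap(self, now):
        """Drop sessions idle longer than idle_timeout; return how many."""
        stale = [cid for cid, (_, last) in self._open.items() if now - last > self.idle_timeout]
        for cid in stale:
            del self._open[cid]
        return len(stale)


def demo():
    attacker, user = "203.0.113.9", "198.51.100.7"
    results = {}

    # Unprotected: one source can take every slot, so the real user is refused.
    weak = ConnectionTable(max_total=100)
    opened = [weak.open(attacker, now=0) for _ in range(100)]
    results["weak_attacker_slots"] = sum(1 for c in opened if c is not None)
    results["weak_user_admitted"] = weak.open(user, now=1) is not None

    # Protected: a per-source cap leaves room for everyone else.
    strong = ConnectionTable(max_total=100, max_per_source=10)
    opened = [strong.open(attacker, now=0) for _ in range(100)]
    results["strong_attacker_slots"] = sum(1 for c in opened if c is not None)
    results["strong_user_admitted"] = strong.open(user, now=1) is not None

    # Idle reaping frees the slots an attacker opened and then left silent.
    results["reaped_after_timeout"] = strong.reap(now=31)
    return results


if __name__ == "__main__":
    print(demo())
```

Without the per-source cap the attacker holds all 100 slots and the legitimate user is turned away; with it the attacker gets 10 and the user gets in, and the reaper later reclaims the attacker's idle sessions. A determined attacker defeats the idle timeout by sending a keep-alive on each session, which is exactly why the per-source limit (or per-source rate limiting at the load balancer) is the control that matters, not the timeout alone.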
Every company has an externally visible attack surface, the set of systems and services an outsider can reach, and knowing what it looks like (a view sometimes sold as attack surface intelligence) is the first step to reducing it. A smaller, more resilient attack surface makes each of the attacks above less likely to succeed. Ransomware has a deep negative impact on an organization, and the feeling of being held hostage is psychologically draining and kills productivity.