How Ransomware Infections Take Place

If cybersecurity consultants and IT admins have learned anything from the current threat environment, it’s that ransomware will continue to be a pervasive and dangerous threat to individual users, enterprises and organizations at large.

When they first emerged, these infections were unlike anything that tech experts had ever seen, combining strong encryption and blackmail tactics to force victims into payment. But, as past cases have shown, even sending Bitcoin to perpetrators doesn’t guarantee that access to important data and platforms will be restored.

According to Trend Micro’s report, Unseen Threats, Imminent Losses, there has only been a slight increase in ransomware detection so far in 2018. However, this doesn’t make ransomware any less of a threat to enterprise security.

Decrease in ransomware families

In the recent past, it seemed like a new ransomware family was emerging on a near-daily basis. New samples – many of which came with interesting and even catchy names – and particularly the different ways in which the ransomware was being served up made it difficult to put proactive protection in place.

Thankfully, Trend Micro researchers identified a 26 percent decrease in new ransomware families during the first half of 2018. In addition, there was only a 3 percent increase in detected ransomware activity overall.

And while this may sound like good news, the level of ransomware activity taking place overall is still high, and this infection strategy remains a favorite among malicious attackers who keep a trained focus on the considerable profits that can result from ransomware delivery.

“Though its prevalence in the cybersecurity landscape has plateaued, ransomware is still something that enterprises should be vigilant against,” Trend Micro stated in its Unseen Threats, Imminent Losses report. “But this change of pace is likely due to the increased attention on ransomware and the resulting improvements in prevention and mitigation methods.”

One of the first steps organizations can take to help bolster their prevention and protection efforts is to understand the different ways ransomware samples are delivered, and how these strategies lead to successful infections. By being aware of and guarding specifically against the top ransomware delivery methods, organizations can reduce the chances that they’ll be impacted by this threat.

As Trend Micro’s TrendLabs noted in a separate report, Ransomware: Past, Present and Future, samples can be delivered in a number of ways, including through spam and phishing campaigns, compromised websites and webpages, as well as exploit kits. We’ll take a closer look at recent examples of each type.

Despite a drop in ransomware families in early 2018, attacks remain prevalent across all business sizes and industries.

GandCrab: Phishing campaign serves up thousands of malicious spam messages daily

A popular delivery method includes phishing campaigns and connected spam email messages, which often hinge upon social engineering and other strategies to trick users into opening an infected email, link or downloadable attachment.

As ZDNet’s Danny Palmer reported, this approach was used in connection with a recent ransomware phishing campaign, which attempted to infect users with the GandCrab ransomware sample. GandCrab was first identified in January 2018, and security researchers have seen several subsequent updates on the part of ransomware creators to boost potential ransom profits.

This recent phishing campaign centered on GandCrab uses phishing email messages that mention attention-grabbing subjects such as payments, invoices, tickets and orders, and includes a JavaScript attachment that fetches and executes the ransomware from an infected URL. The email message directs readers to “open the attachment and reply as soon as possible,” and is signed “HTF Customer Support,” according to a screenshot from Fortinet.

Victims infected with GandCrab are routed to a Tor browser site, which demands $400 in ransom for the decryption key.

“Tens of thousands of GandCrab spam emails are being distributed each day, with mail servers hosted in the US by far the most common target, accounting for three quarters of deliveries,” Palmer wrote. “When it comes to successful infections, the US currently accounts for the fourth largest percentage of victims, behind Peru, Chile and India.”
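The lure described above (a script attachment plus payment/invoice/order wording and an “open the attachment and reply” request) is exactly what a mail-gateway triage rule can key on. The following is an added example, not code from the article, Trend Micro or Fortinet; the message it inspects is constructed, and the attachment body is an inert placeholder rather than any real payload.

```python
"""Mail-gateway triage rule modelled on the GandCrab lure described above.

Added example (not from the article or Trend Micro): flags inbound messages
whose attachment is a Windows script and whose text uses the campaign's
social-engineering lures. The sample message below is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows runs as scripts straight from a double-click
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Lure words named in the article (payment, invoice, ticket, order) plus the
# "open the attachment and reply" call to action
LURE_TERMS = ("payment", "invoice", "ticket", "order", "open the attachment")


def triage(raw_message: bytes) -> dict:
    """Return a verdict dict: script attachments found, lure hits, flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    script_attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Match on the final extension so "invoice.pdf.js" is still caught
        if any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            script_attachments.append(name)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part else ""
    text = ((msg["subject"] or "") + " " + body_text).lower()
    lure_hits = [term for term in LURE_TERMS if term in text]
    # A script attachment alone is enough to quarantine; lure hits raise priority
    return {
        "script_attachments": script_attachments,
        "lure_hits": lure_hits,
        "flagged": bool(script_attachments),
    }


def build_sample() -> bytes:
    """Constructed message mimicking the lure; the attachment body is inert."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Your order / invoice 2018-0412"
    msg.set_content("Please open the attachment and reply as soon as possible.\n\nHTF Customer Support")
    msg.add_attachment(b"// placeholder, not a real payload\n", maintype="application",
                       subtype="octet-stream", filename="Invoice_2018-0412.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The same rule run against a message with no attachment returns `flagged: False`, so it quarantines on the attachment type rather than on wording alone.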

Ransomware is a continuing problem in the enterprise threat landscape.

Guarding against ransomware

Let’s take a look at a few best practices enterprises should leverage in the proactive fight against malware infection:

  • Awareness and user education: As the GandCrab phishing and spam campaign, as well as the drive-by download case in Issaquah, show, awareness of ransomware tactics is imperative. User education should be a top priority, as users who understand the suspicious signals – as well as proper actions like not opening an email or attachment from an unknown sender – can represent a first line of defense against infection.
  • Timely patching and updating: GandCrab leverages common and previously patched system vulnerabilities to support its malicious infections. In these instances, proper patching could have helped prevent an attack. For this reason, it’s imperative that enterprises apply patches and updates as soon as possible after vendors release them.
  • Secure browsers: It’s especially imperative in the case of exploit kit-delivered ransomware that commonly used browsers are appropriately secured. Elements like infected websites, landing pages or malvertisements have proven successful for ransomware hackers in the past. Techniques like URL categorization, which can help filter out malicious websites and content, can be a beneficial, proactive protection practice.

To find out more about current ransomware samples, infection and delivery strategies, as well as top solutions for protection, connect with the experts at Trend Micro today.

The original blog appeared here.
