By Clare O’Gara
Tue | Aug 4, 2020 | 7:30 AM PDT

The digital world of ransomware, malware, and extortion is full of questions.

SecureWorld has some answers.

At our recent New York and Philadelphia virtual conference, cyber attorney Daniel Pepper addressed five major questions surrounding ransomware. Here is a summary.

What are the top ways cybercriminals gain access to a corporate network to launch ransomware?

  • Vulnerable ports that are left open on the internet
  • Phishing emails: threat actor groups have become very savvy at creating emails that look legitimate.
  • Social engineering is becoming a little less common; it describes threat actors who try to gain access to a system by convincing the victim to hand over credentials for that system.
  • Lastly, what has probably become the most common way ransomware is deployed: Remote Desktop Protocol (RDP) exploits.

What is the most common attack vector used in ransomware attacks?

Answer: RDP (Remote Desktop Protocol). According to Pepper:

"Generally, the threat actor will conduct port scanning and they'll brute force RDP credentials. And once the phishing of an email to the company occurs, the threat actor will gain access and control the machine, then brute force the RDP access from inside the network via that compromised machine. That's a very common way in which it happens. RDP credentials are very, very cheap, as little as three bucks for sale on the Dark Web."
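The brute-forcing Pepper describes leaves a trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, sometimes followed by a success (Event ID 4624). The detector below is an added example, not code from the presentation or from SecureWorld; it runs over constructed, simplified event records (the field layout is an assumption) and flags a source that fails more than a threshold of RDP logons inside a sliding window, escalating if that source then logs on successfully.

```python
"""Flag RDP brute-force attempts in simplified Windows Security log records.
Constructed record layout (assumption): (timestamp, event_id, logon_type, source_ip, user).
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # failed RDP logons from one source before alerting
WINDOW = timedelta(minutes=10)     # sliding window for counting failures

# Constructed sample records for the demo (not real log data).
SAMPLE_EVENTS = [
    ("2020-08-04 07:30:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2020-08-04 07:30:02", 4625, 10, "203.0.113.7", "admin"),
    ("2020-08-04 07:30:02", 4625, 10, "203.0.113.7", "backup"),
    ("2020-08-04 07:30:03", 4625, 10, "203.0.113.7", "jsmith"),
    ("2020-08-04 07:30:04", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2020-08-04 07:30:05", 4624, 10, "203.0.113.7", "svc_sql"),   # guess succeeded
    ("2020-08-04 07:31:00", 4625, 2,  "10.0.0.5",    "jsmith"),    # console typo, not RDP
    ("2020-08-04 08:00:00", 4625, 10, "198.51.100.9", "guest"),    # single failure, no alert
]

def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return (source_ip, kind) alerts; kind is 'bruteforce' or 'bruteforce_then_success'."""
    failures = defaultdict(deque)   # source_ip -> timestamps of failures inside the window
    alerts, alerted = [], set()     # emit each (source, kind) alert only once
    for ts, event_id, logon_type, src, _user in sorted(events):
        if logon_type != 10:        # only RemoteInteractive (RDP) logons are of interest
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = failures[src]
        while q and t - q[0] > window:   # expire failures older than the window
            q.popleft()
        if event_id == 4625:
            q.append(t)
            kind = "bruteforce" if len(q) >= threshold else None
        elif event_id == 4624 and len(q) >= threshold:
            kind = "bruteforce_then_success"   # success right after a burst of failures
        else:
            kind = None
        if kind and (src, kind) not in alerted:
            alerts.append((src, kind))
            alerted.add((src, kind))
    return alerts

if __name__ == "__main__":
    for src, kind in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {src}")
```

A success following a burst of failures is the higher-priority alert, since it is the point at which the attacker has working credentials rather than just an exposed port.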

How can end-users put your organization at risk of a ransomware attack?

"Threat actors will typically take advantage of compromised websites through different kinds of SQL injections or cross-site scripting. We have also seen situations where threat actors have posted some form of advertising or an offer for a free software download.

There was an organization that we worked with last year, where a user was looking for a particular coupon to her favorite grocery store. She saw what appeared to be a coupon, clicked, and ended up installing malware, which then led to a ransomware deployment across the entire organization and shut the entire organization down."

How do you see a ransomware attack spread across a network?

"It will start on a single computer, the files are encrypted. Generally, the ransomware will then move laterally through connected drives. It's generally done programmatically, automatically, and it'll move through as many networks as it can.

In many cases, it will use credentials that are gained through an effective domain controller, or through some other administrative account. This is an example of what we see quite frequently, what we're calling sort of the Triple Threat campaign.

Once they've gained access to the systems, they can poke around and see what they've got. There is a lot of sensitive information; they can oftentimes find out what the financial condition of the target is and then use that to their advantage. Once they are in the systems, they have control."

Should we pay the ransom or not pay the ransom?

"If you talk to law enforcement about ransomware and ask them whether or not you should pay the ransom, typically the FBI will tell you, 'Well, we don't advocate paying,' but they understand that businesses have to evaluate all their options to protect themselves. If there really are no other good options, they understand and they're not going to dissuade you necessarily from paying the ransom.

Most attackers are willing to negotiate. Certain organizations that negotiate with threat actors on a regular basis will know, based upon the ransomware variant and a particular threat actor group, what you can expect by way of negotiation. In some cases, you may be able to negotiate 80% off the demand. In some cases, you may have luck only negotiating maybe five or 10%.

It will depend upon the particular variant and depend upon how you communicate with the attackers. Again, they look at their organization as a business. They demand respect as a business, even though you're dealing with criminals."

Which questions should you ask after a ransomware attack?

As Pepper highlighted in his presentation at SecureWorld, a ransomware attack dumps an overwhelming number of questions on a victim.

Here are a few of the considerations facing impacted organizations, according to Pepper:

"Do we have backups? Have we tested them? How old are they? Can we restore from these backups? How long? Or how much will it cost us? If we're going to be down for a week or more? Is revenue going to be impacted? Is customer satisfaction going to be impacted? What data is encrypted? Is it critical? Is it sensitive? Is it personal information? If we've decided to pay, what do we do?"

That uncertainty can feel like a minefield.

But hopefully, by working through these questions before a successful ransomware attack, you can reduce both the risk of an attack and the risk you carry while responding to one.