Understanding how ransomware infects a device and spreads across a network is crucial to ensuring that your organisation does not become the next victim of an attack.
graphics (SVG) to load a file that bypasses traditional extension filters. Since SVG is based on XML, cybercriminals are able to embed any kind of content they please. Once accessed, the infected image file directs victims to a seemingly legitimate site. After loading, the victim is prompted to accept an install which, if completed, delivers the payload and then spreads to the victim's contacts to continue the impact.
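The defensive counterpart to the SVG trick above is to stop trusting the file extension and inspect the content: an SVG is an XML document, so an upload filter can parse it and reject anything that carries script, event handlers, embedded foreign documents or links out of the file. The following is an added example written for this article, not code from the magazine or any product it mentions; `scan_svg`, `classify_upload`, the allow-lists and the two sample files are constructed for illustration (the sample "active" SVG contains only a placeholder comment where a real lure would carry its redirect).

```python
import os
import xml.etree.ElementTree as ET

# Element names that turn an SVG "image" into an active document. For
# untrusted input in production, parse with defusedxml; the stdlib parser is
# used here only so the example runs without extra packages.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg"}


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def scan_svg(data: bytes) -> list[str]:
    """Return the reasons this SVG must not be served as a plain image."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        return [f"root element is <{local_name(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():  # depth-first, root included
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and not value.strip().startswith("#"):
                # Both plain href and xlink:href land here; only in-document
                # fragment references (#id) are allowed in an image.
                findings.append(f"external reference {value.strip()!r} on <{name}>")
    return findings


def classify_upload(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Extension allow-list first, then content sniffing: anything that is XML
    is scanned as SVG regardless of what the name claims."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXT:
        return "reject", [f"extension {ext or '(none)'} not allowed"]
    looks_like_xml = data.lstrip().startswith(b"<")
    if ext == ".svg" or looks_like_xml:
        findings = scan_svg(data)
        if ext != ".svg":
            findings.insert(0, f"content is XML but extension is {ext}")
        return ("reject", findings) if findings else ("accept", [])
    return "accept", []


# Constructed samples: a harmless icon and an "image" that behaves like a page.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* placeholder: a real lure carries its redirect or loader here */</script>
  <a xlink:href="https://login.example.invalid/"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    for name, blob in [("logo.svg", CLEAN_SVG), ("invoice.svg", ACTIVE_SVG),
                       ("photo.png", ACTIVE_SVG), ("setup.exe", b"MZ")]:
        print(name, classify_upload(name, blob))
```

The point of `classify_upload` is the second branch: a renamed SVG still reaches `scan_svg` because the decision is driven by the bytes, not the name.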
7. Brute force through RDP
Attackers use ransomware like SamSam to directly compromise endpoints using a brute force attack through Internet-facing Remote Desktop Protocol (RDP) servers. RDP enables IT admins to access and control a user's device remotely, but this also presents an opportunity for attackers to exploit it for malicious purposes. Hackers can search for vulnerable machines using tools like Shodan and port scanners like Nmap and Zenmap. Once target machines are identified, attackers may gain access by brute-forcing the password to log on as an administrator. A combination of default or weak password credentials and open source password-cracking tools such as Aircrack-ng, John The Ripper and DaveGrohl helps achieve this objective. Once logged on as a trusted admin, attackers have full command of the machine and are able to drop ransomware and encrypt data. They may also be able to disable endpoint protection, delete backups to increase the likelihood of payment, or pivot to achieve other objectives.
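The RDP brute force described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (event 4625) from one source, followed, if the guess succeeds, by a successful logon (event 4624) from the same source. The detector below is an added example written for this article, not code from the magazine or any product it names; the log lines are constructed (event fields reduced to a one-line-per-event format, TEST-NET addresses), and the function names, threshold and windows are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one line per Windows Security event, reduced to the fields
# that matter. 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-05-01T02:13:01Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:13:03Z EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2024-05-01T02:13:04Z EventID=4625 LogonType=3 User=svc_backup Src=198.51.100.7
2024-05-01T02:13:06Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:13:08Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:13:11Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:13:40Z EventID=4624 LogonType=10 User=administrator Src=203.0.113.45
2024-05-01T02:20:00Z EventID=4625 LogonType=10 User=jsmith Src=192.0.2.9
2024-05-01T02:25:00Z EventID=4624 LogonType=10 User=jsmith Src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_event(line: str):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "user": m["user"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(seconds=60),
                          success_window: timedelta = timedelta(minutes=10)):
    """Sliding-window count of RDP logon failures per source address.

    Emits ("rdp_bruteforce", src, count) once a source reaches `threshold`
    failures inside `window`, and ("rdp_bruteforce_success", src, user) if
    that source then logs on successfully within `success_window`.
    Note: with Network Level Authentication enabled, failed RDP attempts are
    often recorded with LogonType 3 instead, so a production rule widens
    the LogonType filter below.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}                   # src -> time the burst was reported
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["lt"] != 10:
            continue
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["eid"] == 4625:
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append(("rdp_bruteforce", src, len(q)))
        elif ev["eid"] == 4624:
            if src in flagged and ts - flagged[src] <= success_window:
                alerts.append(("rdp_bruteforce_success", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth paging on: a burst alone may be noise from a misconfigured client, but a success from a source that was just guessing is the moment before the "trusted admin" actions the article lists.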
Conclusion
Ransomware continues to evolve, with Ransomware-as-a-Service now growing in popularity. Malware authors sell custom-built ransomware to cybercriminals in exchange for a percentage of the profit. The buyer of the service decides on the targets and the delivery methods. This division of labour and risk is leading to increasingly targeted malware, innovation in delivery methods and ultimately a higher frequency of ransomware attacks.
Along with the threat of extortion through data leakage, these recent trends make it vital for organisations to invest in securing endpoints and networks and in preventing breaches from occurring in the first place, through AI-powered behavioural detection engines that rely on neither reputation nor cloud connectivity.
Issue 29 | www.intelligentciso.com