Email phishing attacks and brute force attacks against exposed remote desktop protocol (RDP) services are the most common methods cyber criminals are using to gain an initial foothold in corporate networks to lay the foundations for ransomware attacks.
Cybersecurity researchers at Coveware analysed ransomware attacks during the second quarter of this year and have detailed how phishing attacks and RDP attacks are the most popular entry points for starting ransomware attacks. Part of the appeal for cyber criminals is that these are low-cost to carry out while also being effective.
Phishing attacks – where cyber criminals send emails containing a malicious attachment or direct victims towards a compromised website which delivers ransomware – have slightly grown in popularity over the last quarter, accounting for 42 percent of attacks.
Meanwhile, attacks against RDP services, where cyber criminals brute force weak or default usernames and passwords – or sometimes gain access to legitimate credentials via phishing emails – remain extremely popular with ransomware groups, also accounting for 42 percent of attacks.
Both phishing and RDP attacks remain effective as they’re relatively simple for cyber criminals to carry out but, if carried out successfully, can provide them with a gateway to a whole corporate network. Breaching RDP credentials is particularly useful, because it allows attackers to enter the network with legitimate logins, making malicious activity more difficult to detect.
Software vulnerabilities are in a distant third place as the most popular vector for breaching networks to deliver ransomware, accounting for 14 percent of attacks, but that doesn’t make them any less dangerous – especially as they’re often leveraged by some of the most sophisticated and disruptive ransomware gangs.
According to Coveware, Sodinokibi – also known as REvil – accounted for the highest percentage of ransomware attacks during the reporting period at 16.5 percent. REvil is responsible for some of the most high-profile ransomware attacks this year, including the massive ransomware attack on customers of Kaseya. In recent weeks, REvil’s infrastructure has mysteriously gone offline.
The second most prolific ransomware during the period was Conti, accounting for 14.4 percent of ransomware. One of the most high-profile attacks by the group was the attack against the Irish healthcare system. In the end, Conti provided the decryption key for free, but healthcare services across Ireland remained disrupted for months.
The third most prolific ransomware during the three months between April and June was Avaddon, a form of ransomware distributed via phishing emails, which accounted for 5.4 percent of attacks. In June, the group behind Avaddon announced they were shutting down and released a decryption key for the ransomware.
New forms of ransomware Mespinoza and Hello Kitty make up the rest of the top five – and it’s likely that with groups like REvil and Avaddon seemingly shutting down, new ransomware groups will attempt to replace them.
What all these ransomware groups have in common is how they exploit the likes of phishing attacks and weaknesses in RDP services to lay the foundation for attacks.
To help protect networks from being compromised organisations can apply multi-factor authentication across the network, something which can help stop intruders from breaching accounts.
It’s also recommended that organisations apply software updates and security patches when they are released in order to prevent attackers from exploiting known vulnerabilities to gain access to networks.
MORE ON CYBERSECURITY