
Ransomware Revealed: Top 4 Technologies Exploited by Threat Actors

Ramya Ragavan, April 22, 2025

Ransomware continues to be a leading cyber threat for organizations of all sizes, particularly small and midsize businesses (SMBs) with limited IT and security resources. The cost of these attacks can be devastating, with an average loss of $353,000 per incident.

Ransomware is a type of malicious software that encrypts a business’s data or systems, rendering them inaccessible until a ransom is paid to obtain a decryption key. Ransomware events can result in significant operational disruption and financial loss, regardless of whether a business chooses to pay a ransom demand, with costs including business interruption, forensic investigation, and data recovery.

However, these attacks aren’t particularly innovative. Most attackers follow a playbook of sorts: They exploit technologies that are highly common among SMBs and use the same tactics to get inside a network.

Below, we’ll explore the ransomware playbook and examine the technologies most frequently exploited in ransomware attacks. We'll also examine our blueprint of how SMBs can prioritize their riskiest security issues to reduce the likelihood of an attack.

Top 4 technologies exploited in ransomware attacks

An initial access vector (IAV) describes how attackers gain network access. Each IAV has two characteristics: the technology exploited (what was accessed) and the attack vector (how it was compromised).

Below are the top 4 technologies exploited in ransomware attacks.

1. Virtual private networks

Virtual private networks (VPNs) bridge the internet and a business’s primary network, allowing remote employees to conduct business from home or on the road. 

Attackers most commonly exploit VPNs using compromised credentials and software vulnerabilities. Compromised credentials follow from attackers’ unauthorized access to accounts or systems obtained through weak or reused passwords or insider threats. Attackers also exploit software vulnerabilities, such as bugs, weaknesses, and out-of-date or unpatched software, to gain access to the network or intercept data.

VPNs are the most commonly exploited type of technology in ransomware attacks.

2. Remote desktop software 

Remote desktop software gives remote users cursor-level control over a system without needing physical PC access. Support technicians often use this technology to resolve technical issues virtually. However, attackers can also use this software to move laterally within a business's network and deploy ransomware.

Like VPNs, remote desktop software is frequently exploited using vulnerabilities and compromised credentials. Threat actors often use social engineering tactics, like tech support scams, to steal logins and passwords to remote access technologies that are then used to conduct malicious activity.

Remote Desktop Protocol (RDP), developed and maintained by Microsoft, is the most commonly exploited type of remote desktop software, accounting for nearly 80% of ransomware incidents of this type. Leaving RDP open to the public internet creates a significant security risk because it exposes systems to unauthorized access, allowing threat actors to scan for open ports and launch attacks, potentially leading to data breaches, malware infections, and other cyber threats.
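The credential-guessing described above against internet-exposed RDP leaves a recognizable trail in Windows Security logs. The following is an added example, not code from the post or from Coalition: it flags source addresses that produce a burst of failed RemoteInteractive logons (Event 4625, LogonType 10) and notes whether a successful logon (4624) followed, which is the case a responder most needs to see. The log lines are constructed.

```python
# Added example (not from the post): detect password guessing against an
# internet-facing RDP host from constructed Windows Security log lines.
# Event 4625 = failed logon; 4624 = successful logon; LogonType 10 = RDP.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; timestamps, users and IPs are made up.
SAMPLE_LOG = """\
2025-04-22T02:14:01 EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2025-04-22T02:14:03 EventID=4625 LogonType=10 User=admin SourceIP=203.0.113.7
2025-04-22T02:14:04 EventID=4625 LogonType=10 User=backup SourceIP=203.0.113.7
2025-04-22T02:14:06 EventID=4625 LogonType=10 User=sqlsvc SourceIP=203.0.113.7
2025-04-22T02:14:09 EventID=4625 LogonType=10 User=jsmith SourceIP=203.0.113.7
2025-04-22T02:15:30 EventID=4624 LogonType=10 User=jsmith SourceIP=203.0.113.7
2025-04-22T09:01:10 EventID=4625 LogonType=10 User=mlee SourceIP=198.51.100.20
2025-04-22T09:04:12 EventID=4624 LogonType=10 User=mlee SourceIP=198.51.100.20
"""

def parse_line(line):
    """Turn 'ts key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for IPs with >= threshold failed RDP logons
    inside `window`; details record whether a success followed the burst."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        if e["LogonType"] == "10":          # only RDP (RemoteInteractive) logons
            by_ip[e["SourceIP"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["EventID"] == "4625")
        for i in range(len(fails)):       # sliding window over failure times
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                users = sorted({e["User"] for e in evs if e["EventID"] == "4625"})
                hit = any(e["EventID"] == "4624" and e["ts"] > fails[i] for e in evs)
                alerts[ip] = {"failures": j - i + 1, "users": users, "success_after": hit}
                break
    return alerts
```

A single user who mistypes a password a few times never reaches the threshold; a burst across many account names from one address, followed by a success, is the pattern worth paging on.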


3. Email  

Email is used in nearly every organization, enterprise, and SMB and is an essential productivity tool. Attackers deliver ransomware through email server vulnerabilities that arise from unpatched or out-of-date software, misconfigurations, and weak authentication practices that fail to verify users' identities properly. Each of these flaws creates an access opportunity for attackers.

Most ransomware attacks targeting email systems originate from social engineering. These include phishing emails that trick recipients into clicking on malicious attachments that install malware, con them into installing remote access technologies, and convince them to reveal their login credentials. When victims comply, these actions give attackers network access to deploy ransomware. 

4. Firewalls

Firewalls are the barrier between a private internal network and the internet and monitor and block traffic based on a defined set of security rules.

Although firewalls are designed for security, attackers can exploit them through software vulnerabilities, unpatched security flaws, and zero-day exploits. Any of these weaknesses can expose a firewall, allowing attackers to infiltrate the internal network and deploy a ransomware attack.

Why SMBs are at high risk

All organizations are at risk for technology exploits, but SMBs are especially vulnerable due to limited IT resources and a general lack of security expertise. 

Nearly 82% of ransomware attacks are on SMBs, and approximately 60% of SMBs fold within six months of a ransomware attack.

Additionally, SMBs often don’t have employee training on social engineering tactics. They may have exposed attack surfaces and unpatched vulnerabilities, leaving them at greater risk of ransomware attacks than enterprise organizations.


Consequences of ransomware attacks

Ransomware attack damage can devastate SMBs with limited financial, IT, operational, and other resources.

Financial impact is significant in any ransomware attack — the average loss is $353,000 per incident. The ransom payment is just one of many costs facing SMB attack victims.

Business revenue loss is also an issue during attack downtime and potential recovery costs for system repairs, legal fees, public relations efforts, cybersecurity expert assistance, or software upgrades. The financial impact of a ransomware attack can be so severe that it threatens an SMB's viability.

The average loss in a ransomware attack is $353,000, according to Coalition data.

Permanent data loss is a critical attack consequence if ransomware-encrypted data is not recovered and no backups exist. Data is often an SMB's most important asset, and losing vital and sensitive data, including customer data, financial records, and confidential business information, could impact the business's ability to recover fully.

If sensitive customer or business data is lost or stolen due to an attack, this could also lead to legal issues. SMBs would need to report the incident to regulatory authorities, notify affected individuals, and face any potential legal action from employees, customers, or others affected by the attack. Non-compliance in reporting could result in fines.

Lack of regulatory compliance can also be a consequence of a ransomware attack. SMBs must follow specific data protection and privacy compliance rules, such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). If sensitive customer, employee, or other third-party data is compromised, this may result in non-compliance, which can result in fines and other penalties. 

Finally, an SMB’s reputation may suffer after a ransomware attack. Current business can stall due to financial and operational issues, and reputational damage may affect both present and future business. Brand image often declines if customers lose confidence in the company’s ability to protect their data.

How your business can protect against ransomware attacks

You can protect your SMB against ransomware attacks by monitoring your attack surface to address the potential technology exploit risks.

Take a cue from attack surface management (ASM), a disciplined way to minimize your attack surface: a continuous process of discovering, monitoring, analyzing, and reducing potential risks in order to eliminate attack vectors. Monitor your attack surface for vulnerabilities and flaws.
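One concrete form of the prioritization the post recommends is a triage pass over an inventory of internet-facing services, weighted by the four technology categories the post ranks. The following is an added example, not Coalition's code or tooling: the inventory is constructed, and the weights (ranking order mapped to 4 through 1, plus bonuses for exposed RDP, unpatched software and missing MFA) are an assumption chosen to reflect the post's ordering, not a published scoring scheme.

```python
# Added example (not Coalition's code): minimal attack-surface triage over a
# constructed inventory, ranked by the post's top four exploited technologies.
from dataclasses import dataclass, field

# Constructed sample inventory; hostnames and attributes are made up.
INVENTORY = [
    {"host": "vpn.example.test", "tech": "vpn", "port": 443, "exposed": True, "patched": False, "mfa": False},
    {"host": "ts01.example.test", "tech": "rdp", "port": 3389, "exposed": True, "patched": True, "mfa": False},
    {"host": "mail.example.test", "tech": "email", "port": 25, "exposed": True, "patched": True, "mfa": True},
    {"host": "fw.example.test", "tech": "firewall", "port": 8443, "exposed": True, "patched": True, "mfa": True},
    {"host": "intranet.example.test", "tech": "web", "port": 80, "exposed": False, "patched": True, "mfa": False},
]

# Assumption: the post's ranking (VPN, RDP, email, firewall) maps to weights 4..1;
# technologies outside the top four get no base weight.
TECH_WEIGHT = {"vpn": 4, "rdp": 3, "email": 2, "firewall": 1}

@dataclass
class Finding:
    host: str
    score: int
    reasons: list = field(default_factory=list)

def score_asset(asset):
    """Score one asset; higher means fix sooner. Non-exposed assets score 0."""
    if not asset["exposed"]:
        return Finding(asset["host"], 0, ["not internet-facing"])
    score = TECH_WEIGHT.get(asset["tech"], 0)
    reasons = []
    if asset["tech"] == "rdp":                       # RDP open to the internet
        reasons.append("RDP reachable from the internet; move it behind VPN/gateway")
        score += 3
    if not asset["patched"]:                         # known-unpatched exposed service
        reasons.append("unpatched software on an internet-facing service")
        score += 3
    if not asset["mfa"] and asset["tech"] in ("vpn", "rdp", "email"):
        reasons.append("no MFA: compromised credentials give direct access")
        score += 2
    return Finding(asset["host"], score, reasons)

def prioritize(inventory):
    """Return exposed assets with a positive score, highest risk first."""
    findings = [score_asset(a) for a in inventory]
    return sorted((f for f in findings if f.score > 0), key=lambda f: -f.score)

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{f.score:2d} {f.host}: {'; '.join(f.reasons) or 'exposed, no extra findings'}")
```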

Prioritize rapid vulnerability discovery and reporting, and patch all emergent zero-day vulnerabilities in internet-facing technology promptly. Commit to applying patches quickly rather than leaving known flaws exposed.

Educate your employees about common social engineering tactics with security awareness training. This training empowers employees to identify and resist social engineering by teaching them to recognize the psychological triggers attackers rely on (trust, fear, urgency, and curiosity), to verify the legitimacy of suspicious emails, and to validate web links that sound too good to be true.

Security awareness training also uses real-life cases and live phishing simulations to educate employees on cyber threats and how to protect business data. Additionally, it helps SMBs meet compliance training requirements.


Implement 24/7 system and network traffic monitoring with rapid response procedures through managed detection and response (MDR). MDR offers around-the-clock threat detection and response capabilities, accelerating time-to-remediation and minimizing or eliminating the impact of an attack.

Finally, regular system and network backups are a strong defense against attacks. If ransomware encrypts your files, backups allow you to restore your data to a pre-attack state, minimizing the attack impact and potentially avoiding ransom payments. Backups enable you to restore your systems quickly and resume business as usual, minimizing disruptions and downtime.

Find a security partner with ransomware expertise

If your business is outsourcing security support, make sure you're asking the right questions to ensure you’re getting the best protection against ransomware attacks.

Does your security partner use data-driven guidance?

Seek a partner guided by data from various sources, including in-house data, threat intelligence, and internet monitoring, ensuring they have a thorough picture of current cyber threats. 

Do you have shared goals and aligned incentives?

Your business doesn’t want to experience a ransomware attack, and you’re learning about security measures to protect against one. Consider whether your security partner is incentivized to help protect you from an attack and to educate you about its effects, with solutions such as security awareness training and managed detection and response services.

Are there customizable solutions tailored to SMB needs?

With limited IT and security resources, your business needs tailored solutions. Look for a security partner who can meet your needs using security technologies and integrated risk management.

Coalition Security™ can protect your business from the expanding universe of cyber threats with experts invested in minimizing your risk. We offer a wide range of security products and services that can help before, during, and after an attack. To learn more about Coalition Security, click here to schedule a free consultation with our team.


*Coalition Security and Coalition MDR are provided by Coalition Incident Response (d/b/a Coalition Security), a wholly owned affiliate of Coalition, Inc. Coalition Security does not provide insurance products. The purchase of a Coalition insurance policy is not required to purchase MDR or any other Coalition Security service. 

This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over nor assumes responsibility or liability for the content, privacy policy or practices of any such third-party websites.
