Over half of ransomware attacks now begin with criminals exploiting vulnerabilities in remote and internet-facing systems as hackers look to take advantage of unpatched cybersecurity issues.
According to analysis of ransomware incidents during the past year by researchers at security company Secureworks, 52% of attacks started with malicious hackers exploiting remote services.
Vulnerabilities in internet-facing applications have become the most common attack vector for ransomware operations. Often, these internet-facing applications are standard across enterprise environments around the world, making them a very tempting target for malicious hackers.
These applications and services could be internet-facing because organisations need them to enable employees to work remotely – or organisations might not even be aware that these applications are exposed to the internet at all.
According to Secureworks, some of vulnerabilities that have been used to launch ransomware attacks include vulnerabilities in Microsoft Exchange Server, vulnerabilities in Fortinet VPNs, a vulnerability in Zoho ManageEngine ADSelfService Plus, and more – all of which have official fixes available from vendors.
But even when security patches have been made available, many organisations remain vulnerable to the exploits because the update doesn't get applied.
That's particularly the case when the vulnerability is newly disclosed and cyber criminals are moving as quickly as possible to exploit it before patches are made available and organisations have had the chance to apply them.
"Even where a patch exists, the process of patching a vulnerability in an enterprise environment is far more complex and slower than the process for threat actors or OST [offensive security tool] developers of weaponising publicly available exploit code," warns the report.
Patching can be a laborious and cumbersome process, but it's still vital to help protect against ransomware and other malware attacks that target vulnerabilities in services exposed to the internet.
While over half of ransomware incidents examined started with attackers exploiting internet-facing vulnerabilities, compromised credentials – usernames and passwords – were the entry point for 39% of incidents.
There are several ways that usernames and passwords can be stolen, including phishing attacks or infecting users with information-stealing malware. It's also common for attackers to simply breach weak or common passwords with brute-force attacks.
Other methods that cyber criminals have used as the initial entry point for ransomware attacks include malware infections, phishing, drive-by downloads, and exploiting network misconfigurations.
No matter which method is used to initiate ransomware campaigns, the report warns that "ransomware remains a major threat and one that feeds on gaps in security control frameworks".
Despite the challenges that can be associated with preparing for ransomware and other malicious cyber threats – especially in large enterprise environments – Secureworks researchers suggest that applying security patches is one of the key things organisations can do to help protect their networks.
Another form of protection that researchers say should be applied to help prevent ransomware attacks is multi-factor authentication (MFA).
By applying MFA, particularly to applications and accounts that access critical services, it becomes much more difficult for cyber criminals to enter and move around the network – even if they have the correct password. Steps like this can be a significant force in disrupting ransomware attacks before they even start.