Ransomware makes headlines daily, with most incidents targeting big corporations sitting on enough capital to make the attack worthwhile. But regular people get infected too. Some attackers opt for slim but consistent pickings with a spray-and-pray approach. And recent events point to an increase in attacks on consumers. It’s high time we look at the key attack vectors threat actors use to infect us with this data-encrypting plague of a malware.
Ransomware is any form of malware that scrambles your data by encrypting it. The attackers leave a ransom note behind with instructions on how to pay them for the decryption key. Thanks to cryptocurrencies such as Bitcoin, which let criminals collect payment with little risk of being traced, attacks have been on the rise for the past decade. Today we look at the five most common ways attackers deploy ransomware.
Warez sites, torrents, cracked applications
Some of the most common places to get infected with ransomware are warez sites and torrents, where people download pirated content or unofficial software packages that nobody has vetted. These questionable venues are the perfect hub for sneaking ransomware through. Threat actors upload infected packages – say, a popular game or movie – and advertise them as legit. Users unwittingly download the malware-laden files and, as they attempt to run them, deploy the ransomware with their own hands.
Stay away from unofficial software repositories, warez sites and torrents! Not only is pirating software bad, but there’s also a good chance you might get ransomware on your computer.
Phishing
Easily the most popular attack vector for any type of cyber-attack, phishing is also a common way to get ransomware onto people’s computers. Attackers either spoof a website or set a trap through spam emails so that unwary users end up downloading malware, typically as a booby-trapped attachment or through a link to a malicious download.
Be wary of emails that press you to do something, such as open a link, claim a prize, or download and view an attachment. When in doubt, check the sender’s actual address (not just the display name), hover over links to see where they really lead, and read the message content critically. If it claims to be from an entity you can contact on a different channel, do so to confirm it’s not a scam.
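The checks above can be automated for a saved message. The following is an added example, not code from the original article: it parses a raw e-mail and flags a Reply-To that points somewhere other than the sender’s domain, links whose visible text names one site while the target is another, plain-HTTP links, and executable or double-extension attachments. The sample message, its domains and the attachment are all constructed for the demo.

```python
"""Heuristic phishing checks on a raw e-mail message (added example)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXT = re.compile(r"\.(exe|scr|js|vbs|bat|cmd|ps1|jar|iso|lnk|hta)$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_DOMAIN = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable(host: str) -> str:
    """Last two DNS labels; crude (ignores co.uk-style suffixes) but enough here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def build_sample() -> str:
    """Constructed phishing e-mail: bank-looking display name on an unrelated
    domain, Reply-To elsewhere, link text that does not match its target, and
    a double-extension attachment. All names are placeholders."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank Security" <alerts@examplebank-secure-login.net>'
    msg["Reply-To"] = "verify@mail-recovery.example"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Urgent: verify your account"
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(
        '<p>Log in at <a href="http://examplebank-secure-login.net/verify">'
        'https://www.examplebank.example/login</a> or open the attached statement.</p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg.as_string()


def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable red flags found in the message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Reply-To that steers replies to a domain other than the sender's.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1]
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable(reply_addr.rsplit("@", 1)[-1]) != registrable(from_dom):
        flags.append(f"Reply-To {reply_addr} does not match From domain {from_dom}")

    # 2. Links: visible text naming one domain while href goes to another, or no TLS.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR.findall(html.get_content()):
            target = urlparse(href)
            if target.scheme == "http":
                flags.append(f"link to {href} is not HTTPS")
            shown = LOOKS_LIKE_DOMAIN.search(re.sub(r"<[^>]+>", "", text))
            if shown and registrable(shown.group(1)) != registrable(target.hostname or ""):
                flags.append(f"link text shows {shown.group(1)} but points to {target.hostname}")

    # 3. Attachments with executable extensions, often disguised as documents.
    for part in msg.walk():
        name = part.get_filename()
        if name and RISKY_EXT.search(name):
            note = " (double extension)" if name.count(".") > 1 else ""
            flags.append(f"executable attachment {name}{note}")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(build_sample()):
        print("-", flag)
```

None of these heuristics proves a message is malicious on its own; a mismatched Reply-To is common in legitimate mass mailings. They are meant to prompt the out-of-band confirmation the text recommends, not to replace it.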
Supply chain attacks
Sometimes even downloading official software can land you a dose of malware. This vector is called a supply chain attack: the attackers get into the software supply chain by breaching the official vendor or its distribution site – imagine your favorite free video player – and swap the official builds for ones carrying ransomware.
As far-fetched as it may sound, this does occur from time to time. The most famous example is actually a ransomware strain designed to infect Macs through a popular BitTorrent client. In March 2016, attackers compromised the Transmission project’s website and replaced the official Transmission 2.90 installer with a build carrying the KeRanger ransomware. The tainted build was signed with a valid Apple developer certificate (a different one from the certificate Transmission normally used), so Gatekeeper treated it as vetted software and let it run, and XProtect, Apple’s built-in malware blocklist, had no signature for it yet. Users ended up deploying the ransomware-laden Transmission with their own hands. Apple later revoked the certificate and added KeRanger to XProtect, but not before it had been downloaded. Scary, right?
This is one of those rare cases where even if you’re making all the right choices, you can still get ransomware. A valid code signature only tells you someone with a developer certificate signed the file, not that it was the developer you expected, and a checksum shown next to the download link proves nothing if the site itself has been tampered with. Which means it’s always a good idea to have an advanced security solution running on your computer at all times, regardless of your OS.
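For readers who want to check a download themselves, here is an added example (not code from the article or from the Transmission project) that does the two checks that would have caught the case above: compare the file’s SHA-256 against a hash obtained from a channel other than the download page, and on macOS confirm the signer’s Team ID is the one you expect rather than merely that the signature is valid. The sample file contents, the expected hash and the team ID in the demo are constructed placeholders; `codesign` is only invoked when it is present on the system.

```python
"""Verify a downloaded installer before running it (added example)."""
import hashlib
import hmac
import re
import shutil
import subprocess
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(path: str, expected_hex: str) -> bool:
    """expected_hex must come from an out-of-band source (release notes,
    a mailing list, a mirror) rather than from the page you downloaded from."""
    actual = sha256_of(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def parse_team_id(codesign_output: str):
    """Extract the TeamIdentifier line from `codesign -dv --verbose=4` output."""
    m = re.search(r"^TeamIdentifier=(\S+)$", codesign_output, re.M)
    return m.group(1) if m else None


def macos_team_id(path: str):
    """Return the signing Team ID, or None if codesign is unavailable (not macOS)
    or the signature does not verify. codesign prints its details on stderr."""
    if shutil.which("codesign") is None:
        return None
    res = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                         capture_output=True, text=True)
    if res.returncode != 0:
        return None
    return parse_team_id(res.stderr)


def check_installer(path: str, expected_hex: str, expected_team: str = None) -> list:
    """Return a list of problems; an empty list means both checks passed
    (the signer check is skipped with a note when codesign is not available)."""
    problems = []
    if not verify_sha256(path, expected_hex):
        problems.append("SHA-256 does not match the published hash")
    if expected_team is not None:
        team = macos_team_id(path)
        if team is None:
            problems.append("could not verify code signature (no codesign or invalid signature)")
        elif team != expected_team:
            problems.append(f"signed by Team ID {team}, expected {expected_team}")
    return problems


def make_sample_download(contents: bytes = b"hello\n") -> str:
    """Write a constructed stand-in for a downloaded installer; returns its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dmg") as f:
        f.write(contents)
    return f.name


if __name__ == "__main__":
    sample = make_sample_download()
    # Placeholder hash: SHA-256 of the constructed contents b"hello\n".
    published = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
    print("hash ok:", verify_sha256(sample, published))
    print("problems:", check_installer(sample, published, expected_team="ABCDE12345"))
```

On macOS, `spctl --assess --type execute <file>` gives Gatekeeper’s own verdict, but as the KeRanger case shows, that verdict is satisfied by any valid developer certificate; comparing the Team ID against the one you saw on a known-good release is the check that actually distinguishes the publisher.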
Exposed IoT devices
Internet-connected gizmos are everywhere these days. While most of them aren’t directly affected by ransomware, there are exceptions. For example, if you have an unpatched or misconfigured router on your home network, bad actors using internet-wide scanning tools can find it and use it as a foothold into the computers behind it.
A more common example is a vulnerable or misconfigured Network Attached Storage (NAS) device. Recently, attackers have been increasingly targeting users of QNAP NAS units, either through exposed shares or security flaws in the product itself.
NAS users should always follow the vendor’s security guidelines and have the latest firmware version installed.
If there is any reason to believe attackers are exploiting a zero-day flaw in the device, keep it off the internet entirely until a fix ships: remove any port forwards on the router that point at it, disable UPnP so the NAS cannot open ports by itself, and reach it from outside only through a VPN.
Tech support scams
Falling for a tech support scam is another way you can land yourself a case of ransomware. Typically targeting a vulnerable demographic – like the elderly – threat actors convince the victim to grant them remote access to their computer, at which point they do the deed.
In fact, tech-support scammers have been known to carry out ransomware-style attacks without using any actual ransomware. Instead, they have relied on Syskey, a now-defunct Windows component introduced with Windows NT 4.0 that encrypts the Security Account Manager (SAM) database with RC4 using a 128-bit key derived from a system key, which can optionally be a startup password. Scammers with remote access would turn on that startup password, set it to something only they knew, and reboot the machine, leaving the victim locked out of their own PC until they paid.
Microsoft removed Syskey only about two decades later, in Windows 10 version 1709, both because its cryptography had become insecure and because it was being abused in exactly these ransomware-type attacks.
Make no mistake: tech support scammers are still at it using actual ransomware, and they will not pass on the opportunity to encrypt your data and demand payment in exchange for restoring it to its original form.
Remember, always use a trusted security solution on your computer to keep malware – not just ransomware – at bay.