How Ransomware Spreads

Kurt Baker - July 21, 2021

As ransomware operators continue to evolve their tactics, it’s important to understand the most common attack vectors used so that you can effectively defend your organization.

Ransomware spreads in several different ways, but the most common infection methods include:

  • Social Engineering (Phishing)
  • Website Pop-ups and Exploit Kits
  • Fileless Attacks
  • Ransomware-as-a-Service
  • Malware Obfuscation

Ransomware Infection Methods

Social Engineering

Technology and human nature are two sides of the same coin when it comes to ransomware attacks. In one case observed by CrowdStrike, a CEO’s email was spoofed and the attacker used social engineering to trick employees into clicking a link in a fake email from the executive.

To succeed, this attack required methodical research into the company’s management, its employees and the industry. As BGH attacks increase, social engineering is becoming a more intensive presence in phishing attacks. Social media also plays a huge role, not only enabling attackers to discover information on potential victims but also as a conduit for deploying malware.

Website Pop-ups and Exploit Kits

Website pop-ups and exploit kits can be used together to propagate ransomware that allows attackers to create “Trojan pop-ups” or advertisements containing hidden malicious code. If users click on one of them, they are surreptitiously redirected to the exploit kit’s landing page. There, a component of the exploit kit will discreetly scan the machine for vulnerabilities that the attacker can then exploit.

If the exploit kit is successful, it sends a ransomware payload to infect the host. Exploit kits are popular with eCrime organizations due to their automated nature. In addition, exploits are an efficient fileless technique, as they can be injected directly into memory without writing anything to disk, making them undetectable by traditional antivirus software.

Exploits kits are also proliferating among less sophisticated ransomware attackers, because they do not require a great deal of technical know-how to deploy. With a modest investment on the darknet, virtually anyone can get into the online ransom business.

Fileless Attacks

Fileless ransomware techniques are increasing. These are attacks in which the initial tactic does not result in an executable file written to the disk. Fileless ransomware uses pre-installed operating system tools, such as PowerShell or WMI, to allow the attacker to perform tasks without requiring a malicious file to be run on the compromised system. This technique is popular because fileless attacks are able to bypass most legacy AV solutions.

RANSOMWARE AS A SERVICE (RAAS) AND ACCESS BROKERS

Because cybercriminals are always looking for ways to optimize their operations and generate more profits, they have been inspired by the SaaS (software as a service) model to create a RaaS (ransomware as a service) model. RaaS providers offer all of the ransomware attack components needed to run ransomware campaigns, from malicious code to results dashboards. Some even include a customer service department, putting ransomware within the reach of non-technically savvy criminals. In addition, the subscription cost is usually covered as a portion of the proceeds from the campaign, making this a costefficient model for cybercriminals to adopt. An example of this type is the notorious RaaS CARBON SPIDER. CARBON SPIDER deepened its commitment to BGH in August 2020 by utilizing its own ransomware, DarkSide, and in November 2020, extended its footprint in BGH by establishing a RaaS affiliate program for DarkSide. This program allows other threat actors to use DarkSide ransomware while paying CARBON SPIDER a cut.

Access brokers are threat actors that gain backend access to various organizations (both corporations and government entities) and sell this access either on criminal forums or through private channels. Buyers save time with pre-identified targets and established access, allowing for more targets and faster deployments that result in a higher potential for monetization. Access broker utilization has become increasingly common among BGH actors and aspiring ransomware operators. CrowdStrike Intelligence has observed some access brokers associated with affiliates of RaaS groups.

Malware Obfuscation in the Build Process

In 2020, CrowdStrike Intelligence observed WIZARD SPIDER and MUMMY SPIDER implement open-source software protection tools into their malware build processes. The use of obfuscation techniques in malware is not new, but the inclusion of open source tools into build processes is novel, supporting advanced adversaries seeking agile development processes. Due to open source complexity, this tactic may have limited adoption by less sophisticated threat groups.

How to Protect Against Ransomware

Backups are a good defense but must also be protected as they often are the first thing attackers prohibit or try to destroy in an environment. Making sure backups are secure and separately accessible even in a compromised environment, is a standard precautionary measure. In September 2020, the U.S. Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MSISAC) published a joint Ransomware Protection Guide outlining additional cybersecurity measures organizations should take to understand and handle the ransomware threat. The guide advises on how to protect against ransomware, prepare for a potential incident, recover from an attack and where to find help. It includes practical recommendations such as keeping systems patched and up to date, training end users, and creating and executing an incident response plan.

Get to Know the Author

Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.