Ransomware is infecting the computers of unsuspecting victims at an astronomical rate. The various methods that cybercriminals use to take over a machine and encrypt its digital files are called the attack vectors, and there are quite a few.
In this article, we’ll explore the top 10 ransomware attack vectors. The first five exploit human weaknesses through social engineering attacks. In other words, they use carefully crafted messages to entice victims into clicking a link, downloading software, opening a file or entering credentials. The second five spread ransomware computer to computer. Humans may be somewhat involved in the process by navigating to a site or using a machine, but they are primarily automated processes. Let’s take a closer look at each attack vector:
Phishing is a social engineering technique where phony emails are sent to individuals or a large group of recipients. The fake messages—which may appear to come from a company or person the victim knows—are designed to trick people into clicking a malicious link or opening a dangerous attachment, such as the resume ransomware that appeared to be a job candidate’s CV.
SMSishing is a technique where text messages are sent to recipients to get them to navigate to a site or enter personal information. Some examples include secondary authentication messages or messages purporting to be from your bank or phone service provider. Ransomware that targets Android and IOS-based mobile devices often use this method to infect users. For example, after infecting your device, Koler ransomware sends an SMSishing message to those in your contacts list in an effort to infect them as well.
Vishing is a technique where ransomware distributors leave automated voicemails that instruct users to call a number. The phone numbers they call from are often spoofed so that messages appear to come from a legitimate source. When victims call in, they are told that a person is there to help them through a problem they didn’t know they had. Victims follow instructions to install the ransomware on their own machine. Cybercriminals can be very professional and often use a call center or have sound effects in the background to make it seem like they are legitimate. Some forms of vishing are very targeted to an individual or company and in such cases, criminals usually know quite a bit of information about the victim.
4. Social media
Social media posts can be used to entice victims to click a link. Social media can also host images or active content that has ransomware downloaders embedded into it. When friends and followers view the content, vulnerabilities in their browser are exploited and the ransomware downloader is placed on their machine. Some exploits require users to open a downloaded image from the social media site.
5. Instant message
Instant message clients are frequently hacked by cybercriminals and used to send links to people in a user’s contact list. This was one technique used by the distributors of Locky ransomware.
The ‘drive-by’ technique places malicious code into images or active content. This content, when processed by a web browser, downloads ransomware onto the victim’s machine.
7. System vulnerabilities
Certain types of ransomware scan blocks of IP addresses for specific system vulnerabilities and then exploit those vulnerabilities to break in and install ransomware onto the machine.
Malvertising is a form of drive-by attack that uses ads to deliver the malware. Ads are often purchased on search engines or social media sites to reach a large audience. Adult-only sites are also frequently used to host malvertising scams.
9. Network propagation
Ransomware can spread from computer to computer over a network when ransomware scans for file shares or computers on which it has access privileges. The ransomware then copies itself from computer to computer in order to infect more machines. Ransomware may infect a user’s machine and then propagate to the company file server and infect it as well. From here, it can infect any machines connected to the file server.
10. Propagation through shared services
Online services can also be used to propagate ransomware. Infections on a home machine can be transferred to an office or to other connected machines if the ransomware places itself inside a shared folder.
Be cautious and skeptical of the messages you receive, whether they come from email, instant message, text, voicemail or social media. Ransomware distributors are crafty and one click could be all it takes. Technical controls are also necessary to screen out unwanted content, block ads, and prevent ransomware from spreading. The most important thing is to have adequate backups of your data so that, if you ever are attacked, you can remove the virus and download clean versions of your files from the backup system.