The vast majority of ransomware attacks begin with cyber criminals exploiting common cybersecurity errors, which – if correctly managed – could prevent most victims from falling prey to attacks.
Microsoft analyzed anonymised data of real threat activity and, according to the company’s new Cyber Signals report, found that over 80% of ransomware attacks can be traced to common configuration errors in software and devices.
These include applications being left in their default state, allowing user-wide access across the network, security tools being left untested or misconfigured, cloud applications set up in a way that can easily allow unauthorized intruders to gain access, and organisations not applying Microsoft’s attack surface reduction rules, which allows attackers to run malicious code using macros and scripts.
It’s these misconfigurations that ransomware attackers are looking for as they seek out vulnerable targets for ransomware attacks – often with the added threat of double extortion attacks, where cyber criminals steal sensitive data and threaten to publish it if they’re not paid.
Microsoft warns that this process has been helped along by the growth of the ransomware-as-a-service (RaaS) ecosystem, which allows attackers who lack the technical expertise to create and develop their own ransomware to conduct attacks and extort ransom payments.
RaaS kits are relatively simple to find on underground forums and can include customer support, providing criminals with all the help they need to get started. Some of these ransomware kits are sold via a subscription model, while others are based on affiliate models, where developers take a cut of the profits from each ransom payment made for a decryption key.
The market behind RaaS is also extremely fluid, with new threats appearing as established offerings disappear. For example, the report details how since Conti – one of the most notorious ransomware operations – has seemingly shut down, the gap has been filled with the rise of other ransomware schemes including LockBit, Hive, Quantum Locker, and Black Basta.
It’s likely that some of the cyber criminals behind Conti are involved with these new threats, which are targeting organisations around the world – but Microsoft says falling victim can be avoided.
“While ransomware or double extortion can seem an inevitable outcome from an attack by a sophisticated attacker, ransomware is an avoidable disaster. Reliance on security weaknesses by attackers means that investments in cyber hygiene go a long way,” said the Cyber Signals report.
To prevent cyber criminals from exploiting common errors and misconfigurations, Microsoft details several recommendations for improving cybersecurity.
These include closing security blind spots by verifying that cybersecurity tools and procedures are configured correctly in a way that protects systems, along with disabling macros and other scripts that cyber criminals commonly exploit to execute malicious code.
It’s also recommended that the security of people, networks and cloud services are boosted with the use of multi-factor authentication, which can prevent cyber criminals from being able to use stolen usernames and passwords to move around the network and lay the foundation for ransomware attacks.
Organisations should also apply security patches and updates as quickly as possible to prevent attackers from being able to exploit known vulnerabilities.
MORE ON CYBERSECURITY