Ransomware is a form of terrorism in which infected systems or files are held hostage until the victim pays the ransom demand. The ransom is typically paid in cryptocurrency (e.g., bitcoin) or gift cards. If the ransom is not paid, the terrorists may withhold the decryption keys, permanently lock access to the files, or delete them. Victims are targeted through suspicious emails, application vulnerabilities, and service exploits.
Most organizations have trained employees to avoid clicking on links or opening attachments from suspicious emails. However, attackers are getting smarter. They now engage in “social engineering,” disguising themselves as someone or something the recipient trusts in order to trigger the desired action.
Ransomware takes advantage of vulnerabilities in common programs, such as Microsoft Word or Excel. Open Remote Desktop Protocol (RDP) and Server Message Block (SMB) ports are also exploited by cybercriminals. RDP is used for remote access to systems, while SMB is most commonly used for file sharing. It’s key for organizations to limit access to these ports to authorized machines.
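The recommendation above (RDP and SMB reachable only from authorized machines) can be checked mechanically. The following Python script is an added example, not code from the original article: it audits a list of firewall or security-group allow rules against a source allowlist and reports any RDP (3389) or SMB (445) rule whose source range is broader than the policy permits. The policy networks, host names and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Ports the article names as common ransomware entry points.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB"}

# Hypothetical access policy (an assumption for this example): each sensitive
# service may only be reachable from the source networks listed for it.
AUTHORIZED_SOURCES = {
    3389: [ipaddress.ip_network("10.0.5.0/24")],  # admin jump-host subnet
    445: [ipaddress.ip_network("10.0.0.0/16")],   # internal LAN only
}


@dataclass(frozen=True)
class Rule:
    """One allow rule from a host firewall or security group (constructed)."""
    host: str
    port: int
    source: str  # CIDR (or single address) the rule permits


def rule_is_authorized(rule, authorized=AUTHORIZED_SOURCES):
    """True if the rule's source range lies entirely inside an authorized network."""
    net = ipaddress.ip_network(rule.source, strict=False)
    return any(
        net.version == allowed.version and net.subnet_of(allowed)
        for allowed in authorized.get(rule.port, [])
    )


def audit_rules(rules, authorized=AUTHORIZED_SOURCES):
    """Return (host, service, source) for every RDP/SMB rule that is broader
    than the policy allows; rules for other ports are not assessed."""
    return [
        (r.host, SENSITIVE_PORTS[r.port], r.source)
        for r in rules
        if r.port in SENSITIVE_PORTS and not rule_is_authorized(r, authorized)
    ]


# Constructed sample inventory: a mix of compliant and over-broad rules.
SAMPLE_RULES = [
    Rule("fileserver01", 445, "10.0.0.0/16"),  # SMB from the LAN: allowed
    Rule("fileserver01", 445, "0.0.0.0/0"),    # SMB from anywhere: finding
    Rule("ws-042", 3389, "10.0.5.0/24"),       # RDP from jump hosts: allowed
    Rule("ws-042", 3389, "10.0.0.0/8"),        # RDP from all of 10/8: finding
    Rule("ws-042", 22, "0.0.0.0/0"),           # not RDP/SMB: not assessed here
    Rule("dc01", 3389, "10.0.5.17/32"),        # single jump host: allowed
]

if __name__ == "__main__":
    for host, service, source in audit_rules(SAMPLE_RULES):
        print(f"{host}: {service} reachable from {source}, outside authorized sources")
```

The check uses subnet containment rather than equality, so a rule that permits a single jump host is accepted while a rule that permits a range larger than the authorized one (here 10.0.0.0/8 versus 10.0.5.0/24) is reported even though it overlaps the allowlist.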
Ransomware leverages these vulnerabilities to infect systems. Once ransomware is on a system, it will look to maximize its impact by reaching more of the network to spread the infection. In order to infiltrate a network, ransomware requires certain conditions: 1st – a user needs to take an initial action (such as opening an email attachment); 2nd – the system used by that user has to have a vulnerability; and 3rd – access to the larger network has to be available. This series of conditions is unfortunately fairly common, as patching and access control across organizations can be challenging. Inadequate authorization controls allow the ransomware to spread across workstations.
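The third condition, access to the larger network, leaves a detectable trace: a workstation that is spreading ransomware over SMB or RDP opens connections to many distinct hosts in a short time, whereas normal use touches a small, stable set of servers. The following Python detector is an added example, not part of the original article: it reads constructed firewall connection log lines, keeps a sliding time window per source address, and raises an alert when one source reaches a threshold of distinct SMB/RDP destinations inside that window. The log format, addresses, threshold and window size are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format (an assumption): timestamp, source, destination,
# destination port, and the firewall's decision.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport, action) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"]), m["action"]


def detect_fanout(lines, ports=(445, 3389), threshold=5, window_s=60):
    """Alert on any source that contacts >= threshold distinct destinations on
    the given ports within window_s seconds. Denied attempts count too: a
    blocked connection is still evidence that the source is probing."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the detector
        ts, src, dst, dport, _action = ev
        if dport in ports:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()  # sliding window needs time order
        in_window = Counter()  # destination -> hits inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that fell out of the window.
            while (ts - events[left][0]).total_seconds() > window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                alert = alerts.setdefault(
                    src, {"distinct_targets": 0, "first_seen": events[left][0], "last_seen": ts}
                )
                alert["distinct_targets"] = max(alert["distinct_targets"], len(in_window))
                alert["last_seen"] = ts
    return alerts


# Constructed sample: a workstation using one file server, an administrator
# opening RDP sessions slowly, and a host fanning out over SMB in 18 seconds.
SAMPLE_LOG = """
2024-05-01T10:00:01Z src=10.0.3.14 dst=10.0.1.5 dport=445 action=allow
2024-05-01T10:00:05Z src=10.0.3.14 dst=10.0.1.5 dport=445 action=allow
2024-05-01T10:00:09Z src=10.0.3.14 dst=10.0.1.5 dport=445 action=allow
2024-05-01T10:01:00Z src=10.0.5.2 dst=10.0.3.20 dport=3389 action=allow
2024-05-01T10:04:00Z src=10.0.5.2 dst=10.0.3.21 dport=3389 action=allow
2024-05-01T10:09:00Z src=10.0.5.2 dst=10.0.3.22 dport=3389 action=allow
2024-05-01T10:12:00Z src=10.0.3.77 dst=10.0.3.1 dport=445 action=allow
2024-05-01T10:12:03Z src=10.0.3.77 dst=10.0.3.2 dport=445 action=allow
2024-05-01T10:12:06Z src=10.0.3.77 dst=10.0.3.3 dport=445 action=allow
2024-05-01T10:12:09Z src=10.0.3.77 dst=10.0.3.4 dport=445 action=deny
2024-05-01T10:12:12Z src=10.0.3.77 dst=10.0.3.5 dport=445 action=allow
2024-05-01T10:12:15Z src=10.0.3.77 dst=10.0.3.6 dport=445 action=allow
2024-05-01T10:12:18Z src=10.0.3.77 dst=10.0.3.7 dport=445 action=allow
this line is malformed and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for src, info in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['distinct_targets']} SMB/RDP targets "
              f"between {info['first_seen']} and {info['last_seen']}")
```

The threshold and window are the tuning knobs: the administrator's three RDP sessions spread over eight minutes never put five destinations inside one 60-second window, while the fan-out host reaches seven distinct SMB targets in 18 seconds. In practice, pair this with the port restriction from the previous section so that most of the attempted connections are denied as well as detected.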