Ransomware attacks have ratcheted up significantly since the first quarter of 2016 as more and more cybercriminals attempt to extort money from victims by using ransomware to encrypt their data and hold it for ransom. An Osterman Research survey from July of 2016 found that 54% of U.S. businesses surveyed had come under attack from ransomware in the trailing 12 months. Of the 540 companies surveyed by Osterman, the most commonly targeted types of business were in the healthcare or finance industries. With a surge in ransomware attacks, it’s important that you learn about the three most common attack vectors so you can start protecting your assets today.
PowerWare
While traditional ransomware installs files on your machine to run the attack, PowerWare utilizes Windows PowerShell, a native Windows framework that uses a command-line shell to manage tasks, to both install the malware and embed the malicious functionality within a script. PowerWare is spread in email campaigns to thousands of different addresses at a time. Attached to the email is a Microsoft Word document that claims to be an invoice or utility bill, which encourages the recipient to open the attachment. Opening the document prompts the user to enable macros. Once macros are enabled, the macro opens cmd.exe, which then calls PowerShell to download the malicious ransomware script into RAM. Once downloaded, PowerWare uses PowerShell to run the script and encrypt files. Using PowerShell avoids writing files to disk and helps the ransomware evade detection by antivirus products.
Example PowerWare Invoice
JavaScript
As it got harder to run a ransomware attack using macros, some cybercriminals switched to attacks using a JavaScript file. The attacks are initiated in email campaigns and rely on the fact that Windows hides file extensions by default. An attacker can name a JavaScript file invoice.txt.js, and when file extensions are hidden Windows displays it as invoice.txt. The .js icon also looks somewhat believable as a text document because it resembles a scroll, fooling people into believing the files are in fact documents. The JavaScript malware connects to a download server to grab the actual ransomware, downloads it as an .exe and launches the executable to encrypt the files. The screenshot below is an example email that contains the JavaScript file in the .zip attachment.
Example JavaScript Ransomware Email
Compromised Websites
Visiting a website compromised by an exploit kit is another method that can infect workstations with ransomware. In this type of attack, a cybercriminal probes websites to find ones with a particular vulnerability they can exploit. Anyone visiting a compromised website has the payload launched onto their computer, which then encrypts their files and holds them for ransom. Thousands of WordPress sites were targeted in September 2015. In that attack, the compromised websites redirected visitors to a Nuclear Exploit Kit landing page, which then attempted a variety of browser exploits to infect the visitors' computers with ransomware.
The Best Protection Against Ransomware
There is a wide range of things you can do today to protect your network from ransomware attacks. In the article Best Ransomware Protection we outline a number of steps you can take to stop ransomware, but of all the suggestions there is only one that doesn't require constant administration, such as updating whitelists or software restriction policies, and doesn't rely on signatures like antivirus. CryptoStopper, developed by WatchPoint, uses deception technology in the form of watcher files placed in your important network shares. CryptoStopper continuously monitors the watcher files for the encryption process to start and identifies a ransomware attack in seconds. It immediately isolates the infected workstation from the network and then shuts down the workstation. Lastly, it sends you an email notification letting you know a ransomware attack has been discovered and contained.
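As an added illustration of the watcher-file idea described above (this is example code written for this page, not CryptoStopper's own code), the following Python script plants decoy files in a share directory, records a hash baseline, and flags any decoy that is overwritten or renamed. The file names, contents and the tampering performed in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical watcher-file names, chosen to sort to the front of a directory
# listing so an encryptor walking the share alphabetically touches them early.
CANARY_NAMES = ["00_watcher_invoice.docx", "00_watcher_payroll.xlsx"]
CANARY_CONTENT = b"WATCHER FILE - do not open or modify\r\n" * 16


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(share: str) -> dict:
    """Write watcher files into a share and return {path: sha256} as the baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        p = Path(share) / name
        p.write_bytes(CANARY_CONTENT)
        baseline[str(p)] = _digest(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare each watcher file with its baseline; return (path, reason) per tampered file."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            # Ransomware commonly renames files (e.g. appends its own extension) as it encrypts.
            alerts.append((path, "missing: renamed or deleted"))
        elif _digest(p) != digest:
            alerts.append((path, "contents changed: possible encryption"))
    return alerts


def demo() -> dict:
    """Plant canaries in a temp dir, simulate tampering, and return what the check reports."""
    share = tempfile.mkdtemp(prefix="share_")
    baseline = plant_canaries(share)
    clean = check_canaries(baseline)            # nothing touched yet: expected []
    first, second = sorted(baseline)
    Path(first).write_bytes(os.urandom(64))     # constructed stand-in for an encrypted file
    os.rename(second, second + ".locked")       # constructed stand-in for a rename
    return {"clean": clean, "alerts": check_canaries(baseline)}


if __name__ == "__main__":
    for path, reason in demo()["alerts"]:
        print(f"ALERT {reason}: {path}")  # a real responder would isolate the host and notify
```

In production the check would run continuously (or on file-change notifications) and the alert path would trigger host isolation and notification rather than a print.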
Watch CryptoStopper Isolate and Shutdown a Workstation Infected with TeslaCrypt Ransomware