When we think about ransomware attacks, it's easy to imagine sophisticated hackers using advanced automated tools to exploit vulnerabilities. However, the reality is that many attacks are manual, leveraging well-known exploits to gain control over target systems. This blog explores how attackers often use various exploits to manually hack administrator passwords and launch ransomware attacks. We'll look at real-world statistics and examples to understand the prevalence of these methods and highlight proactive measures to protect your organization.

The Reality of Manual Ransomware Attacks

Statistics on Exploits Used

Remote Desktop Protocol (RDP) remains one of the most common vectors for ransomware attacks. In 2020, RDP was used in 50% of ransomware attacks. However, attackers also exploit other vulnerabilities in commonly used software to gain remote control of systems.

Common Exploits Used

1. Weak or Default Passwords: Attackers exploit weak or default passwords to gain access to systems.
2. Unpatched Vulnerabilities: Exploits targeting unpatched software, such as the BlueKeep vulnerability (CVE-2019-0708), allow attackers to execute remote code.
3. Phishing Emails: Phishing emails trick users into providing credentials or downloading malware that grants remote access.
4. Vulnerable Software: Software like VPNs, email servers, and web applications often have vulnerabilities that attackers can exploit.

Real-World Example: The Colonial Pipeline Attack

In May 2021, Colonial Pipeline, the largest fuel pipeline in the U.S., was hit by a ransomware attack. The attackers gained access to the network by exploiting a VPN account that was no longer in use but still active. This account used a weak password, which the attackers managed to crack. Once inside, they manually navigated the network and deployed ransomware, causing significant disruption to fuel supplies across the Eastern United States.

Steps Taken by the Attackers

1. Initial Access: Attackers gained access through a compromised VPN account.
2. Lateral Movement: They moved laterally across the network, identifying critical systems.
3. Payload Deployment: After mapping out the network, they manually deployed ransomware, encrypting data and disrupting operations.

Impact and Response

The attack caused a major fuel shortage, highlighting the critical need for robust access controls and proactive security measures.

Proactive Measures to Prevent Exploit-Based Ransomware Attacks

Strengthening Security

1. Enable Multi-Factor Authentication (MFA): Adding an extra layer of security makes it significantly harder for attackers to gain access even if they crack the password.
2. Regularly Update and Patch Software: Ensure all software is up-to-date with the latest security patches to protect against known vulnerabilities.
3. Conduct Regular Security Audits: Regularly review and audit access controls, network configurations, and software to identify and mitigate vulnerabilities.

Monitoring and Response

1. Set Up Intrusion Detection Systems (IDS): Deploy IDS to detect and alert on suspicious activity.
2. Regularly Review Logs: Continuously monitor and review login attempts and system logs for signs of brute force attempts.
3. Automate Response: Implement automated tools to block IP addresses after detecting multiple failed login attempts.

Disabling Malicious PowerShell Commands

Attackers often use PowerShell to establish persistence. To mitigate this risk:

1. Log and Monitor PowerShell Activity: Use tools like Sysmon to log PowerShell activity.
2. Disable Unnecessary PowerShell Features: Restrict the use of PowerShell remoting and execution of unsigned scripts.
3. Remove Malicious Scripts: Regularly audit and remove unauthorized PowerShell scripts.

Conclusion

While the idea of sophisticated automated attacks is prevalent, many ransomware attacks are executed manually, exploiting basic vulnerabilities like weak RDP security. By understanding these risks and implementing proactive measures, organizations can significantly reduce their exposure to such threats.

If you found this informative and want to learn more, visit AMEOT and check out the rest of the "Proactive 101" series.

If your organization could benefit from developing an effective breach and ransomware strategy, book a 30-minute call with one of our security professionals.

Thank you for your time and attention. Implementing proactive security measures can save your organization from significant financial losses and operational disruptions. Let’s work together to secure your future.

References

1. Kaspersky: RDP Attacks and Ransomware
2. Microsoft BlueKeep Vulnerability
3. Colonial Pipeline Ransomware Attack