Recipe for guaranteed ransomware

07 Jan Recipe for guaranteed ransomware

TLDR: if you do not improve your information security, chances are very high that your network will fall prey to criminals who encrypt all data. All you have to do is wait and do nothing!

Introduction

Over the past few months, it has become clear that ransomware is still on the rise. Networks of more and more organisations are completely encrypted. Backups have been removed or are also encrypted, making them unusable. Ransomware is becoming more and more advanced. The moment it’s present in your network, your entire network can be encrypted in minutes.

In this blog I describe the recipe for almost guaranteed ransomware in your network. Unlike many other recipes you don’t have to do anything to make it a success, you simply have to wait and see!

My company isn’t interesting, is it?

Entrepreneurs and management teams still have the misconception that only large companies are a target for criminals. Unfortunately this is not the case, we see more and more SMEs falling prey to ransomware. Every organisation has become completely dependent on IT and automation. Criminals therefore also know that many organisations cannot survive without working IT. What’s more, criminals have largely automated the hostage-taking of networks, so it doesn’t really matter anymore which organisation takes them hostage. Their business case is always solid.

The chance of ransomware is very small, isn’t it?

Unfortunately, the chance of ransomware in your network increases every day. As described before, ransomware is becoming more and more advanced. There are various ‘starter kits’ available for novice criminals, which ensure that they can get in business quickly, without having a lot of knowledge and skills themselves. Many organisations choose to pay hostage-takers, which makes the business case for criminals even better. Criminals also know that it takes organisations months to rebuild a network from scratch. This makes paying ransom more attractive, because many companies can’t afford to be out of business for months. The amounts are by no means low either: criminals charge a few Bitcoins (at January 5th 2021 € 26,000 each), so some year salaries are earned quite quickly. It is also true that many of those hostage-takers work from countries that are not so adept at detecting and prosecuting online criminals, all this makes it increasingly attractive for these criminals.

So what is the recipe?

In order to get ransomware into your network, there are a number of ingredients that are important. Please note that not all ingredients need to be present to get ransomware into your network.

Incorrect password policy and missing multi-factor authentication

In order to access a network from the outside, login details are required. It has long been emphasised that passwords must be unique and sufficiently long. Because it is fairly easy to generate and test weak passwords automatically, criminals manage to retrieve passwords relatively quickly. In addition, multifactor authentication is very important: in addition to username and password, another means of authentication is needed to log in.

How do they get the usernames? For example, they just look at how your email address is built up: E.G. initial.last name@ or first name@. Thanks to the rise of services like Office365, it has become very easy to guess a username, which in many cases simply is your email address. That email address is already known in various mailing lists, distribution groups or other sources, so malicious parties can find out relatively easily. Since guessing usernames can also be automated, it is only a matter of time before your username and password are guessed. Unless you have a long password, but that is difficult to remember, of course.

No insight into login attempts and network traffic

Many organisations still lack the insight to detect criminals. If you don’t keep an eye on who tries to log in at what times, you won’t notice that someone from Eastern Europe tries to log in 100 times in a row with different usernames and/or passwords.

There are several logs in which this kind of activity is logged, but if no one is looking at it…

The same is the case for strange network traffic within your network. If no one is monitoring the network traffic, you won’t be able to tell if a system is connecting to a suspicious source. Or when large amounts of data are suddenly being sent, which normally does not happen.

Users with domain admin rights

When a criminal is able to take over a workstation from a user who has management rights in the network, it is even easier for the malicious to compromise a network. This is because the malicious person does not have to make any effort to encrypt all systems, he can easily access everything. Even if a user with management privileges has ever logged in to the acquired workstation, it may still be possible to retrieve the login details of this user from the memory of the workstation. This makes it relatively easy for the attacker to have working admin rights.

Systems not updated

Updates are continuously offered by software suppliers. Annoying, because it takes time to install them and you often have to restart your software or entire computer. Malicious parties know this too and therefore like to make use of weak spots in software systems. Assuming there is always a user who doesn’t have the latest updates, or who feels that they can’t be hacked.

Missing segmentation

Segmenting networks is dividing networks into different parts. Super annoying if you think you have to be able to access everything, right? Criminals are grateful, because if you don’t divide your network into a number of solved segments, it will be considerably easier for them to take over and encrypt your entire network.

Backups not offsite

Making backups went on tape only a few years ago. That took a lot of time and was manual work for many organizations. Fortunately, there is also a possibility to have your files backed up automatically. Many organizations choose to keep these backups within the network, because then you can easily access them. Criminals think so too: the available backups are neatly encrypted!

Aren’t you waiting for ransomware?

Let Guardian360 check daily if your network has the latest updates and patches. We can also quickly detect weak passwords. Several Guardian360 partners can help you with the remaining issues.