Ransomware attacks: Weak passwords are now your biggest risk

Researchers at F-Secure analysed attacks over the course of six months and found that brute force attacks are now the preferred means of spreading ransomware - but phishing emails remain popular.
Written by Danny Palmer, Senior Writer

Brute force and remote desktop attacks have become the most common means of cyber criminals distributing ransomware, overtaking phishing emails and spam as the top technique for conducting file-encrypting malware campaigns.

The shift in attack technique follows a rise in ransomware during 2019, with a number of high-profile incidents demonstrating the damage that can be done when whole networks are encrypted.

It's why so many ransomware victims choose to give into hackers and pay the ransom – with the sum demanded in the biggest attacks amounting to hundreds of thousands of dollars, usually to be paid in Bitcoin or other cryptocurrency.


Cybersecurity researchers at F-Secure set up honeypots – decoy servers facing the internet designed to be appealing to hackers – to track cyberattacks and cyber-criminal activity during the first half of 2019.

The Attack Landscape H1 2019 report details what they found and it shows that, when it comes to ransomware, brute force is the main infection vector, accounting for 31% of attempts to deliver file-encrypting attacks.

Brute force attacks – also known as credential-stuffing attacks – see hackers attempt to compromise servers and endpoints by inputting as many passwords as possible, usually with the aid of bots, just to see if any of them work against the target. The attacks are successful due to the number of systems that use default credentials or extremely common passwords.

"Plain and simply, brute-force attacks are the primary choice for hackers because it works, we're seeing that there are an abundance of accounts that have way too many insecure and weak passwords – making it too easy for hackers to bypass them," Jarno Niemela, principal researcher at F-Secure, told ZDNet.

Remote Desktop Protocol (RDP) attacks can also be conducted in this way, with attackers attempting to guess passwords in order to remotely gain control of internet-facing endpoints. It's also possible for hackers to use underground forums to buy the usernames and passwords required to attack previously compromised endpoints.
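The two paragraphs above describe the pattern a defender can look for: one source trying many passwords, often across several usernames, against a remote-access service, and sometimes eventually succeeding. The following is an added example written for this article, not code from F-Secure or ZDNet; it runs a sliding-window brute-force detector over a constructed authentication log in a hypothetical "timestamp source_ip username FAIL|OK service" layout. The window, the threshold of 10 failures and the log format are assumptions, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not taken from the article):
# "<ISO timestamp> <source IP> <username> <FAIL|OK> <service>"
# 203.0.113.7 sprays default accounts and then gets in; 198.51.100.4 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2019-06-01T10:00:01 203.0.113.7 administrator FAIL rdp
2019-06-01T10:00:03 203.0.113.7 administrator FAIL rdp
2019-06-01T10:00:05 203.0.113.7 admin FAIL rdp
2019-06-01T10:00:07 203.0.113.7 admin FAIL rdp
2019-06-01T10:00:09 203.0.113.7 root FAIL rdp
2019-06-01T10:00:11 203.0.113.7 guest FAIL rdp
2019-06-01T10:00:13 203.0.113.7 user FAIL rdp
2019-06-01T10:00:15 203.0.113.7 administrator FAIL rdp
2019-06-01T10:00:17 203.0.113.7 administrator FAIL rdp
2019-06-01T10:00:19 203.0.113.7 administrator FAIL rdp
2019-06-01T10:00:21 203.0.113.7 administrator OK rdp
2019-06-01T10:02:00 198.51.100.4 jsmith FAIL rdp
2019-06-01T10:02:10 198.51.100.4 jsmith OK rdp
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|OK)\s+(\S+)$")


def parse_events(lines):
    """Turn raw log lines into (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result, _service = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])  # process in time order regardless of log order
    return events


def detect_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Returns {ip: {"flagged", "peak_failures", "usernames", "success_after_burst"}}.
    success_after_burst is the most urgent signal: a login succeeded while the
    source was still inside a failure burst, so a guessed password probably worked.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    report = defaultdict(lambda: {"flagged": False, "peak_failures": 0,
                                  "usernames": set(), "success_after_burst": False})
    for ts, ip, user, ok in parse_events(lines):
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        entry = report[ip]
        entry["usernames"].add(user)
        if ok:
            if len(q) >= threshold:
                entry["success_after_burst"] = True
            continue
        q.append(ts)
        entry["peak_failures"] = max(entry["peak_failures"], len(q))
        if len(q) >= threshold:
            entry["flagged"] = True
    # Sort the username sets so the output is stable and easy to compare.
    return {ip: dict(v, usernames=sorted(v["usernames"])) for ip, v in report.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        if info["flagged"]:
            level = "CRITICAL" if info["success_after_burst"] else "WARNING"
            print(f"{level}: {ip} made {info['peak_failures']} failed logins "
                  f"in {window_txt if (window_txt := '5 min') else ''} "
                  f"across accounts {info['usernames']}")
```

In practice the same logic is fed from Windows Security log events 4625 (failed logon) and 4624 (successful logon) for RDP, or from sshd's "Failed password" lines, rather than a synthetic format; the distinct-username count separates password spraying against default accounts from a single user who has forgotten a password, and a success that follows a burst is the event worth paging on.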

But despite the rise in brute force attacks, spam and phishing remains a highly common attack vector for ransomware: almost a quarter of the ransomware attacks targeting F-Secure honeypots looked to deliver ransomware via email.

All it can take for an attack to potentially compromise an entire network is for one user to download a malicious attachment – especially if the network is running unpatched software or doesn't have anti-virus. GandCrab ransomware was commonly distributed by email during the first half of this year.


Other methods attackers are using in attempts to deliver ransomware include compromised firmware, fake software, malvertising and specially constructed exploit kits – toolboxes containing various exploits for attackers to take advantage of – with each of these accounting for around 10% of attempted attacks.

With the report finding that all forms of cyberattack are on the rise, it might sound like a cause for concern for organisations of all kinds and in all sectors. However, researchers note that, with a few simple techniques, organisations can help themselves to remain secure.

These include keeping systems and applications patched and up to date, so cyber criminals can't exploit old vulnerabilities, and enforcing a password policy, which means default credentials are never used and that multi-factor authentication is deployed.

"Users can protect themselves by setting strong passwords to accounts, making sure RDP is used only when needed and have proper endpoint protection in place," said Niemela.
