What Are the Most Common Attack Vectors for Ransomware? (2024)

A proprietary protocol developed by Microsoft, RDP enables users to remotely connect to other computers over a network connection. This protocol necessitates that both computers involved in the connection run RDP software. RDP typically “hears” that connection through defined listening ports such as TCP port 3389 and UDP port 3389, per Microsoft’s documentation.

The issue is when organizations leave their RDP ports exposed online. As noted by ZDNet, some digital crime groups specialize in scanning the web for these exposed ports. When they find them, they carry out brute-force attacks to gain access. They can then sell that access on dark web marketplaces, giving attackers like ransomware groups an opportunity through which they can establish a foothold in an organization’s network.

Ransomware is just one of the threat categories that’s commonly distributed by phishing emails. A typical attack attempt begins when a user receives a malicious email that instructs them to open a tainted file attachment. It can arrive as a PDF document, a ZIP archive, or a Microsoft Office file that tricks a recipient into enabling macros. An attacker can use any of those file formats to trick the recipient into running an executable file that downloads ransomware onto their machine.

Phishing emails don’t always use attachments to infect recipients with malware. They can also direct victims to click on a malicious link. If they do click, the campaign can redirect the recipient to a website containing fake software downloads or other ruses designed to distribute ransomware or exploit kits as their payload.

Let’s revisit the phishing scenario discussed above in which an attack email’s embedded link redirects a recipient to a website containing an exploit kit. A phishing email might be the initial attack vector in this case, but it’s not the ransomware payload’s delivery vector. The exploit kit functions as the delivery vector in that it evaluates the visitor’s web browser, operating system, and/or other software for vulnerabilities. If it detects a supported vulnerability, the exploit kit activates its exploit code and uses it to install ransomware on the victim’s machine.

This type of scenario is known as a “drive-by download.” Email attackers can set up their own websites to conduct a drive-by download, but in doing so, they need to use redirect chains, typo-squatting, and other evasive tactics so that email gateways won’t flag their embedded links outright. Alternatively, attackers can attempt to compromise a legitimate website and misuse its reputation to distribute malicious code.

Fortunately, organizations can take several steps to protect themselves against the ransomware delivery vectors discussed above. They can block RDP port 3389 if they don’t need to use it, for instance. If they need some systems to support RDP, they can put them behind a firewall and monitor them for potential signs of abuse.

As for phishing and drive-by downloads, organizations can conduct phishing simulations across their entire workforce on a regular basis and confirm that their vulnerability management programs cover the plugins and other software that help to power their websites.

Organizations can also focus on augmenting their security posture so that they can defend against ransomware and other threats. One of the ways they can do that is by implementing an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the more subtle attack activity that can reveal an attack earlier.

Such a tool allows organizations to visualize the entire story of a ransomware attack wherever it’s occurring in their environment, even an operation that’s not been detected elsewhere before, so that their security teams can quickly shut it down.