Much ado has been made (by this very author on this very blog!) about the incentives for attackers and defenders around ransomware. There is also a wealth of information on the internet about how to protect yourself from ransomware. One thing we want to avoid losing sight of, however, is just how we go from a machine that is working perfectly fine to one that is completely inoperable due to ransomware. We'll use MITRE's ATT&CK as a vague guide, but we don't follow it exactly.
Ransomware targeting and delivery
As LockFile is ravaging Exchange servers just a few short weeks after widespread exploitation was documented, we can draw two conclusions:
If you're running an Exchange server, please stop reading this blog and go patch right away.When a widely exploitable vulnerability is available, ransomware actors will target it — no matter who you are.Highly targeted attacks have certainly leveraged ransomware, but for nearly all of these actors, the goal is profit. That means widespread scanning for and exploitation of server-side vulnerabilities that allow for initial access, coupled with tools for privilege escalation and lateral movement. It also means the use of watering hole attacks, exploit kits, and spam campaigns.
That is to say, there are a few ways the initial access to a particular machine can come about, including through:
Server-side vulnerabilityLateral movementWatering hole or exploit kitSpam or phishingThe particular method tends to be subject to the availability of wi ..
Support the originator by clicking the read the rest link below.
