Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Microsoft Report Identifies Cyber Mistakes That Lead to a Ransomware Infection

August 25, 2022

ZDNET reported on August 23 that Microsoft has released the second edition of Cyber Signals, spotlighting security trends and insights gathered from Microsoft's 43 trillion daily security signals and 8,500 security experts.

Microsoft analyzed anonymized data of real threat activity and found that over 80% of ransomware attacks can be traced to common configuration errors in software and devices.

These include applications left in their default state, accounts granted broad access across the network, security tools left untested or misconfigured, cloud applications set up so that unauthorized intruders can easily gain access, and organizations not applying Microsoft's attack surface reduction (ASR) rules, which leaves attackers free to run malicious code through Office macros and scripts.

These misconfigurations are exactly what ransomware attackers look for as they seek out vulnerable targets, often with the added threat of double extortion, where the criminals steal sensitive data and threaten to publish it if they are not paid.

Microsoft cautions that this process has been aided by the growth of the ransomware-as-a-service (RaaS) ecosystem, which permits attackers who lack the technical expertise to create and develop their own ransomware to conduct attacks and extort ransom payments.

RaaS kits are easy to find on underground forums and can include customer support, providing criminals with all the assistance they need to get started. Some of these ransomware kits are sold via a subscription model, while others are based on affiliate models, where developers take a cut of the profits from each ransom payment made for a decryption key.

The market behind RaaS is also extremely fluid, with new threats emerging as established offerings disappear. For example, the report details how since Conti – one of the most notorious ransomware operations – has seemingly shut down (but see Thursday’s blog post – maybe not!), the gap has been filled with the rise of other ransomware schemes including LockBit, Hive, Quantum Locker, and Black Basta.

As the report notes, it seems likely that some of the cyber criminals behind Conti are involved with these new threats, which are targeting organizations around the world.

Microsoft says falling victim can be avoided: “While ransomware or double extortion can seem an inevitable outcome from an attack by a sophisticated attacker, ransomware is an avoidable disaster. Reliance on security weaknesses by attackers means that investments in cyber hygiene go a long way,” said the Cyber Signals report.

Microsoft offers recommendations for improving cybersecurity.

These include closing security blind spots by verifying that cybersecurity tools and procedures are actually configured the way they are supposed to be, along with disabling the macros and other scripts that cyber criminals commonly abuse to execute malicious code.
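The two configuration gaps above, unapplied ASR rules and unrestricted Office macros, are things an administrator can check and fix from PowerShell. The script below is an added example written for this post, not code from Microsoft or the Cyber Signals report. It assumes a Windows host running Microsoft Defender Antivirus and an elevated PowerShell session; the rule GUIDs are Microsoft's published ASR rule identifiers, the $RuleNames table is only for readable output, and the Office policy registry paths assume Office 2016 or later (the 16.0 version key). Staging the rules in audit mode first and reviewing the resulting events before switching to block mode is the cautious order a practitioner would follow.

```powershell
# Added example (not from the Cyber Signals report): audit and harden Defender
# attack surface reduction (ASR) rules and Office macro execution.
# Assumes Microsoft Defender Antivirus and an elevated session.
#Requires -RunAsAdministrator

# Microsoft's published ASR rule GUIDs; the names are for display only.
$RuleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}

# Defender stores the per-rule action as an integer code.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # One object per rule in $RuleNames with its current action, or
    # 'Not configured' when the rule id is absent from Defender's list.
    $pref = Get-MpPreference
    $configured = @{}
    if ($pref.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] =
                [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    foreach ($id in $RuleNames.Keys) {
        $state = if ($configured.ContainsKey($id)) { $ActionNames[$configured[$id]] } else { 'Not configured' }
        [pscustomobject]@{ RuleId = $id; Rule = $RuleNames[$id]; State = $state }
    }
}

function Set-AsrRules {
    # Apply one action to every rule in $RuleNames. Add-MpPreference merges into
    # the existing rule list (Set-MpPreference would replace it). Start with
    # AuditMode, review the rule-fired events in the
    # Microsoft-Windows-Windows Defender/Operational log, then move to Enabled.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $RuleNames.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Set-OfficeMacroPolicy {
    # Write the per-user Office policy values that the corresponding Group Policy
    # settings ("VBA Macro Notification Settings" and "Block macros from running
    # in Office files from the Internet") would set. For a domain, push the same
    # values through GPO rather than running this per machine.
    # Assumption: 16.0 is the version key for Office 2016 and later.
    param([string]$OfficeVersion = '16.0')
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 4 = disable all macros without notification
        #              3 = allow only digitally signed macros (use if signed macros are needed)
        New-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: audit first, then stage the rules, then lock down macros.
Get-AsrRuleState | Format-Table -AutoSize
# Set-AsrRules -Mode AuditMode    # stage 1: observe what would be blocked
# Set-AsrRules -Mode Enabled      # stage 2: block, after reviewing audit events
# Set-OfficeMacroPolicy           # disable macros for Word, Excel and PowerPoint
```

The "Not configured" state is the one the report is warning about: a rule that has never been set is silently doing nothing, which looks identical to a protected host unless someone actually queries it. Running Get-AsrRuleState across a fleet (via a remoting session or an endpoint management tool) is the cheapest way to find those blind spots before an attacker does.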

It’s also recommended that the security of people, networks and cloud services be strengthened with multi-factor authentication, which can stop cyber criminals from using stolen usernames and passwords to move around the network and lay the groundwork for a ransomware attack.

Organizations should also apply security patches and updates as quickly as possible to prevent attackers from being able to exploit known vulnerabilities.

Sound advice which is all too rarely taken.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology