Main initial access vectors in ransomware attacks

Overview

Ransomware attacks represent one of the most critical cyber threats, given the increasing number of organizations affected each month by numerous global operating groups. These attacks disrupt operations, cause reputational and informational losses, and result in significant financial detriments. The attackers aim to encrypt victims’ data, demanding a ransom to restore access and threatening to distribute the information on underground forums if the payment is not made.

Over time, initial access vectors (the methods attackers use to introduce malware into systems) have evolved significantly. This evolution is driven by changes in the technologies employed by organizations, the security controls implemented, and the new techniques acquired by threat actors.

During the early rise of ransomware, initial access vectors were relatively simple, exploiting basic security flaws, exposed credentials, or misconfigurations. A significant contributing factor was the greater lack of cybersecurity awareness within organizations. As this awareness has increased, attackers have gradually become more sophisticated in their operations, highlighting the crucial role of education and training in preventing cyber-attacks.

Examples of early ransomware families are “Reveton” and “CryptoLocker,” primarily spread through phishing emails and malicious downloads from compromised websites. Reveton, for instance, disguised itself as a police warning to trick victims into paying a “fine.” CryptoLocker, on the other hand, was distributed via emails with malicious attachments impersonating legitimate companies, sending fake FedEx and UPS notifications that, when opened, infected the victim’s system and encrypted their files.

As system defenses improved, attackers diversified their TTPs (tactics, techniques, and procedures). They began using exploit kits such as Angler and Nuclear, which automated the exploitation of vulnerabilities in outdated software. For example, the Angler exploit kit exploited vulnerabilities in Internet Explorer, Silverlight, and Flash Player, among others, and was known for its ability to evade security tools like Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) through sophisticated obfuscation and exploitation techniques.

Similarly, the Nuclear exploit kit was notable for its dynamic use of payloads, which were adapted to evade signature-based detection and employed advanced techniques to ensure each payload was unique for every victim.

In 2017, the ransomware “WannaCry” marked a significant milestone. This ransomware spread using the EternalBlue exploit, infecting approximately 200,000 computers in 150 countries and causing an estimated $4 billion in damages. WannaCry demonstrated the potential of ransomware attacks to cause large-scale disruptions and underscored the importance of updating systems.

Today, the Ransomware-as-a-Service (RaaS) business model is the most used by criminal groups. This model features affiliate programs, where affiliates receive assistance to carry out attacks in exchange for a pre-agreed payment or a percentage of the profits from a successful compromise. According to SCILabs’ analysis, this trend has increased the number of ransomware families and threat groups. It is important to note that some threat actors occasionally announce the end of their operations, only to reemerge after a few months with a new name and novel infection techniques. This indicates that the activity of these threat groups is constant.

The following section addresses the main initial access vectors currently used by threat actors and some reasons why these vectors are exploited.

What are threat actors’ main initial access vectors to compromise organizations?

Threat actors use a variety of initial access vectors to compromise organizations, adapting their TTPs to exploit both technological and human vulnerabilities.

Figure 1 – Main Initial Access Vectors

The following are some of the main methods used:

Phishing emails, spear-phishing and malvertising

Phishing emails are one of the most common techniques. Attackers send emails that look legitimate, deceiving users into clicking on malicious links or downloading infected attachments. These emails can be highly personalized to increase effectiveness, using spear-phishing techniques to target specific individuals within an organization. Additionally, attackers employ malvertising, placing malicious advertisements on legitimate websites or search engines to redirect users to infected pages and automatically download malware without the user’s knowledge.

How does it work? Attackers send emails that appear to come from trustworthy sources but actually impersonate organizations. These emails contain malicious links or attachments designed to trick victims into revealing credentials or downloading malware. In the case of malvertising, malicious ads on legitimate websites redirect users to malicious pages that download malware.

Why does it happen? These techniques exploit social engineering, a form of psychological manipulation that preys on people’s emotions and trust. Attackers can customize emails based on information gathered about the victim, increasing the likelihood of success. In addition, by leveraging malicious ads and personalizing their campaigns during tax seasons, mortgage payments, and government processes, to name a few, threat actors have more opportunities to compromise victims.

Figure 2 – Example of a phishing email used by GlobeImposter ransomware operators

Figure 3 – Malvertising campaign
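A mail-gateway style check for the brand impersonation described above, such as the fake FedEx and UPS notifications. This is an added example, not SCILabs code; the brand-to-domain map, the sample messages and the three heuristics are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands worth protecting and the domains they really send from.
BRANDS = {"fedex": {"fedex.com"}, "ups": {"ups.com"}}

# Constructed messages for illustration.
SPOOFED = """\
From: "FedEx Delivery" <tracking@fedex-notify.example>
Reply-To: claims@mail-box.example
Subject: Your parcel could not be delivered
Authentication-Results: mx.corp.example; spf=pass; dkim=none; dmarc=fail

Open the attached label to reschedule.
"""
GENUINE = """\
From: "UPS Notifications" <noreply@ups.com>
Subject: UPS Ship Notification
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass

Your package is on its way.
"""


def _domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw_message):
    """Return the list of reasons a message looks like brand impersonation."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0]
    from_dom = _domain(msg.get("From"))
    reasons = []
    # Match whole words so that e.g. "groups" does not count as "ups".
    words = set(re.findall(r"[a-z0-9]+", display_name.lower()))
    for brand, domains in BRANDS.items():
        owned = any(from_dom == d or from_dom.endswith("." + d) for d in domains)
        if brand in words and not owned:
            reasons.append(f"display name claims {brand}, sender is {from_dom}")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"replies go to {reply_dom}")
    # Verdict recorded by the receiving mail server, if present.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("DMARC failed")
    return reasons
```

The Authentication-Results header should only be trusted when it was added by your own receiving server, since a sender can insert a forged copy.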

Compromised websites

It is common for threat actors to use compromised websites to distribute malware and gain access to victims’ systems.

How does it work? Attackers compromise legitimate websites by inserting malicious code into their pages. This can happen through vulnerabilities in the website’s software, such as an Apache HTTP server, outdated plugins, or unauthorized access to the website’s administration panel due to weak passwords. Once compromised, the website can redirect visitors to malicious pages or directly download malware onto their devices without their knowledge.

Why does it happen? This technique is effective because users trust legitimate websites. Attackers exploit this trust to silently and massively distribute malware. Additionally, many websites do not conduct application security testing, leading to vulnerabilities in their source code, and the lack of updates and security patches on website platforms makes them easy targets for compromise.

Figure 4 – Message shown by a compromised website

Vulnerability exploitation

Threat actors seek out and exploit vulnerabilities in outdated or unpatched software, especially in remote applications or those exposed to the internet.

How does it work? Attackers conduct reconnaissance on organizations’ internet-exposed infrastructure, identifying and exploiting vulnerabilities in outdated or poorly configured software. They use or develop exploits for these vulnerabilities, gaining unauthorized access to systems.

Why does it happen? Many organizations do not apply security patches promptly, leaving known vulnerabilities exposed. Remote applications and internet-exposed services, such as web servers and databases, are frequent targets. Furthermore, exploit kits can quickly detect and exploit these gaps before the necessary updates are implemented.

Figure 5 – CVE-2022-30190, “Follina” exploit example

Brute Force Attacks and stolen credentials

By exploiting weak or reused passwords, attackers can perform brute force attacks to gain access to user accounts. Additionally, stolen credentials from data breaches, known as data leaks or combos, are used to access corporate systems.

How does it work? Attackers use automated tools to try multiple combinations of usernames and passwords until they find a valid one. They may also use stolen credentials from previous data breaches.

Why does it happen? The reuse of passwords and the lack of robust password policies facilitate these attacks. Compromised credentials obtained through malware are often sold on underground markets, Telegram groups, or cybercriminal forums, providing attackers with a ready-made database to exploit.

Figure 6 – Brute Force attack example

Infostealers

Infostealers are a type of malware designed to steal sensitive information (such as passwords, financial data, and other personal data stored on infected devices). Threat actors use them to download and execute other threats, including ransomware.

How does it work? This malware is installed on the victim’s device, typically through phishing emails, malicious downloads, or by exploiting software vulnerabilities. Once installed, it collects sensitive information and sends it to the attacker without the victim’s knowledge. In some cases, it also downloads additional malware.

Why does it happen? The lack of EDR (Endpoint Detection and Response) tools or antivirus software, as well as the download of unverified software, facilitates the spread of infostealers. The stolen data is sold on underground markets and cybercriminal forums, providing attackers with privileged information that can be used to gain initial access and commit fraud.

Figure 7 – Fake office installer to deploy an infostealer

Abuse of VPN, Citrix, and RDP

Attackers exploit weak configurations or vulnerabilities in VPN, Citrix, and RDP services to gain unauthorized access to internal networks and sensitive data.

How does it work? With the increasing adoption of remote work, Remote Desktop Protocol (RDP) and other remote access technologies with poor security configurations have become key targets. Attackers look for exposed RDP, VPN, or Citrix servers and use tools that automate brute-forcing of passwords to gain entry or exploit critical vulnerabilities to access corporate networks. Once inside, they can move laterally through the network, steal data, and deploy malware. Specifically for RDP, attackers exploit misconfigured settings or weak credentials to access systems remotely.

Why does it happen? Misconfigurations, lack of multi-factor authentication, and the failure to promptly apply security patches facilitate these attacks. Immediate application of security patches is crucial to prevent attackers from exploiting these vulnerabilities and penetrating corporate networks.

Figure 8 – Example of RDP exploits search in Kali Linux
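Detection logic for the password guessing described in the brute force section and in this section on VPN, Citrix, and RDP abuse, run over a few authentication events. This is an added example, not SCILabs code; the log layout, the thresholds and the sample lines are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <username> <FAIL|OK>".
# The layout is an assumption; normalise RDP, VPN or Citrix logs into it.
SAMPLE_LOG = """\
2024-05-02T03:10:01 203.0.113.7 admin FAIL
2024-05-02T03:10:03 203.0.113.7 admin FAIL
2024-05-02T03:10:05 203.0.113.7 admin FAIL
2024-05-02T03:10:07 203.0.113.7 admin FAIL
2024-05-02T03:10:09 203.0.113.7 admin FAIL
2024-05-02T03:10:11 203.0.113.7 admin OK
2024-05-02T08:59:40 192.0.2.10 jsmith FAIL
2024-05-02T09:00:02 192.0.2.10 jsmith OK
2024-05-02T09:15:00 198.51.100.23 alice FAIL
2024-05-02T09:15:20 198.51.100.23 bob FAIL
2024-05-02T09:15:40 198.51.100.23 carol FAIL
2024-05-02T09:16:00 198.51.100.23 dave FAIL
"""

WINDOW = timedelta(minutes=5)  # sliding window per source address
FAIL_THRESHOLD = 5             # failures in WINDOW treated as brute force
SPRAY_USERS = 4                # distinct usernames in WINDOW treated as spraying

def parse(log):
    for line in log.strip().splitlines():
        ts, src, user, outcome = line.split()
        yield datetime.fromisoformat(ts), src, user, outcome

def detect(log):
    """Return (kind, source, detail) alerts in time order, one per kind and source."""
    failures = defaultdict(list)  # source -> [(timestamp, username)]
    raised, alerts = set(), []

    def alert(kind, src, detail):
        if (kind, src) not in raised:
            raised.add((kind, src))
            alerts.append((kind, src, detail))

    for ts, src, user, outcome in sorted(parse(log)):
        # Keep only this source's failures that are still inside the window.
        live = [(t, u) for t, u in failures[src] if ts - t <= WINDOW]
        if outcome == "FAIL":
            live.append((ts, user))
            users = {u for _, u in live}
            if len(users) >= SPRAY_USERS:
                alert("password_spray", src, f"{len(users)} usernames")
            if len(live) >= FAIL_THRESHOLD:
                alert("brute_force", src, f"{len(live)} failures")
        elif outcome == "OK" and len(live) >= FAIL_THRESHOLD:
            # A success straight after a failure burst: treat as a guessed password.
            alert("success_after_failures", src, user)
        failures[src] = live
    return alerts
```

A login with stolen but valid credentials produces no failure burst, so this logic does not see it; that case depends on multi-factor authentication and on checks of where and when an account normally signs in.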

Pirated software

Pirated software refers to legitimate software that has been intentionally modified to bypass licensing checks. This type of software can include backdoors or malware and is often distributed through unofficial channels or low-trust domains.

How does it work? The infected software is installed on users’ devices, providing attackers with remote access and control over the compromised systems. This can lead to the installation of other types of malware, such as infostealers and ransomware.

Why does it happen? Excessive trust in software sources and the lack of independent verification of updates are key factors that allow pirated software to spread. It’s essential to independently verify updates to ensure the security of your systems and prevent the infiltration of corporate and personal systems by attackers.

Figure 9 – Pirated software example

Supply chain attacks

Attackers compromise software suppliers or third-party service providers to insert malware into legitimate software updates, affecting multiple organizations simultaneously. This attack is dangerous because it can infiltrate internal systems through a trusted channel, as seen in the SolarWinds case.

How does it work? Attackers compromise software suppliers or third-party service providers to insert malware into legitimate updates distributed to multiple clients.

Why does it happen? Organizations often trust the integrity of their suppliers and do not independently verify software updates. This creates a backdoor that attackers can exploit to infiltrate multiple systems simultaneously.

Figure 10 – Supply chain attack example

Exploitation of Internet of Things (IoT) Services

Attackers exploit vulnerable IoT devices, add them to botnets, and orchestrate various types of attacks, such as Distributed Denial of Service (DDoS).

How does it work? Attackers look for poorly configured IoT services and devices, using tools to brute-force entry with weak passwords or by exploiting specific vulnerabilities.

Why does it happen? The massive adoption of remote work has increased the attack surface. Insecure configurations and the lack of multi-factor authentication in remote access services provide attackers a direct route to the organization’s internal systems.

Figure 11 – Framework used at times to exploit IoT in Kali Linux

Social engineering

Social engineering methods have evolved to become more sophisticated. They include phone calls, text messages, and fake profiles on social networks to deceive employees and obtain confidential information or access to systems. Attackers may impersonate suppliers or business partners to gain the victim’s trust.

How does it work? Threat actors use social engineering techniques to deceive victims, including creating fake profiles on social networks, making fraudulent phone calls, and using other OSINT (Open Source Intelligence) methods to obtain confidential information or system access.

Why does it happen? Attackers exploit human psychology and trust in social interactions. The personalization and perceived authenticity of these attacks make them particularly effective.

Figure 12 – Social engineering tools in Kali Linux

Insiders (Abuse of Trust)

Abuse of trust refers to situations in which an insider within an organization or system uses their position or privileged access to act harmfully. For example, an employee with access to confidential data might leak that information or intentionally deploy malware.

How does it work? It can manifest in various ways:

  • Unauthorized Access: Employees with privileged access to systems or confidential data can use their authorization for personal or malicious purposes, such as selling access on cybercriminal forums or deploying malware.
  • Misuse of Privileges: A system or network administrator can use their position to access restricted areas and make unauthorized changes.

Why does it happen? It is often related to the need for more internal controls within an organization.

Threat actors with the most activity in the region over the past year

According to SCILabs telemetry, the most active threat actors over the past year were LockBit 3.0, Akira Ransomware, ALPHV/BlackCat, RansomHub, and Qiulong Ransomware. This publication does not provide a detailed investigation of these threat groups, but it explains their initial access vectors to raise awareness about their potential dangers.

LockBit 3.0

The main initial access vectors used by LockBit 3.0 include remote RDP connections, propagation through phishing emails, and primarily the exploitation of vulnerabilities in ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), PaperCut (CVE-2023-27350), Apache Log4j (CVE-2021-44228), and Citrix Bleed (CVE-2023-4966).

Akira Ransomware

The operators behind this malware gain initial access to victims’ environments through VPN services, particularly those lacking multi-factor authentication (MFA), or by exploiting the CVE-2023-20269 vulnerability present in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD), which could allow an unauthenticated remote attacker to perform a brute-force attack to guess valid username and password combinations.

Additionally, it has been identified that they use tools such as AnyDesk, WinRAR, and PCHunter during their intrusions; because some organizations use these tools legitimately, their use may go unnoticed.
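One way to keep these dual-use tools from blending in is to compare each execution against the hosts where IT has sanctioned the tool, and to flag copies whose file name no longer matches the name embedded in the binary. This is an added example, not SCILabs code; the event fields (modelled on Sysmon Event ID 1), the match patterns, the host names and the allowlist are assumptions.

```python
import ntpath

# Tool names are the ones the article lists; the match patterns, the field
# names (modelled on Sysmon Event ID 1) and the allowlist are assumptions.
WATCHED = {"anydesk": "AnyDesk", "winrar": "WinRAR", "pchunter": "PCHunter"}
APPROVED_HOSTS = {
    "AnyDesk": {"HELPDESK-01"},
    "WinRAR": {"HELPDESK-01", "FIN-WS-07"},
    "PCHunter": set(),  # sanctioned nowhere
}

# Constructed process-creation events; real OriginalFileName values depend
# on each binary's version resource.
EVENTS = [
    {"Computer": "HELPDESK-01", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "DC-02", "Image": r"C:\Users\Public\svhost.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "FS-03", "Image": r"C:\ProgramData\WinRAR.exe",
     "OriginalFileName": "WinRAR.exe"},
    {"Computer": "FS-03", "Image": r"C:\Temp\PCHunter64.exe",
     "OriginalFileName": "PCHunter64.exe"},
    {"Computer": "FIN-WS-07", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def classify(event):
    """Return (tool, renamed) for a watched tool, or None for anything else."""
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    embedded = event.get("OriginalFileName", "").lower()
    for pattern, tool in WATCHED.items():
        if pattern in on_disk:
            return tool, False
        if pattern in embedded:
            return tool, True  # file name no longer matches the embedded name
    return None


def review(events):
    """Flag renamed tools everywhere and known tools on unapproved hosts."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        tool, renamed = hit
        if renamed:
            findings.append((event["Computer"], tool, "renamed binary"))
        elif event["Computer"] not in APPROVED_HOSTS[tool]:
            findings.append((event["Computer"], tool, "unapproved host"))
    return findings
```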

ALPHV/BlackCat

The operators behind this malware obtain legitimate credentials from the victim organization (via phishing or purchase from underground forums), which they can use in remote access tools or when attempting to exploit vulnerabilities such as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878 in the victim’s internet-exposed infrastructure to gain access to the organization.

RansomHub

According to open sources, this ransomware group buys access from initial access brokers (IABs), primarily of Russian origin, on Deep Web and Dark Net forums. It is hypothesized that RansomHub typically purchases this access to infiltrate its victims’ networks.

Qiulong Ransomware

According to open sources, this threat group uses phishing emails with malicious links to gain initial access.

Conclusion

The evolution of techniques used by threat actors to gain initial access to organizational systems underscores the critical need to stay ahead in cybersecurity. From simple phishing emails to sophisticated supply chain attacks and exploitation of remote access services, attackers’ methods have evolved along with improvements in technology and security defenses.

Understanding these initial access vectors and the factors that make them effective is essential for developing robust defense strategies. Additionally, continuous cybersecurity training, regular patches and updates, and advanced detection and response tools are fundamental to mitigating these risks. Furthermore, adopting a layered security mindset that includes prevention, detection, and response measures can help organizations more effectively protect themselves against growing threats, including ransomware, intrusions, DDoS attacks, and data breaches.

Cybersecurity is not just a matter of technology but also of organizational culture and resilience to attacks. Organizations must continuously improve their security posture and be prepared to effectively respond to any intrusion attempt with a proactive and adaptive approach that can significantly reduce the risk of compromise and protect the organization’s critical assets.

We invite you to visit our blog post, “Recommendations: Before, During, and After a Ransomware Incident,” for key recommendations that SCILabs believes are critical for organizations to follow.