CyberSecurity SEE

3 Common Initial Attack Vectors Responsible for Majority of Ransomware Campaigns

Ransomware attackers often use one of three main vectors to compromise networks and gain access to organizations’ critical systems and data, according to Kaspersky’s recently released report, “The Nature of Cyber Incidents.” These main vectors have remained consistent from the previous year, with the most significant vector in successful ransomware attacks in 2022 involving the exploitation of public-facing applications, accounting for 43% of all breaches. The use of compromised accounts increased to 24% in 2022, while malicious email declined to 12%.

The report shows that by focusing their defenses on these common attack vectors, companies can decrease the likelihood of becoming victims of ransomware. According to Konstantin Sapronov, head of the global emergency response team at Kaspersky, “A lot of companies are not the initial targets for attackers but have weak IT security and [allowing them to] be hacked easily, so cybercriminals take the opportunity.” The top three vectors accounted for almost 80% of all cases. Hence, implementing some defensive measures to mitigate them can go a long way in preventing ransomware attacks.

The top initial vectors cited by Kaspersky match an earlier report by incident-response firm Google Mandiant, which found that the same common vectors accounted for the top three techniques – exploitation of vulnerabilities (32%), phishing (22%), and stolen credentials (14%). Ransomware actors, however, tend to focus on exploitation and stolen credentials, which together accounted for nearly half (48%) of all ransomware cases.

Ransomware took off in 2020 and 2021 but leveled off last year, even dropping slightly. But this year, ransomware attacks and related attacks such as data leaks appear to be increasing. The number of organizations posted to data leak sites increased in the first part of 2023, says Jeremy Kennelly, lead analyst for financial crime analysis at Mandiant. He also stated, “This may be an early warning that the respite we saw in 2022 will be short-lived.”

Attackers commonly use five initial access vectors, according to the Cybersecurity and Infrastructure Security Agency (CISA). They include the three identified by both Kaspersky and Mandiant, plus external remote services such as VPNs and remote administration software, and third-party supply chain attacks, also known as trusted relationships. According to Kaspersky’s report, most compromises are either quick or slow. Quick attacks compromise systems and encrypt data in days. In slow ones, threat actors typically infiltrate deeper into the network for months, possibly conducting cyber espionage and then deploying ransomware or sending a ransom note.

Companies should continue to prioritize vulnerabilities that have exploits in the wild. By paying attention to the shifts in the threat ecosystem, companies can make sure that they are prepared for likely attacks. However, it is also essential to avoid putting too much emphasis on protecting against specific initial access vectors, as attackers continually adapt to defenses.

“The specific infection vectors that are most common at a given time should not broadly change an organization’s defensive posture, as threat actors continually shift their operations to focus on whichever vectors prove most successful,” Kennelly says. “A decrease in the prevalence of any given vector does not mean it poses a significantly lower threat – for example, there has been a slow decline in the proportion of intrusions where access was obtained via phishing, but email is still used by many high-impact threat groups.”

To sum up, ransomware attacks are increasingly prevalent and are becoming more challenging to prevent. Knowing the most common approaches that attackers are likely to take can help inform defenders. Paying attention to the shifts in the threat ecosystem and tracking exploitation trends can help companies prepare for likely attacks. However, putting too much emphasis on protecting against specific initial access vectors can become futile, as attackers continue to adapt to defenses.
