Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

October 7, 2021

How Ransomware Actors Get In

By: Ellie Sjobakken


The risk of ransomware to businesses is growing faster than ever — attacks have surged more than 700% and morphed into a $20B a year criminal industry. So far this year, attacks have more than doubled compared to 2020, and the financial industry has been particularly hard hit, seeing a 1318% increase according to Trend Micro.

While the high ransoms demanded by attackers grab headlines, the cost to remediate, recover, and restore business operations — even if an attack is unsuccessful — can dramatically exceed the cost of the ransom itself. This means there is a strong economic incentive for teams to reduce the number of infections. A crucial part of knowing how to protect your business is understanding which assets are exposed and the paths ransomware actors could take to gain initial access to your systems.

[Figure: ransomware attack lifecycle. Credit: NZ CERT]

The New Zealand CERT (Computer Emergency Response Team) is charged with addressing cyber incidents by receiving reports, tracking attacks, and providing advice on how to prevent and respond to future attacks. In a recent guide, they shed light on the lifecycle of ransomware attacks, and their research shows how ransomware actors today are gaining initial access.

In their report, NZ CERT identifies three pathways ransomware actors use to gain initial access:

  1. Compromise of remote access services via stolen credentials
  2. Exploitation of exposed and vulnerable systems
  3. Delivery of malware via email



1. Compromise of Remote Access Services Using Stolen Credentials

Remote access services allow users, and therefore attackers, to connect to a business’s internal network from external locations. It is common for actors to log in through remote access services such as VPNs and RDP servers – but accessing these systems requires credentials. Ransomware actors can obtain credentials via phishing, leaked credential dumps, and occasionally brute-forcing of weak and easily guessed usernames and passwords. With compromised credentials, actors may be able to bypass controls and reach restricted areas of an internal network. When brute-forcing, actors use a repetitive, automated mechanism to systematically guess weak passwords.

The first step of defending against ransomware attacks is always to identify and reduce the number of possible targets. The same goes for attacks that rely on compromised credentials, where attackers log in through weak passwords and gain access to multiple accounts. Once you have identified the possible targets, implementing multi-factor authentication and password managers for all employees is an easy and effective way to defend against compromised credential attacks. Protecting your organization’s credentials is more important than ever: Verizon’s 2021 DBIR found that credentials were the most common data type compromised, appearing in 61% of breaches. Having efficient tracking and notification systems also helps in quickly detecting these types of attacks.
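As an added illustration of the tracking and notification piece, here is example detection logic (not code from the original post or from Randori) run over constructed remote-access authentication log lines; the log format, hostnames, users and IP addresses are all made up for this example, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example, not a real gateway's:
# "<ISO timestamp> vpn-gw auth: <Failed|Accepted> password for <user> from <src-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) vpn-gw auth: (?P<result>Failed|Accepted) password for "
                    r"(?P<user>\S+) from (?P<src>\S+)$")

def parse(line):
    m = LOG_RE.match(line)
    return None if not m else {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                               "user": m["user"], "src": m["src"]}

def detect(lines, window=timedelta(minutes=5), max_failures=5, spray_users=3):
    """Alerts, in the order they fire:
    ('bruteforce', src): >= max_failures failed logins from one source within window
    ('spray', src): one source failing against >= spray_users distinct accounts
    ('success-after-failures', src, user): a success right after a burst, the one to triage first"""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(list)          # src -> failures still inside the sliding window
    alerts = []
    for e in events:
        buf = recent[e["src"]]
        buf[:] = [f for f in buf if e["ts"] - f["ts"] <= window]   # expire old failures
        if e["result"] == "Failed":
            buf.append(e)
            if len(buf) >= max_failures and ("bruteforce", e["src"]) not in alerts:
                alerts.append(("bruteforce", e["src"]))
            if len({f["user"] for f in buf}) >= spray_users and ("spray", e["src"]) not in alerts:
                alerts.append(("spray", e["src"]))
        elif buf:                        # Accepted while failures are still in the window
            alerts.append(("success-after-failures", e["src"], e["user"]))
    return alerts

# Constructed sample log: documentation IP ranges, fictional users.
SAMPLE_LOG = [
    "2021-10-07T09:00:%02d vpn-gw auth: Failed password for alice from 203.0.113.9" % s
    for s in (1, 3, 5, 7, 9)          # five failures in nine seconds -> bruteforce
] + [
    "2021-10-07T09:00:11 vpn-gw auth: Accepted password for alice from 203.0.113.9",
    "2021-10-07T09:01:00 vpn-gw auth: Failed password for bob from 198.51.100.7",
    "2021-10-07T09:01:01 vpn-gw auth: Failed password for carol from 198.51.100.7",
    "2021-10-07T09:01:02 vpn-gw auth: Failed password for dave from 198.51.100.7",  # -> spray
    "2021-10-07T09:30:00 vpn-gw auth: Failed password for erin from 192.0.2.5",     # lone failure
]
```

The success-after-failures alert is the one to route to a human first, since it is the point at which a guessed or leaked password has actually worked; MFA on the gateway is what turns that event into a non-incident.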

2. Exploitation of Exposed and Vulnerable Systems 

The first phase of many ransomware attacks has originated from attackers exploiting vulnerabilities in internet-exposed computers or programs by sending them crafted data, software, or commands. These attacks frequently unfold quickly after a vulnerability is disclosed, or even before disclosure, and the vulnerabilities are often in remote access services, specifically VPNs. While a single vulnerability might not be a massive cause for concern, attackers often chain multiple vulnerabilities to gain access to a network, making it crucial to identify all possible targets.

Promptly patching internet-facing systems is the best way to defend against attackers looking to exploit vulnerabilities. It is also important to quickly detect exploitation attempts, so an effective tracking and notification system that covers every vulnerability discovered in your environment pays off. Understanding your attack surface and which internet-exposed systems are most vulnerable is another helpful tool in defending against these types of attacks.

3. Execution of Malware via Phishing 

Phishing is another common way ransomware actors gain initial access to a network. These emails will often pose as a trusted source and contain an attachment or link, often a .doc or .xls file. If the attachment is opened, it will attempt to load malware onto the computer on which it was opened. Phishing can be targeted at one person, organization, or industry, but it can also be non-targeted, in what are termed mass malware campaigns.

The best way to defend against phishing is simply not to click on unknown links or attachments from unknown sources. EDR (Endpoint Detection and Response) often detects and blocks this type of activity and can be an effective protection against malware delivered via email, along with an effective tracking and notification system.



In the first phase of a ransomware attack, ransomware actors gain initial access to a network in one of three ways: compromised credentials, exploitation of vulnerabilities in internet-exposed systems, or malware delivered via email. Defending against these attacks starts with preventing initial access by combining the best defenses. Enforcing multi-factor authentication and password managers, timely patching of vulnerabilities, avoiding unknown links and attachments, and implementing an effective tracking and notification system can all help prevent ransomware attacks. While there is only so much you can do, understanding all the possible pathways an actor might take and the best ways to defend against them is the best protection.

External Attack Surface Management (EASM) is an emerging category, defined by SANS as the continuous discovery, inventory, classification, prioritization, and monitoring of an organization’s attack surface from an external attacker’s perspective. EASM can be another beneficial defense against possible ransomware attacks, helping your organization identify internet- and attacker-exposed IT assets and monitor them for unexpected changes and vulnerabilities that increase the risk of attack.


Randori can help ensure you’re not blind to the exposed assets your adversaries will exploit, and provides a powerful tool for monitoring and improving your existing efforts.
