
Thwarting ransomware attacks

by Mark Rowe

Ransomware attacks are everywhere. They’ve gone from being a niche problem to a headline-grabbing nightmare across the globe, writes John Trest, Chief Learning Officer at the cyber company, VIPRE Security Group.

With a single click on a malicious link, your company’s data can be held hostage, bringing operations to a grinding halt. Traditionally, the defence strategy has been straightforward: train your employees on behaviours such as hovering over links and scrutinising emails before clicking. But as with any battle, the tactics are always evolving, and the bad guys are getting smarter.

In recent times, ransomware attackers have upped their game by exploiting vulnerabilities in web applications—specifically, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Open Redirect. These vulnerabilities not only make phishing campaigns more convincing but also make traditional user training less effective. Late last year, we learned about the Quishing Campaign exploiting Microsoft vulnerabilities to carry out credential theft phishing attacks. And earlier this year, HP warned us of a considerable uptick in attackers exploiting vulnerabilities like open-redirect to carry out “cat-phishing” attacks. Here’s the thing… mitigating these threats requires us to mitigate vulnerabilities in the software itself!

To truly defend against ransomware, a more comprehensive approach that includes endpoint security, application security, and updated user awareness training is now essential.

Evolution of ransomware tactics

Ransomware used to be relatively simple. Attackers would send an email with a link or attachment, hoping to catch an unsuspecting employee off guard. If the employee clicked on the link or opened the attachment, the ransomware would get to work, encrypting files and demanding payment for their release. To combat this, companies began focusing on user training, teaching employees to hover over links, check for suspicious domains, and think twice before clicking.

But as companies got better at training their employees, attackers found a new way to bypass these defences: exploiting vulnerabilities in web applications. These attacks are particularly sneaky because they take advantage of applications that users already trust. When users hover over the malicious links, they see the legitimate domain, so they feel safe clicking. But once they do, it’s game over—the attack is triggered, and the ransomware gets installed on the victim’s PC, spreading through the corporate network like wildfire.

Anatomy of an exploit

Let’s take a closer look at how these web application vulnerabilities are exploited to carry out increasingly sophisticated ransomware attacks. Understanding these mechanics is crucial to developing an effective defence strategy.

Cross-Site Scripting (XSS) is like the silent ninja of web vulnerabilities. It works by allowing attackers to inject malicious scripts into web pages that are viewed by other users. Imagine you’re visiting a web page on a trusted site, maybe reading an article or checking out a product. If that page has an XSS vulnerability, the attacker can inject a malicious script into it. This script could do anything from stealing your session cookies (which could lead to account hijacking) to redirecting you to a fake login page. Because the page looks legitimate, you might enter your credentials or download a file without thinking twice. And that’s when the ransomware strikes… heck, in this case, the legitimate website is sending malicious code to your browser!

Cross-Site Request Forgery (CSRF) is another crafty tactic. It works by tricking your browser into making an unwanted request on a site where you’re already authenticated. For example, let’s say you’re logged into your online banking account. An attacker sends you an email with a link that, when clicked, sends a request to your bank’s site to transfer money. Since you’re already logged in, the request is processed, and the money is transferred—without you ever realising what happened. In the context of ransomware, CSRF can be used to trigger the download or execution of a malicious file, again using the trust you’ve placed in a legitimate site to catch you off guard. Would you click the “Run” button if a website you trusted prompted you to do so?

Finally, there’s Open Redirect, the trickster of the bunch. This vulnerability allows attackers to create URLs that initially point to a legitimate domain but then redirect to a malicious site. Let’s say you receive an email that appears to come from your company’s HR department, asking you to review your latest performance evaluation. You hover over the link, and it points to your company’s domain—so far, so good. But when you click, you’re redirected to a site that installs ransomware on your machine. The initial legitimacy of the link makes you less suspicious, and before you know it, the attack is underway!
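Each of the three weaknesses just described has a straightforward server-side counter-measure, and that is where the application-security half of the defence lives. The following is an added example, not the article’s or VIPRE’s code: framework-agnostic Python showing output encoding against XSS, a per-session token check against CSRF, and allow-list validation of a redirect target against Open Redirect. The host name intranet.example.com, the function names and the sample inputs are constructed for illustration.

```python
"""Server-side checks against XSS, CSRF and Open Redirect.

Added example (not from the article or VIPRE). The functions are
framework-agnostic so they run stand-alone; names and hosts are assumed.
"""
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import urljoin, urlparse

# --- XSS: encode untrusted data before it lands in an HTML context -------

def render_comment_vulnerable(comment: str) -> str:
    # Vulnerable form: untrusted text is concatenated straight into markup,
    # so a comment containing <script> is delivered to every reader's browser.
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment: str) -> str:
    # Hardened form: HTML-encode so tag and attribute characters become
    # inert text. The browser renders the characters, it never executes them.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# --- CSRF: bind state-changing requests to a per-session secret ----------

def issue_csrf_token(session: dict) -> str:
    # Generated once per session and embedded in forms as a hidden field.
    # A third-party page cannot read it, so it cannot forge the request.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, submitted: Optional[str]) -> bool:
    # Reject when no token was issued or none was submitted; compare in
    # constant time so the check leaks nothing about the expected value.
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# --- Open Redirect: only follow targets that stay on our own host ---------

ALLOWED_HOSTS = {"intranet.example.com"}          # constructed allow-list
OWN_ORIGIN = "https://intranet.example.com/"      # constructed origin


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a local path to redirect to, or `default` if the value
    supplied in a 'next='-style parameter would leave our site."""
    # Browsers treat a backslash like a slash in URLs, so "/\evil" would
    # become "//evil" (a different host). Refuse it outright.
    if "\\" in next_param:
        return default
    # Resolve relative values against our origin, then inspect the result.
    resolved = urlparse(urljoin(OWN_ORIGIN, next_param))
    if resolved.scheme != "https" or resolved.netloc not in ALLOWED_HOSTS:
        return default
    # A path beginning "//" would be read as protocol-relative by the
    # browser, smuggling a host back in; accept only a single leading slash.
    path = resolved.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Rebuild only path and query; the host is never copied from input.
    return path + ("?" + resolved.query if resolved.query else "")


if __name__ == "__main__":
    print(render_comment("<script>alert(1)</script>"))
    s: dict = {}
    t = issue_csrf_token(s)
    print(verify_csrf(s, t), verify_csrf(s, "forged"))
    for candidate in ("/hr/review?id=7", "https://evil.example/login",
                      "//evil.example/login", "/\\evil.example"):
        print(candidate, "->", safe_redirect_target(candidate))
```

The redirect check deliberately reconstructs the target from the parsed path and query rather than echoing the parameter back, so even a value that passes the host test cannot carry a scheme or authority through to the Location header. The same allow-list approach is what a security test for Open Redirect should exercise: feed absolute, protocol-relative and backslash-prefixed values and confirm each collapses to the default.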

Defending against ransomware

Given how sophisticated these attacks have become, it’s clear that traditional defences are no longer enough. While endpoint protection remains crucial, it must be paired with strong application security and an updated approach to user training.

Endpoint security solutions should be capable of detecting and blocking ransomware before it can do any damage. This means regular updates, patches, and the use of advanced detection algorithms that can spot suspicious behaviour before it leads to a full-blown attack.

On the application security front, regular security testing is essential. Applications should be tested for vulnerabilities like XSS, CSRF, and Open Redirect, and any issues should be addressed immediately. Secure coding practices should be enforced, ensuring that vulnerabilities don’t slip through the cracks during development.

But perhaps the most important element is user awareness training. As attackers evolve, so too must our approach to training. Users need to be made aware of these new types of attacks, and they need to be trained on how to recognise them. This includes understanding that just because a link points to a legitimate domain doesn’t mean it’s safe. Continuous training and reinforcement, through simulated phishing exercises and other methods, can help keep these lessons fresh in users’ minds.

Bringing it all together

Ransomware isn’t going away any time soon, but with a multi-layered defence strategy, it can be thwarted. By integrating endpoint security, application security, and up-to-date user awareness training, enterprises can stay one step ahead of attackers.

About the author

As Chief Learning Officer at VIPRE Security Group, John Trest leads the development of eLearning courses, integrating 2D animation, 3D animation, live action filming, video, and graphic art. He has developed curricula for Security Awareness, Harassment, Ethics, Privacy, HIPAA, GDPR, PCI, DEI, and HR compliance training. Visit vipre.com.
