Web vulnerabilities are a key part of many ransomware attack chains, even those that start from a phishing email. This post puts together five reasons why eliminating web vulnerabilities is vital to prevent ransomware attacks.
Ransomware has been a source of major problems for organizations worldwide in recent years. Aware of this situation, many have decided to concentrate their efforts on protecting themselves specifically against this class of threats – even if it means shifting their budgets away from web security. Unfortunately, this means they are actually making their IT systems less secure against ransomware.
Here are five reasons why taking care of your web security is critical for avoiding ransomware.
Reason #1: Ransomware is the result, not the attack
Ransomware is one type of payload delivered by a successful attack – but it should not be confused with the attack itself.
If we were to compare being hit by ransomware to getting sick, the ransomware software would represent a virus or bacterium. For living organisms, once viruses or bacteria get inside the body, they can multiply and infect the entire system, often with fatal results. It is the same with ransomware: once it has entered your systems, it may be too late to stop it.
Luckily, bacteria and viruses cannot spontaneously fly from one host to another, and neither can ransomware – it needs to be introduced into the system somehow. In both cases, prevention is better than cure, so your most effective defensive measures are those that prevent ransomware from entering your systems in the first place.
As with bacteria and viruses, there are many ways to spread ransomware. For example, a virus might be airborne, so you can catch it by inhaling, or it might require physical contact. Similarly, a ransomware payload could be delivered via phishing and social engineering or by directly exploiting system vulnerabilities. And because most of these will now be web vulnerabilities (see below to learn why), this is where your first line of defense should be.
“The only way to protect your organization against ransomware is to prevent attacks that can be used to deliver it. Once ransomware has been placed in your systems, it is too late.”
Reason #2: Ransomware spreads through web-based attacks
Phishing and social engineering are believed to be the most common ways to deliver ransomware. However, the success of phishing attempts often depends on common web vulnerabilities such as cross-site scripting (XSS). When these exist, attackers can perform more convincing attacks against your users and employees by abusing their trust in your business and your domain name.
How is this possible? Say that your web application has an XSS vulnerability that lets an attacker send your employees a phishing message containing a malicious URL with your domain name. Upon visiting the vulnerable page on your own site, the victim (one of your authenticated employees) is automatically redirected to a malicious site where the browser downloads a ransomware installer. Do you think that none of your employees would ever fall for such a trick? Think again.
Even worse, attackers may use your vulnerable web applications to attack your business partners, your customers, or even the general public, which could mean exposing your security weakness and harming your reputation irreparably. To minimize this risk, you need to make sure no sites or applications that operate under your domain names have such XSS vulnerabilities.
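The scenario above, as an added JavaScript example that is not code from the original post: a page that reflects a search parameter into its HTML, shown in the vulnerable form that lets injected markup run under your domain and in the hardened form with output encoding plus a restrictive Content-Security-Policy. The function names, the header set, the placeholder host attacker.example and the constructed sample query are all assumptions made for this illustration.

```javascript
// Added example, not part of the original post. All names below
// (escapeHtml, renderSearchPageVulnerable, renderSearchPageHardened,
// securityHeaders, containsActiveMarkup, demo) are assumptions.

// Encode the five characters that change meaning inside HTML text or
// attribute values. '&' goes first so later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: the ?q= parameter is concatenated straight into the markup,
// so any HTML it carries is served as part of a page on *your* domain.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// HARDENED: identical page, but the untrusted value is encoded at the HTML sink.
function renderSearchPageHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Defence in depth: headers to send with every response so that a missed
// encoding somewhere else cannot turn into an off-site redirect or script load.
// 'self' forbids inline scripts and scripts from other origins.
const securityHeaders = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  'X-Content-Type-Options': 'nosniff',
};

// Detection check usable in a CI test or when reviewing captured responses:
// does the body still contain active markup (script tags, inline event
// handlers, frames or meta refresh) that could have come from user input?
function containsActiveMarkup(html) {
  return /<script[\s>]|<\/script>|\bon\w+\s*=|<iframe[\s>]|<meta[\s>]/i.test(html);
}

// Constructed sample input of the kind Reason #2 describes: markup that would
// send the visitor to another site. attacker.example is a placeholder host.
const sampleQuery = "<script>location='https://attacker.example/'</script>";

// Render the same input both ways and report whether each result is exploitable.
function demo() {
  const vulnerable = renderSearchPageVulnerable(sampleQuery);
  const hardened = renderSearchPageHardened(sampleQuery);
  return {
    vulnerableIsExploitable: containsActiveMarkup(vulnerable), // true
    hardenedIsExploitable: containsActiveMarkup(hardened),     // false
    hardened,
  };
}
```

The point of the pair is where the fix lives: the hardened renderer does not try to recognise bad input, it encodes every value at the point where it meets HTML, and the CSP header limits the damage of any sink that was missed. Running `containsActiveMarkup` over rendered responses in a test suite is a cheap way to catch a regression before a scanner or an attacker does.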
“Web vulnerabilities in your sites and applications may enable phishing attacks against your own organization, your partners, your clients, or even the general public. This may cause irreparable harm to your reputation.”
Reason #3: Business is moving to the cloud – and so are cybercriminals
As mentioned at the start, there are many ways to deliver ransomware to a target system, and many of them take advantage of vulnerabilities. Not that long ago, the most attractive vulnerabilities would be those in on-premises systems, for example, network security issues caused by out-of-date software or device misconfigurations. With the pandemic-fueled move to remote work, on-premises networks are losing even more ground.
On-prem networks and infrastructures are being replaced by cloud solutions that are completely based on web technologies. In terms of security, the move to the cloud translates to the growing importance of web vulnerabilities. Security issues that were once limited to, say, your marketing websites may now affect your business-critical systems and data.
Ransomware creators are also keeping up with the times. They know that the old method of getting a malicious encryptor to crawl through a local network and infect physical desktops and servers might not work anymore. As more and more potential victims use their web browsers as thin clients to access data stored in the cloud, cybercriminals are shifting towards exploiting web/cloud vulnerabilities to ensure their ransomware can still get at your data.
“Most organizations either already use the cloud or are moving to it, making local network security all but obsolete. Focusing on network security instead of web security in this day and age will leave you with gaping holes for attackers to exploit.”
Reason #4: Ransomware victims do not report their attack details
Finding reliable ways to defend your business against ransomware can be especially difficult because organizations that have fallen victim to a ransomware attack usually don’t share any details. In most cases, they merely issue a public statement that they have experienced a ransomware attack (or even simply a cyberattack) – and nothing more.
To be clear, such behavior is understandable for many reasons. First of all, an organization might not be able to find and fix a specific security weakness immediately following an attack. Secondly, sharing attack vector details may be deemed to expose the organization to additional attacks. And finally, many organizations believe that admitting to their security mistakes will hurt their reputation.
But justified or not, such practices ultimately slow down the development of efficient protection methods and have an overall negative impact on IT security worldwide. It’s a bit like a country being hit by a deadly virus but not sharing any details about it for political reasons.
“By refusing to share the details of attack vectors used to successfully deliver ransomware, many organizations are making it more difficult for the entire global community to avoid ransomware.”
Reason #5: Media reports focus on incidents, not solutions
What makes the information gap even worse is that even in rare cases where attack details are known, the media generally choose to omit such technical information (and this is true not only for ransomware). Instead, the media focus entirely on more popular aspects of the story, such as the business impact of a ransomware attack. For example, to find out that the Capital One data breach from 2019 was caused by a server-side request forgery (SSRF), you would have to dig very deep in search engines, as most media sources did not include this crucial piece of information.
With widespread media and business behaviors that do nothing to make ransomware less of a problem for companies everywhere, it is refreshing to see major enterprises that follow the best possible incident disclosure practices. Cloudflare is one example of a company that regularly discloses its security incidents with an impressive level of detail, as with their major outage in 2019 caused by human error when setting up a web application firewall (WAF). If ransomware victims followed similar practices more often, we would all be better off.
“We strongly recommend that the media should share all known details of ransomware attacks. The more the global community knows about the first steps of any ransomware attack, the more chance we will all have to protect ourselves against similar attacks in the future.”