Ransomware, Phishing

What to do about the rise of unknown attack vectors in the ransomware playbook

Unknown vectors haunt ransomware playbook

Just when cybersecurity pros started to feel confident about their mitigation plans – automation, educating users about social engineering scams, and building adaptable security mechanisms – cybercriminals have thrown a curveball: a rise in ransomware powered by "unknown" attack vectors.

This new revelation from an April 17 Coveware ransomware report has left security teams scratching their heads again. These bad actors are nothing if not clever and maliciously creative.

The steadily climbing “unknown” category presents a significant challenge: How do we defend against threats we don’t even understand? If we can't pinpoint how attackers are getting in, how can we fight with useful countermeasures? Security teams must peel back the layers of this "unknown" attack vector to ensure that defenses can adequately adapt and respond.

Why there’s a decline in known attack vectors

Phishing has historically been one of the most common attack vectors – if not the most – for spreading ransomware. However, recent advances in email filtering, user education, and tighter regulations have made organizations and users savvier. Remote access protocols had been a favorite vector for attackers, especially with the rise of flexible work arrangements. Over the years, organizations have upped the ante by implementing multi-factor authentication (MFA), strict access controls, and regular audits.

Because it’s no walk in the park to discover previously unknown or zero-day vulnerabilities, the number of bad actors with access to such exploits is limited. However, despite these measures leading to a decline in traditional attack vectors, organizations can’t afford to stay complacent.

Take stats with a grain of salt as attackers get smarter

The decline in typical attack vectors doesn't necessarily mean a decisive win for security teams. Ransomware remains one of the most common attack types, with 59% of organizations being hit last year. Attackers find new ways to exploit vulnerabilities. However, there are only so many ways they can enter an organization. A deeper analysis would reveal that many of these "unknowns" are just old wine in new bottles, familiar threats wrapped in a different package.

Phishing, for instance, often goes unreported by employees, leaving organizations unable to determine where malware on their devices may have originally come from. This underreporting can give organizations a false sense of security. Some attacks are multi-staged exploits where cybercriminals use a blend of various techniques and tactics, blurring the lines between different attack vectors, and making it difficult to pinpoint the initial point of intrusion. 

For example, many RDP compromises stem from credential theft, often facilitated by phishing or obtained through the dark web. The attacker may then exploit an unpatched software vulnerability to escalate privileges and move laterally within the network. Thus, the unknown attack vector can include a sophisticated combination of phishing, remote access attacks, unpatched software, and other vulnerabilities. This intricate combination makes it difficult to categorize the attack under a single vector, hence the rise of the “unknown” category.

How to strengthen defenses against unknown threats

Known attack vectors like phishing remain a major gateway for adversaries, but attribution often becomes harder. Organizations still need to stay as vigilant as ever, focusing on a defense-in-depth approach to cybersecurity that addresses known threat vectors holistically. By doing so, they will naturally notice a drop in those mysterious unknown vectors as well.

Organizations must leverage a combination of user education and technology to address the ever-present threat of phishing attacks. Ongoing education and training on phishing and social engineering tactics empowers users to identify suspicious emails, messages, websites and spoofed voice calls (vishing). At the same time, AI/ML-powered advanced email filtering can bolster security by automatically detecting and blocking malicious messages.

Organizations must foster a culture of open communication, so employees promptly report phishing attacks without fear of recrimination. This lets security teams take swift action and prevents others from falling into similar traps.

Organizations can reinforce remote access security through phishing-resistant MFA and restricting access to only authorized personnel. Conducting regular audits of RDP configurations becomes equally vital. In terms of response capabilities, monitoring access logs for unusual activity can detect an attack in its initial stages, allowing for quick intervention.
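The two preceding paragraphs describe the same chain from both sides: stolen credentials turning into an RDP logon, and access-log monitoring catching that logon early. The following is an added example, not code from the article or from KnowBe4, that scans constructed RDP logon records for two kinds of "unusual activity": a burst of failed logons followed by a success from the same source, and a successful logon for a user from an address outside that user's baseline. The record format, field names, threshold values, baseline and sample data are all assumptions.

```python
"""
Added example (not from the article): a small detector over constructed
RDP logon records implementing two heuristics a monitoring team might use:
  1. a burst of failed logons followed by a success from the same source
     (password guessing, or stuffing with stolen credentials)
  2. a successful logon for a user from a source address not in that
     user's baseline (possible use of phished or purchased credentials)
The record format, field names, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified Windows-style layout:
# timestamp | event_id | user | source_ip | logon_type
# 4624 = successful logon, 4625 = failed logon; logon type 10 = RemoteInteractive (RDP)
SAMPLE_LOG = """\
2024-04-17T02:11:05 | 4625 | jdoe | 203.0.113.45 | 10
2024-04-17T02:11:09 | 4625 | jdoe | 203.0.113.45 | 10
2024-04-17T02:11:14 | 4625 | jdoe | 203.0.113.45 | 10
2024-04-17T02:11:18 | 4625 | jdoe | 203.0.113.45 | 10
2024-04-17T02:11:23 | 4625 | jdoe | 203.0.113.45 | 10
2024-04-17T02:11:30 | 4624 | jdoe | 203.0.113.45 | 10
2024-04-17T09:02:00 | 4624 | asmith | 198.51.100.7 | 10
2024-04-17T09:15:00 | 4624 | asmith | 10.0.0.12 | 2
2024-04-17T11:40:00 | 4625 | asmith | 198.51.100.7 | 10
"""

# Constructed baseline: source addresses each user normally connects from.
# In practice this would be learned from weeks of historical successful logons.
BASELINE = {
    "jdoe": {"198.51.100.7"},
    "asmith": {"198.51.100.7"},
}

FAILURE_THRESHOLD = 5          # this many failures ...
WINDOW = timedelta(minutes=5)  # ... within this window before a success


def parse_log(text):
    """Parse the pipe-separated sample format into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type = [p.strip() for p in line.split("|")]
        records.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "src": src,
            "logon_type": int(logon_type),
        })
    return records


def detect(records, baseline):
    """Return a list of alert dicts for RDP logons matching either heuristic."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed RDP logons
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are in scope here
        key = (r["user"], r["src"])
        if r["event_id"] == 4625:
            failures[key].append(r["ts"])
            continue
        if r["event_id"] != 4624:
            continue
        # Heuristic 1: recent burst of failures from this source, then a success
        recent = [t for t in failures[key] if r["ts"] - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": r["user"], "src": r["src"], "ts": r["ts"].isoformat(),
                "failures_in_window": len(recent),
            })
        # Heuristic 2: success from a source outside the user's baseline
        if r["src"] not in baseline.get(r["user"], set()):
            alerts.append({
                "rule": "new_source_for_user",
                "user": r["user"], "src": r["src"], "ts": r["ts"].isoformat(),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log and baseline."""
    return detect(parse_log(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only the jdoe session fires: five failures in under a minute followed by a success from the same address trips the first rule, and that address is not in jdoe's baseline, so the second rule fires as well. The asmith logons are either from a baselined address or not RDP at all. Tying the two alerts to the same user and source within one window is what lets an analyst classify the intrusion as credential-driven RDP access rather than filing it under "unknown".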

Automated patch management systems can go a long way in keeping software updated and away from exploitation. Attack surface management (ASM) tools with integrated threat intelligence feeds continuously monitor and map the attack surface to identify vulnerabilities. They also prioritize risks based on their likelihood and potential impact, facilitating risk validation through focused penetration testing and red teaming exercises. These proactive exercises simulate real-world attack scenarios to test the effectiveness of defense and response strategies before a real-world exploit occurs.

By strengthening defenses against known threats, organizations can also mitigate many of the unknowns and create a more resilient security posture. In the coming years, vigilance and proactive measures like security awareness training and real-world attack simulations will help teams manage ransomware powered by unknown vectors.

Stu Sjouwerman, founder and CEO, KnowBe4
