The latest “Cyber Signals” report, officially released on the Microsoft Security blog, points out that the vast majority of ransomware attacks begin with cybercriminals taking advantage of common network security mistakes. If these mistakes are managed correctly, most victims can avoid falling victim to attacks.
Microsoft analyzed anonymous data on real threat activity and, according to the report, found that more than 80 percent of ransomware attacks can be traced to common configuration errors in software and devices. These errors include: applications being left in a default state that allows access to users across the network; security tools being untested or improperly configured; cloud applications being set up in a way that makes it easy for unauthorized intruders to gain access; and organizations not applying Microsoft’s attack surface reduction rules, which allows attackers to use macros and scripts to run malicious code.
Ransomware attackers look for exactly these misconfigurations as they seek out vulnerable targets. The attacks often come with the threat of double ransom, in which cybercriminals steal sensitive data and threaten to publish it if the victim doesn’t pay.
Microsoft warns that the attacks are made more severe by the growth of the ransomware-as-a-service (RaaS) ecosystem, which allows attackers who lack the technical expertise to create and develop their own ransomware to carry out attacks and extort ransoms anyway. RaaS kits are relatively easy to find on underground forums, and some include customer support, providing criminals with all the help they need. Some of these ransomware kits are sold through a subscription model, while others are based on an affiliate model in which the developer takes a portion of the profits from each ransom payment for the decryption key.
To prevent cybercriminals from taking advantage of common mistakes and misconfigurations, Microsoft detailed several recommendations for improving cybersecurity. These recommendations include closing security blind spots by verifying that cybersecurity tools and programs are properly configured to protect the system, while disabling macros and other scripts commonly used by cybercriminals to execute malicious code.
The report also recommends improving the security of people, networks and cloud services through the use of multi-factor authentication, which can prevent cybercriminals from using stolen usernames and passwords to carry out attacks. Organizations should also apply security patches and updates as soon as possible to prevent attackers from being able to exploit known vulnerabilities.