
Ransomware - How Did They Get In?

A ransomware attack is a type of cyberattack in which an attacker uses malicious software (known as ransomware) to encrypt the victim's files, making them inaccessible. The attacker then demands payment in exchange for the decryption key the victim needs to regain access to their files.

Ransomware attacks can have serious consequences for individuals, businesses, and organisations. They can result in the loss of critical data, disrupt operations, and impose significant financial costs.

The most common attack vector in 2021 and 2022 was compromised user credentials.

User credentials are generally compromised through:

A user interacting with a phishing email (for example, entering their password on a fake login page);
Weak passwords being brute forced (guessed by a computer program);
Credentials being stolen in other data breaches (e.g. Optus, Medibank, and many others).

Password reuse is also an issue faced by many organisations. During a recent engagement, the password 'Spring2022!' was chosen at random and tested against all user accounts, with the surprising outcome that it worked for 22 accounts. We ran the same test with 'Password1' and it worked for 4 accounts.
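A simple defensive check illustrates the point above: passwords of the form season-plus-year or a common word with a digit appended will pass a naive complexity rule and still be guessed quickly. The following is an added example written for this post, not code from the original article or from any engagement tooling. The breached-password set and the banned base word 'examplecorp' are constructed placeholders; a real deployment would check against a maintained breached-password corpus and the organisation's own name and products.

```python
import re
from typing import Optional, Dict, Iterable

# Constructed stand-in for a breached-password corpus (placeholder values, not real breach data).
BREACHED = {"password1", "welcome1", "qwerty123"}

# Base words that remain weak regardless of the digits or symbols appended to them.
# "examplecorp" is a hypothetical company name standing in for the organisation's own.
BANNED_BASE_WORDS = {"password", "welcome", "letmein", "examplecorp"}

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Season or month name, an optional 2- or 4-digit year, then up to three trailing symbols.
# Matches "Spring2022!", "Winter23", "March2021" and similar predictable patterns.
DATE_WORD = re.compile(
    r"^(?:%s)(?:19|20)?\d{2}[!@#$%%^&*.?]{0,3}$" % "|".join(SEASONS + MONTHS),
    re.IGNORECASE,
)

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def weak_password_reason(password: str, min_length: int = 12,
                         passphrase_length: int = 20) -> Optional[str]:
    """Return a short reason the password fails policy, or None if it is acceptable.

    Pattern checks run before the length check so that the report names the real
    problem ("Spring2022!" is a predictable pattern, not merely short).
    """
    lowered = password.lower()
    if lowered in BREACHED:
        return "appears in breached-password list"
    if DATE_WORD.match(password):
        return "season/month + year pattern"
    # Strip digits and symbols to recover the base word: "Password123!" -> "password".
    base = re.sub(r"[^a-z]", "", lowered)
    if base in BANNED_BASE_WORDS:
        return "banned base word"
    if len(password) < min_length:
        return "shorter than %d characters" % min_length
    # Long passphrases are exempt from the character-class rule; short passwords are not.
    if len(password) < passphrase_length:
        classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
        if classes < 3:
            return "fewer than three character classes"
    return None


def is_acceptable(password: str) -> bool:
    return weak_password_reason(password) is None


def audit(passwords: Iterable[str]) -> Dict[str, int]:
    """Count rejection reasons across a batch, e.g. candidate passwords from a policy review."""
    counts: Dict[str, int] = {}
    for pw in passwords:
        reason = weak_password_reason(pw) or "acceptable"
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    for candidate in ("Spring2022!", "Password1", "Password123!", "Tr0ub4dor&3",
                      "correct-horse-battery-staple"):
        print("%-30s %s" % (candidate, weak_password_reason(candidate) or "acceptable"))
```

Run it directly to see each constructed candidate with the reason it is rejected; the pattern and base-word checks fire before the length check so the report explains why a password like 'Spring2022!' is dangerous rather than just noting it is short.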

Once valid user credentials are known, your external-facing systems such as webmail, email, and remote access are exposed if they do not require an additional form of authentication (MFA/2FA).

Internet-facing services, servers with unpatched vulnerabilities, and cloud service misconfigurations are also very common entry points for attackers. The ProxyShell and ProxyLogon vulnerabilities found in Microsoft's Exchange email servers in 2021 caused havoc. Security patches are still being released, with two new zero-day vulnerabilities recently identified in Exchange email servers.

When a new security vulnerability is disclosed, it is common to see malicious code targeting it developed within hours. That means security patches must be applied within 48 hours if an exploit exists.

The takeaway from this blog?

Enforce strong passwords;
Implement MFA;
Consider endpoint monitoring for malicious activity;
Monitor security updates and apply them as an urgent priority.

In our next blog, we will talk about how to determine if data has been stolen during a compromise.

Feel free to contact us on 03 8351 5455 if you would like any further information.
