Files can take the form of standard formats like MS Office attachments, PDF files or JavaScript. Clicking on these files or enabling macros allows the file to execute, starting the process of encrypting data on the victim's machine.
2. Infection via compromised websites

Not all ransomware attacks have to be packaged in a maliciously crafted email. Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps one they frequent often. The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, a plugin or a media player.

If the site has been primed to deliver ransomware, the malware could either be activated directly or, more commonly, run an installer that downloads and drops the ransomware.
3. Malvertising and breaching the browser

If a user has an unpatched vulnerability in his or her browser, a malvertising attack can occur. Using ordinary advertisements on websites, cybercriminals can insert malicious code that will download the ransomware once an advertisement is displayed. While this is a less common ransomware vector, it still poses a danger since it doesn't require the victim to take any overt action such as downloading a file or enabling macros.
4. Exploit kits that deliver custom malware

Angler, Neutrino and Nuclear are exploit kits that have been widely used in ransomware attacks. These frameworks are a type of malicious toolkit with prewritten exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Microsoft Internet Explorer and Microsoft Silverlight are also common targets. Ransomware like Locky and CryptoWall has been delivered through exploit kits on booby-trapped sites and through malvertising campaigns.
5. Infected files and application downloads

Any file or application that can be downloaded can also be used to deliver ransomware. Cracked software on illegal file sharing sites is ripe for compromise, and such software is as often as not laden with malware. Recent cases of MBRLocker, for example, took this route. There is also potential for hackers to exploit legitimate websites to deliver an infected executable. All it takes is for the victim to download and run the file or application, and the ransomware is then deployed.
6. Messaging applications as infection vectors

Through messaging apps like WhatsApp and Facebook Messenger, ransomware can be disguised as scalable vector
www.intelligentciso.com | Issue 29
75