How the Biggest Ransomware-as-a-Service (RaaS) Operators Gain Initial Access to Your Environment

Did you know that the entity that deploys ransomware in an environment may not actually be the entity that originally breaks in? In recent years, separate threat actors known as Initial Access brokers have emerged, specializing in obtaining and reselling covert access to their victims. These Initial Access Brokers then sell the access to ransomware-as-a-service (RaaS) threat actor groups and affiliates, who use the access to get into your environment, compromise sensitive data, and deploy ransomware.

Think of it this way – instead of a burglar breaking and entering into a house and rummaging it to steal the valuables, a RaaS operator obtains access through some method (e.g., a window left ajar, a door left unlocked) and then markets and sells that access on the dark web to someone else to burgle.

Once stealthy access is gained, the threat actor maintains connectivity to the victim and publishes their access to potential purchasers. These purchasers can then choose to perform their nefarious tasks, including potentially ransomware deployment, data theft and extortion, and espionage.

Most Common Initial Access Vectors Used

How do these Initial Access Brokers even gain initial access in the first place? There are several methods, some requiring subterfuge or misdirection, some being direct attacks against the organization, others using upstream service providers or trusted partners. These include:

Out-of-Scope Endpoints / Unknown Access

While many of these initial access vectors can be minimized or at least better-defended-against with proper cybersecurity defense tactics and rigor (including modern and effective endpoint software, hardened infrastructure, monitoring, and response capabilities) we have discovered that in many instances there are significant gaps or “blind spots” in coverage.

For example, a customer may choose not to install endpoint software on all of their servers, resulting in what’s known as ‘out-of-scope’ endpoints. If a server is externally facing and a vulnerability is discovered by an attacker, that “blind spot” provides a convenient vector of entry. From that single instance, it is considerably more difficult to defend the entire organization once the attacker gains a firm foothold within the blind spot.

Email-based Attacks (Phishing or Business Email Compromise)

These are among the most classic inbound vectors to gain illicit access. An attacker sends emails out to innumerable email addresses with either malicious attachments, URLs, or more recently QR codes. While only a small fraction of the targets will actually click on the links or open the attachments, this is a relatively low-risk method to gain access.

Due to a combination of improved anti-phishing technology, security awareness training and reporting, the proportion of email-based attacks used to gain initial access has fallen in recent months but has been supplanted by browser-based attacks.

Browser-based Attacks

Browser-based attacks require the end user to initiate the download of malicious materials intended to gain initial access. There are four primary methods threat actors use to socially engineer employees:

• Malvertising: Using Google Ads to publish fake advertisements for webpages that host malware.
• Search Engine Optimization (SEO) Poisoning: Using keyword search terms to get their attacker-controlled webpages to rank first in search engine results.
• Watering Hole: Compromising pages that their targets are already visiting, planting malware, and tricking users into downloading and executing it.
• Freeware: When users download “free software” or “cracked software” from third-party software repositories, they can sometimes get “software bundles” that include adware, RATs, and infostealers in addition to the legitimate file they wanted to download.

Valid Credentials

Some attackers will comb through credential caches from websites that have been previously exploited. In situations where two-factor authentication (2FA) is not used, static usernames and passwords can be obtained and reused.

Along with this, brute force password login attempts can yield initial access to attackers. Note that the use of strong 2FA can minimize much of the significance of these attacks but it is not a panacea; attackers have built other attack methods to impersonate legitimate users through 2FA.

External Vulnerabilities

All non-trivial software hosts vulnerabilities, and often attackers will probe targets for vulnerabilities in externally facing infrastructure, including weak code or misconfiguration. Websites running unpatched code are a frequent vector, but more concerningly remote access software (including VPN access) has been susceptible to attacks.

Once a remote attacker gains control of the remote access environment, they are generally able to move throughout the organization freely. The ConnectWise/ScreenConnect incidents in the last month are an example of the seriousness of this attack vector. However, there have been many others in the recent past, including Fortinet VPN and Kaseya vulnerabilities.

Trusted Third-Party Entities

Attacking a trusted third-party entity that has administrative-level access into hundreds or even thousands of client entities is one particularly effective method by which initial access can be gained. The effort required to gain access to one entity that holds “the keys to a thousand kingdoms” is not generally much more than of a smaller one, and the payoff can be considerably higher. Trusted third-party service providers must be considered possible vectors of attack, and rigor should be used to evaluate third party vendors, and to monitor and secure access accordingly.

Key Recommendations to Defend Against Initial Access Vectors

The best defense against modern ransomware attacks is to continually defend against the “thin edge of the wedge” – the initial access vector used. These tactics include:

• Implementing robust endpoint protection with a modern endpoint software solution that provides comprehensive coverage to intercept User Execution tactics. Make sure there are no blind spots or out-of-scope endpoints in your environment.
• Using modern multi-factor authentication methods (especially for externally-facing infrastructure).
• Leveraging a strong phishing and security awareness training program that uses real-world attack methodologies and scenarios to educate your users on how to identify and report potentially malicious content.
• Implementing 24/7 threat detection and response capabilities with true multi-signal intelligence for full threat visibility, around-the-clock coverage, and access to unlimited threat intelligence & incident handling to shut down attacks before they disrupt your business.