Ransomware has been a source of major problems for many organizations in recent years. Many of them, aware of this situation, attempt to concentrate their efforts on protecting themselves against this class of threats. This often means that they shift their budgets away from web security. Unfortunately for them, it means they are actually making their IT systems less secure against ransomware.

Here are 5 reasons why taking care of your web security is very important to avoid ransomware.

Reason 1. Ransomware is a result of attack escalation

Ransomware is not the attack itself; it is the result of the actual attack.

If we were to compare the effect of ransomware to an illness, the ransomware software itself would represent a virus or bacterium. Once the virus or bacterium gets into the body of the host, it is able to multiply and infect the entire system, often with fatal results. It is the same with ransomware: once it enters the system, it may be impossible to stop.

However, just as a bacterium or a virus does not simply fly from one host to another on its own, neither does ransomware. It must somehow be introduced into the system. And the most effective measures of defense apply at this stage – they aim to prevent ransomware from entering the system in the first place.

Just like bacteria and viruses, ransomware may be delivered along different paths. For example, a bacterium or a virus may spread by touch or by saliva droplets. Similarly, ransomware may just as easily be delivered by phishing and social engineering or by exploiting vulnerabilities in the system. And nowadays, most such vulnerabilities are web vulnerabilities (for an explanation of why, see Reason 3 below).

Conclusion: To protect from ransomware, you must focus on protecting yourself against the attacks that can be used to deliver ransomware to your systems. Once ransomware is in your system, it is too late.

Reason 2. Web attacks are used to spread ransomware

Phishing and social engineering are believed to be the most common way to deliver ransomware. However, phishing is often made more effective by common web vulnerabilities such as cross-site scripting (XSS). Such vulnerabilities allow attackers to use trusted domain names, for example, your business name, to deliver attacks to your employees and others.

Just imagine that your web application has an XSS vulnerability. This allows the attacker to send your employees a URL that carries your domain name. However, upon visiting this URL, your employee would be automatically redirected to a malicious download location and download a ransomware installer. Do you think that your employees won’t fall for such a trick? Think again.

Even worse, the attacker may use your vulnerable web application to attack your business partners, your customers, and even the general public, exposing your system’s weakness and harming your reputation irreparably. If you want to avoid this, you must make sure that none of your systems that use your domain names have such XSS vulnerabilities.

Conclusion: Your web vulnerabilities may enable phishing attacks against your own organization, your partners, your clients, or even the general public. This may cause irreparable harm to your reputation.
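As an added example that is not part of the original article, the following Python code shows a reflected XSS flaw of the kind described above beside its hardened form, together with a check a test suite can run. The page template, the parameter name and the sample input are all constructed for illustration.

```python
# Added example, not the article's or any product's code: a reflected-XSS
# style bug beside its hardened form. Template, parameter and input are
# constructed for illustration.
import html
import re

# Constructed value that a link pointing at the site could carry in its
# query string; the tag content is a harmless placeholder.
CONSTRUCTED_INPUT = 'acme<script>/* constructed */</script>'

PAGE = "<!doctype html><html><body><h1>Results for: {q}</h1></body></html>"


def render_unsafe(q: str) -> str:
    """Vulnerable: echoes the query parameter verbatim into the HTML body."""
    return PAGE.format(q=q)


def render_safe(q: str) -> str:
    """Hardened: HTML-encode the reflected value so any markup in it is
    rendered as text, never interpreted by the browser."""
    return PAGE.format(q=html.escape(q, quote=True))


def security_headers() -> dict:
    """Defence in depth: a Content Security Policy that blocks inline
    scripts and scripts from other origins, limiting the impact of any
    encoding bug that slips through."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; "
            "object-src 'none'; base-uri 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflects_markup(page: str, user_input: str) -> bool:
    """Regression check: does any HTML tag present in the user input
    survive verbatim in the rendered page?"""
    return any(tag in page for tag in TAG_RE.findall(user_input))
```

Running `reflects_markup` against both renderers shows the unsafe one reflecting the tag and the safe one neutralizing it.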

Reason 3. The move to the cloud means that more criminals aim for the cloud

As mentioned in Reason 1, ransomware may be delivered to the target system using different methods, very often taking advantage of vulnerabilities. A while ago, most such vulnerabilities would exist in on-premises systems – these would be network vulnerabilities, for example, resulting from out-of-date software or misconfiguration of local networks. Now that many businesses have moved to remote work after the recent pandemic, on-premises networks are losing even more ground.

Such on-premises networks are being replaced by the cloud. And the cloud is based completely on web technologies. Therefore, the move to the cloud is associated with the growing importance of web vulnerabilities. Vulnerabilities that used to, perhaps, affect just marketing websites now may affect business-critical systems and business-critical data.

The creators of ransomware also keep up with the times. They are aware that it is no longer enough for a malicious encryptor to crawl through a local network and infect local desktops and servers. They are aware that nowadays, more and more potential victims use thin clients (browsers) and access data that is stored in the cloud. Therefore, they realize that they must take advantage of more and more web/cloud vulnerabilities to ensure their ransomware software is as effective as possible.

Conclusion: Most organizations either already use the cloud or are moving to it, making network security obsolete. Focusing on network security instead of web security in this day and age makes security efforts futile.

Reason 4. Organizations do not report attack details

It is very difficult to know how to defend your business against ransomware because other organizations that have fallen victim to ransomware most often do not share their experiences. They simply inform the public that they have been the victim of a ransomware attack – nothing more.

Such behavior is understandable. First, attacked organizations may be unable to fix their security weaknesses immediately. Second, organizations are afraid to share attack vector details so that they don’t make themselves more open to other attacks. Third, many organizations wrongly believe that admitting their mistakes may hurt their reputation.

Unfortunately, this behavior slows down the development of efficient protection methods and has an overall negative impact on IT security worldwide. This situation could be compared to a country that is affected by a deadly virus and will not share any details about it for political reasons.

Conclusion: Not sharing the details of attack vectors used to deliver ransomware to victim systems makes it more difficult for other businesses to avoid ransomware.

Reason 5. Media focuses on the problem, not the solution

What makes the situation even worse is the fact that in those rare cases when attack details are known, most media decide not to mention any such details. This is true of all security breaches. Instead, the media focus on popular topics such as the business impact of the ransomware attack. For example, to find out that the Capital One data breach from 2019 was caused by a server-side request forgery (SSRF), you would have to dig very deep in search engines. Most media sources did not bother to mention this crucial information.

In light of media and business behavior that makes ransomware even more of a problem for businesses everywhere, it is a pleasant surprise to see that there are major enterprises that follow the best possible practices. There is probably no better example of this than Cloudflare. For example, when in 2019 Cloudflare experienced a major outage caused by human error and the use of a web application firewall (WAF), they described the entire incident at an impressive level of detail – and this is their regular practice.

Conclusion: We heartily recommend that the media share known attack details. If we share the information and learn about the first steps of a ransomware attack, we will all have a better chance to protect ourselves against such attacks in the future.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.