The vast majority of ransomware attacks begin with cyber criminals exploiting common cybersecurity errors, which, if correctly managed, could prevent most victims from falling prey to attacks.
Microsoft analyzed anonymised data of real threat activity and, according to the company's new Cyber Signals report, found that over 80% of ransomware attacks can be traced to common configuration errors in software and devices.
These include applications being left in their default state, allowing user-wide access across the network, security tools being left untested or misconfigured, cloud applications set up in a way that can easily allow unauthorized intruders to gain access, and organisations not applying Microsoft's attack surface reduction rules, which allows attackers to run malicious code using macros and scripts.
It's these misconfigurations that ransomware attackers are looking for as they seek out vulnerable targets for ransomware attacks, often with the added threat of double extortion attacks, where cyber criminals steal sensitive data and threaten to publish it if they're not paid.
Microsoft warns that this process has been helped along by the growth of the ransomware-as-a-service (RaaS) ecosystem, which allows attackers who lack the technical expertise to create and develop their own ransomware to conduct attacks and extort ransom payments.
RaaS kits are relatively simple to find on underground forums and can include customer support, providing criminals with all the help they need to get started. Some of these ransomware kits are sold via a subscription model, while others are based on affiliate models, where developers take a cut of the profits from each ransom payment made for a decryption key.
The market behind RaaS is also extremely fluid, with new threats appearing as established offerings disappear. For example, the report details how since Conti, one of the most notorious ransomware operations