Phishing emails and unsecure remote desktop protocol access are two common types of attack methods used to spread ransomware, says cyber breach firm Beazley Breach Response Services.
Ransomware is a serious threat to organizations under any circumstances. But as the coronavirus spreads and more people work from home, cybercriminals are exploiting the situation to hit more potential victims. The latest ransomware campaigns are targeting businesses and their remote workers through such methods as phishing emails and vulnerabilities in Microsoft's Remote Desktop Protocol (RDP). But there are ways to strengthen your defense against these ransomware attacks, as described by Beazley Breach Response Services.
SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)
Released on Monday, Beazley's 2020 Breach Briefing found a dramatic rise in ransomware long before the coronavirus outbreak emerged. In 2019 overall, the number of ransomware attacks reported to Beazley by the firm's clients jumped by 131% from 2018. Certain ransomware variants, including Ryuk and Sodinokibi, were launched in combination with banking trojans such as Trickbot and Emotet. As such, targeted organizations had to not only deal with the ransomed data, but also determine whether the information was stolen.
Looking at the methods used to spread malware, phishing emails are one common vector. Emails with malicious attachments or links to credential-stealing sites have led to a huge number of incidents, according to Beazley. Though certain defenses are available, including email filters and extra levels of authentication, these aren't yet broadly in use, leaving many organizations vulnerable.
Microsoft's Remote Desktop Protocol is another common technology ripe for exploitation, especially now as more people are working remotely in the wake of the coronavirus. Hackers will use brute force attacks to try to obtain the login credentials of an employee with remote desktop access. If successful, the attack can then give the hacker access to critical workstations or servers.
RDP itself is flawed. It runs on a standard port, so it can easily be identified during a scan. It's also been saddled with various security vulnerabilities over the years, many of which allow hackers to gain unauthenticated access to an internal workstation or server. Even when a patch becomes available, such as Microsoft's fix for BlueKeep, organizations are not always diligent about deploying it.
"The coronavirus has forced many more employees to work from home and in this pressured environment it is very important that companies take the right steps to reduce the vulnerability of their IT infrastructure," Katherine Keefe, Beazley's global head of BBR Services, said in a press release. "Always ensure employees can access their computer using a virtual private network with multi-factor authentication. It is important to whitelist IP addresses that are allowed to connect via RDP, and make sure that unique credentials for remote access are in place--particularly for third parties."
One more ransomware strategy gaining traction is to attack a vendor rather than individual organizations. As more businesses rely on outside vendors to manage key services and assets, a cyberattack against a single vendor can target a wide range of customers. At least 17% of the ransomware incidents reported to Beazley last year came from attacks on third-party vendors.
To better prevent ransomware from hitting your organization and your workers, Beasly offers the following tips:
- Lock down RDP. The RDP attack vector is regularly targeted by ransomware attacks. Disable RDP where not required. Apply secure configurations where RDP is enabled, including use of strong passwords (at least 16 characters in length) and multi-factor authentication (MFA).
- Require MFA. Turn on MFA for internal administrative accounts and for external access to all applications, particularly sensitive ones such as email, RDP, and VPNs.
- Disable PowerShell. Update PowerShell to the latest framework on all computers. Improved logging and security controls are available with the latest version. Disable PowerShell on workstations where possible. Where PowerShell cannot be disabled, logging and continuous monitoring of PowerShell activity is critical.
- Patch systems. Allow automatic patching of the operating system and internet browsers. Stay on top of anti-virus software updates to detect new emerging threats that can go unnoticed in a system if the anti-virus program is out of date.
- Apply web filtering. Ransomware infections can occur through malicious websites or malicious ads hosted on legitimate business websites that will redirect a user to a bad site. Apply filtering at the network and endpoint level that blocks connections to known-malicious sites.
- Limit administrative rights. Admin rights should be limited to IT roles requiring these privileges and be protected with MFA. IT staff should have non-privileged accounts for day-to-day activities such as email and browsing.
- Conduct security awareness training. Train employees on how to recognize common threats and scams and how to report any suspicious security incident. Conduct phishing exercises periodically to enhance security awareness and prepare employees for responding to cyber attacks
As preventing ransomware isn't always possible, Beazly offers the following three suggestions to help you better recover from an attack:
- Back up your data. A well thought out backup and restoration plan is one of the most important countermeasures against ransomware. Back up data regularly and maintain copies offline and/or in cloud storage. Use unique credentials to secure your backups, and store the credentials separately from other user credentials. Encrypt backups, especially when stored offsite at a third-party location or in a cloud environment.
- Test backups. Test backups periodically to validate that recovery is in line with the organization's recovery point and recovery time objectives. Implement automated monitoring that notifies you when backups are not functioning correctly.
- Develop a business continuity plan. Effective business continuity planning helps identify how to carry out essential operations in the event of a business interruption caused by ransomware.
"Although these attacks can be damaging and complex, some of the most effective preventative measures are relatively simple," Keefe said. "More than ever, organizations need to ensure their IT security measures are a top priority and up-to-date, that they have access to authoritative, experienced risk management advice, and importantly, that employees are trained and alert to the potential threats."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)