Even before the global COVID-19 pandemic, ransomware stood out as one of the biggest security challenges facing CISOs and their security staffs. These malware incidents exploded in 2019, and the switch to a nearly all work-from-home workforce in the past several months has opened up new avenues for cybercriminals to exploit.
In May, security firm Sophos released a study on ransomware attacks that included responses from 5,000 IT managers around the world; it found that over 50 percent of the organizations surveyed reported a ransomware attack. The study was conducted between January and February, just before the pandemic hit.
The average cost to an organization that didn’t pay the ransom totaled more than $732,000, while victims that did pay off their attacker saw their cleanup and recovery costs rise to more than $1.4 million, according to the Sophos study. It’s one reason law enforcement agencies, including the FBI, urge those targeted by ransomware not to pay cybercriminals.
Once the COVID-19 pandemic began, ransomware attacks continued, including incidents involving healthcare and research organizations at the frontlines of treating the virus, according to Microsoft, which published its own in-depth study of the issue in April.
And there’s no letup in sight. Take the recent case of the high-powered New York law firm of Grubman Shire Meiselas and Sacks, which has a roster of A-list celebrity clients, including Lady Gaga, U2 and Madonna. Here, a cybercriminal gang dubbed REvil (also known as Sodinokibi) attacked, stole and encrypted thousands of legal documents and files, threatening to release them if a $42 million demand wasn’t met.
It appears that the operators of REvil may have gained access to the law firm’s networks months prior to announcing the actual attack in early May, so while COVID-19 might explain some ransomware attacks, it can’t account for all of them. Still, security experts are warning that work-from-home environments, which rely on employees remotely connecting to a network, lack security controls. Cybercriminals are more than willing to exploit this situation.
“The pandemic-induced remote workforce model has made getting an initial toehold easier, as many company-owned laptops are now logging many more hours outside the relatively protected shelter of the corporate office,” Oliver Tavakoli, the CTO of security firm Vectra, told Dice.
Locking Down RDP
One of the consequences of work-from-home environments is the increasing use of remote access tools to connect with corporate resources. For many employees, it’s using VPNs. For system administrators and IT workers, it’s through remote desktop protocol (RDP).
Since COVID-19, the amount of attacks against RDP and other types of remote access tools has increased. In April, for example, Kaspersky published a report that found brute-force attacks targeting the usernames and passwords of RDP connections had increased with the rise of the new remote workforce. Once RDP is compromised, attackers can deploy malware, move laterally through the network and steal data.
In addition, ransomware gangs favor using compromised RDP connections, along with phishing emails, to gain footholds in networks and begin extensive reconnaissance before finding which files and data they want to encrypt and steal, according to a recent report from security firm Coveware. This gives them the maximum leverage against their victims when demanding ransom.
The operators of REvil, which attacked the New York celebrity law firm, are one of several ransomware gangs that are known to target vulnerable RDP connections.
In the rush to create these types of remote connections to support employees in the wake of COVID-19, organizations may have opened the door to future attacks if proper security procedures aren’t in place.
“If the data that is of high value—and which would command a large ransom—is behind the firewalls on the corporate network, only employees who generally access the corporate network—via VPN or RDP or VDI—can be used as conduits for the lateral spread,” Tavakoli said. “In such scenarios, attacks on employees who utilize this type of access become more central elements in deeper ransomware attacks. In their haste to get everyone working from home, some organizations exposed bastion hosts via difficult-to-secure protocols like RDP directly to the Internet. Such shortcuts can contribute to the likelihood of a successful ransomware attack.”
Xue Yin Peh, a senior cyber threat intelligence analyst at security firm Digital Shadows, believes that now is the time for CISOs and their teams to reassess some of the ways employees and staff use remote connections before giving ransomware gangs additional ways to infiltrate corporate networks.
One sure-fire way is to disable connections for those who don’t need the access for their jobs, Peh said: “Where RDP is required, organizations should look to restrict access… Standard methods like putting RDP access behind a VPN, using Remote Desktop Gateway, or using firewalls to limit access to remote desktop listening ports will make it more challenging for unauthorized RDP connections.”
Think Retraining
Security experts agree that now is also the time to rethink the way employees are trained, which also includes IT professionals and developers who rely on remote access connections such as RDP for their job. An increase in security awareness, especially with how ransomware attacks start and the weaknesses that cybercriminals look for, could make a big difference for how organizations secure their networks and data.
“So, should these dangers shift the way an organization hires and trains their security workforce and employees? Not the way in which the organization hires—continue to look for smart people who are willing to user their judgment and consider risk in their decisions,” Tavakoli said “But training on how to provide secure remote access to sensitive parts of the network is clearly something that should be front-and-center during a time when almost no one is in the office.”
In addition, Peh believes, now is the time for CISOs to implement best-in-class security protections and insist that all employees use multi-factor authentication and be aware that attackers are looking to compromise credentials.
“As compromised credentials are often used to gain access to a network, these programs should also teach employees to identify suspicious websites and not to provide their credentials on potentially malicious websites,” Peh said. “Remembering complicated passwords is tedious, but enforcing a strong password policy is a necessary evil, as weak credentials are common points for failure in cyberattacks.”
Visit our COVID-19 Resource Center, which aims to provide the tech community with the best, most up-to-date information on the novel coronavirus.