Ransomware was rampant in 2017, and ill prepared users were caught off-guard. This spiralled into widespread panic as victims scrambled to safeguard valuable data, often succumbing to criminal demands to pay increasingly expensive ransoms via cryptocurrency, which skyrocketed in value itself. Unfortunately, meeting these demands did not guarantee files would be returned undamaged, if at all, making it a favourable year for ransomware authors.
Over time it’s become increasing difficult for ransomware authors to scare victims into paying to salvage their data, with more adoption of simple best practices like timely and cloud backups. This combined with more users turning to Windows 10, a more secure operating system, has forced hackers to get more creative. The ransomware threat is still real, and is in fact adopting a more targeted business model through unsecured Remote Desktop Protocol (RDP) connections as the attack vector.
Exploiting unsecured RDP connections
While RDP connections support modern working practices, by enabling off-premise access to a machine and network, they can act as a weak link in an organization’s cybersecurity defences. This attack vector is gaining popularity with cybercriminals who use tools like Shodan to scan for businesses that have not created adequate RDP settings, leaving their environments open to infiltration. Even the less sophisticated cybercriminals can visit the ‘dark web’ to buy RDP access to already hacked machines. Once a given system has been accessed, criminals can browse all data on the system or shared drives to assess its value. This helps the criminal decide whether to deploy ransomware or other payloads – whichever will have the most impact and profitability. This targeted approach improves the chances of an organization paying the ransom, as the encrypted content will be of highest value and importance.
Cybercriminals in action
This isn’t theoretical. The notorious SamSam Ransomware group and their campaigns made millions in cryptocurrency earlier this year, thanks to improperly configured RDP. High profile attacks dominated headline news when they shut down government sectors of Atlanta and Colorado, along with medical testing giant LabCorp. In the cases of Atlanta and Colorado, these states chose not to pay the ransom and instead decided to rebuild their IT systems, to the tune of over $2.5 million (in the case of Atlanta). But there are now multiple viable choices for payloads in an RDP compromise. Because the criminal can see all the hardware installed, it’s easy to determine if the installed CPU and GPU would deliver more profit mining cryptocurrency than if attackers simply deployed a ransomware infection.
Defending against attacks
The importance of education cannot be understated and plays a crucial role in protecting an organization from compromise. IT departments often leave default ports open and are lax about password policies, underscoring the reality that employees are the weakest link. Continuous training on how to configure the environment and establish a baseline of resilience is as important for a company with 50 employees as for a multinational corporation. According to the Webroot Mid-Year Threat Report 2018, organisations who implemented 11 or more security awareness campaigns saw their phishing email click-through rate drop to 13%. In addition, assessment of the impact of this training should be made, bolstered by a comprehensive disaster recovery plan.
Ransomware continues to plague organisations of different sizes and industries. The recent attacks on the San Diego Port Authority and Bristol Airport highlight the direct impact and disruption that can occur, even to public services. The best defence is security awareness education for employees – particularly around avoiding phishing attacks that could compromise their system’s credential – coupled with installing anti-malware software to protect valuable information. No organization is exempt from attacks and only a robust security posture will mitigate these threats.
Tyler Moffitt, Senior Threat Research Analyst at Webroot