What is Ransomware and Why are Attacks So Dangerous?
Unlike most other malware, ransomware is by design usually resident on a computer only temporarily, and it operates with authenticated, credentialed access. To avoid detection before its encryption routine has completed its objective, ransomware tends to search for and neutralize endpoint protection so that the payload runs successfully. Additionally, the encrypting code itself may only appear on the target system just before the encryption process completes.
Is It Me, Or Is It Raining Ransomware?
Over the past 10 days, there has been a dramatic increase in ransomware attacks across the general public market, impacting many organizations as part of this growing problem. We continue to see this pervasive problem threaten the business landscape, and we have noticed patterns of activity that should be addressed as part of proper IT security hygiene to improve cyber defense.
According to a recent report, ransomware detections have rocketed beyond 365% year-over-year in just the second quarter of 2019!
Many of these recent ransomware attacks stem from an initial compromise associated with Port 3389 (RDP). In June 2019, Synoptek sent out a public service announcement about the critical RDP exploit also known as BlueKeep.
While there is no evidence that BlueKeep is the entry exploit impacting these organizations, it has contributed to the increased interest among bad actors in searching for exploitable public-facing RDP. In some observed cases, ransomware was a secondary malicious payload delivered after the attacker gained authenticated access to the system by leveraging publicly accessible RDP.
Reducing the Threat of Ransomware
Given the range and size of our client portfolio, Synoptek is working to ensure we actively advise our clients of the potential risk associated with critical vulnerabilities such as the publicly accessible RDP issue (which may be open either by design or inadvertently, due to the communication protocols tied to the Microsoft Windows Operating System), and provide the appropriate contingencies ahead of a compromise.
With the introduction of SaaS services (e.g., Azure & AWS), vendors may not have put security first, because the implementation of quality-of-life features has come at the expense of basic security parameters.
There are preemptive actions that can and should be taken. Preemptive measures greatly reduce the threat of a ransomware attack, and they may also improve the overall defensive posture of a computing environment against pervasive exploits.
How to Prevent Ransomware Attacks
While this problem continues to burden the general population, the following steps will go a long way toward helping businesses improve their chances of driving the bad guys elsewhere. Just like being chased by a bear in the woods—you don’t have to be faster than the bear, just faster than the guy next to you!
The tools are available; they just need to be used!
- Secure configurations: The basics can go a long way. For example, proper network segregation, network and endpoint protection strategy, suspicious activity detection and response are just a few things that can help mitigate impact.
Don’t just give anyone the keys to the kingdom.
- Role-based access and the “Least Privilege” principle: Restricted user permissions (relating to installing and running software applications) and “least privilege” end-user access based on role should be core to business operations, maintenance, monitoring and management of IT systems. Keeping privileges restricted limits the movement of threats, including malware. The single most impactful authentication configuration in a security strategy is to add multi-factor authentication for all publicly accessible assets and services.
Did you lock the front door?
- Edge firewall basics: Be sure to regularly review all firewall configurations to ensure any unintended exposure is closed immediately. Consider subscribing to an OSINT reputation service to automagically block access from known malicious actors. In light of this Port 3389 exploit, any external RDP access should be moved behind a VPN or, at a minimum, IP-restricted to known office locations.
What did you fix that needed fixing?
- Patch management: Vendors provide fixes for known and exploitable vulnerabilities. Make it a point to implement the fixes and be sure that all systems and software are current with respect to their patching and updates. Exploit kits hosted on compromised websites are the usual route for spreading ransomware, so routine review of patching for vulnerable software plays an essential role in reducing the threat of compromise.
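The edge firewall review above, turned into an automated check: this added example (not Synoptek's tooling) audits a constructed list of edge firewall rules and flags every allow rule that exposes TCP/3389 to a source outside a known-office allowlist, so that open-to-anyone RDP is caught before an attacker finds it. The rule format, sample rules and office ranges are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

RDP_PORT = 3389


@dataclass
class Rule:
    """One edge firewall rule (hypothetical flat format for this example)."""
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp" or "udp"
    dst_port: int
    src_cidr: str    # source address range the rule matches


# Constructed sample rule set; the addresses are documentation ranges, not real offices.
SAMPLE_RULES = [
    Rule("vpn-gateway", "allow", "udp", 1194, "0.0.0.0/0"),
    Rule("rdp-from-hq", "allow", "tcp", RDP_PORT, "203.0.113.0/24"),
    Rule("rdp-legacy-any", "allow", "tcp", RDP_PORT, "0.0.0.0/0"),
    Rule("rdp-branch", "allow", "tcp", RDP_PORT, "198.51.100.0/25"),
    Rule("https-public", "allow", "tcp", 443, "0.0.0.0/0"),
]

# Assumed allowlist of office ranges that are permitted to reach RDP directly.
KNOWN_OFFICES = ["203.0.113.0/24"]


def rdp_exposures(rules, known_offices):
    """Return (rule name, reason) for each allow rule that lets TCP/3389 in
    from a source that is not fully inside one of the known office ranges."""
    offices = [ip_network(cidr) for cidr in known_offices]
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.proto != "tcp" or rule.dst_port != RDP_PORT:
            continue  # only inbound RDP allow rules matter here
        src = ip_network(rule.src_cidr)
        if src.prefixlen == 0:
            findings.append((rule.name, "RDP open to the entire internet"))
        elif not any(src.subnet_of(office) for office in offices):
            findings.append((rule.name, f"RDP allowed from {rule.src_cidr}, not a known office range"))
    return findings


if __name__ == "__main__":
    for name, reason in rdp_exposures(SAMPLE_RULES, KNOWN_OFFICES):
        print(f"[EXPOSED] {name}: {reason}")
```

Any rule it reports should either be removed in favour of VPN access or narrowed to the office ranges, and the check is cheap enough to run on every firewall export.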
How Synoptek can Help
As a standard practice for all customers, Synoptek works to ensure that we actively advise all clients of the potential risk associated with critical vulnerabilities, such as the publicly accessible RDP issue, and provide appropriate contingencies ahead of a compromise.
By helping businesses cover the basics of security, we take the preemptive actions listed above, which can greatly reduce the threat of a ransomware attack and improve the overall defensive posture of a computing environment against these pervasive exploits.
Learn more about how Synoptek keeps up with the latest security practices to protect your systems.