The Three Most Dangerous Ransomware Delivery Vectors: RDP, VPN, and Phishing

By Gerry Grealish

Successful attacks using ransomware have proliferated so much that some security researchers are developing viable second careers as “ransomware negotiators,” bargaining with attackers who hold corporate data hostage. Creative — and convincing — ransomware approaches have flourished during the lockdown era, with industry experts noting a 72 percent increase in new ransomware samples. In other words, there are more ransomware attacks and more attackers trying out — and successfully leveraging — new kinds of ransomware.

That said, the vast majority of all ransomware falls into three categories. Some use exploits that target RDP, others use exploits targeting VPN, and the rest use phishing attacks. If you’re able to secure these three vectors against ransomware threats, you’ll have dramatically minimized your attack surface.

Protecting Yourself Against Ransomware That Exploits RDP

As ransomware has matured, its targets have shifted — moving from individuals who are unlikely to be able to pay large ransoms to deeper-pocketed companies. Even before the pandemic, most companies standardized on RDP as a solution for their remote workers. As such, RDP became a natural delivery channel for hackers to explore — and exploit.

The hackers quickly discovered three relevant points:

1. RDP vulnerabilities are incredibly common, with new code execution bugs seemingly being discovered once a month. Companies, meanwhile, are slow to patch these bugs.

2. Many companies leave their RDP ports open and discoverable to the public internet. This means that attackers can easily break in with the help of vulnerability scans and credential stuffing attacks.

3. Even if companies keep their RDP implementation fully patched, there’s every chance that a user has weak credentials, letting attackers obtain logins by brute force.

Basically, a vanilla RDP implementation is a gift for attackers, who make money buying and selling RDP credentials to ransomware attackers.
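Points 2 and 3 describe activity that leaves a clear trace in the Windows Security log. As an added example that is not part of the original article, the Python script below reads logon events exported as dictionaries (Event ID 4625 is a failed logon, 4624 a success, and LogonType 10 is RemoteInteractive, i.e. RDP; those are real Windows values, while the dictionary layout and the sample events are constructed) and flags source addresses whose densest five-minute run of failures looks like brute force against one account or credential stuffing across many accounts, noting whether a successful logon followed.

```python
"""Spot RDP password guessing in Windows Security log events.

Added example, not code from the article. It assumes the events have
already been exported as dicts with the fields below (Event ID 4625 =
failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive,
i.e. RDP). The sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _events(start, src_ip, users, count, step_seconds, event_id=4625):
    """Build a run of logon events from one source IP (constructed data)."""
    t0 = datetime.fromisoformat(start)
    return [
        {"time": (t0 + timedelta(seconds=k * step_seconds)).isoformat(),
         "event_id": event_id, "logon_type": 10,
         "user": users[k % len(users)], "src_ip": src_ip}
        for k in range(count)
    ]


SAMPLE_EVENTS = (
    # one account, many attempts: classic brute force, then a success
    _events("2020-06-01T02:00:00", "203.0.113.7", ["administrator"], 12, 15)
    + _events("2020-06-01T02:03:30", "203.0.113.7", ["administrator"], 1, 0, event_id=4624)
    # many accounts, one attempt each: credential stuffing
    + _events("2020-06-01T02:10:00", "198.51.100.23", [f"user{n}" for n in range(8)], 8, 10)
    # a real user mistyping a password twice, then logging in
    + _events("2020-06-01T09:15:00", "192.0.2.5", ["jdoe"], 2, 30)
    + _events("2020-06-01T09:16:10", "192.0.2.5", ["jdoe"], 1, 0, event_id=4624)
)


def detect_rdp_guessing(events, window=timedelta(minutes=5),
                        min_failures=5, stuffing_users=5):
    """Return one finding per source IP whose densest `window` of RDP
    failures reaches `min_failures`; many distinct usernames in that
    window marks credential stuffing rather than brute force."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append((t, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(t)

    findings = []
    for ip, fails in failures.items():
        fails.sort()
        best = (0, 0, 0)  # (count, start index, end index) of the densest window
        j = 0
        for i in range(len(fails)):
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i > best[0]:
                best = (j - i, i, j)
        count, i, j = best
        if count < min_failures:
            continue
        users = {u for _, u in fails[i:j]}
        window_start = fails[i][0]
        findings.append({
            "src_ip": ip,
            "kind": "credential_stuffing" if len(users) >= stuffing_users else "brute_force",
            "failures": count,
            "distinct_users": len(users),
            "window_start": window_start.isoformat(),
            # a success after the guessing run is the signal that matters most
            "followed_by_success": any(t >= window_start for t in successes.get(ip, [])),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_guessing(SAMPLE_EVENTS):
        print(finding)
```

The two thresholds are deliberately separate: a handful of failures from one address is normal user behaviour (the 192.0.2.5 run is not reported), while a burst that reaches the failure threshold is reported either way, and the distinct-user count only decides which label it gets. The `followed_by_success` flag is what turns a noisy alert into an incident.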

To defend against RDP hackers, it may be worth looking for a third-party vendor that approaches RDP with baked-in security tools. It can be difficult to implement common-sense security measures such as SSL VPN integration, built-in encryption, and two-factor authentication using the basic RDP that comes with Windows operating systems. Look for a better version that enforces strong credentials and makes your implementation less discoverable.

Vulnerable VPNs Are a New Avenue for Attackers

VPNs have only recently become widespread targets for ransomware attackers, primarily as a result of the COVID-19 pandemic. With most office workers working remotely, the VPN has become the primary conduit for sensitive communications between home and office. This, of course, means it’s become a much wider — and more attractive — attack surface for ransomware.

A vulnerability in one of the most widely used VPNs lets hackers connect without supplying a username and password, which makes ransomware installs child’s play. Although a patch is available for this vulnerability, many organizations haven’t yet applied the patch, which means that attacks are still ongoing.

If you have a VPN with this vulnerability, you need to patch it immediately. But those using other VPNs shouldn’t rest easy. Attackers are furiously trying to find vulnerabilities in all VPNs. Your best defense, once again, is to close open ports, hide your VPN application from the public internet, and enforce strong authentication. No unauthorized parties should be able to detect or log in to your VPN.
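The advice to close open ports and keep RDP and VPN services off the public internet (this section and point 2 of the RDP section) is easy to check against a firewall rule export. The Python audit below is an added example, not the article's code or any vendor's tool: the rule format, the port-to-service table and the trusted source ranges are constructed assumptions, and it reports every allow rule that lets an address outside those ranges reach a remote-access port, alongside the corrected form of such a rule.

```python
"""Audit firewall allow rules for remote-access services reachable from
anywhere. Added example, not the article's code or any vendor's tool. The
rule format, the port-to-service table and the trusted source ranges are
constructed assumptions; adapt them to your own exports."""
import ipaddress

# Ports the remote-access services discussed here listen on (constructed subset).
REMOTE_ACCESS_PORTS = {
    ("tcp", 3389): "RDP", ("udp", 3389): "RDP",
    ("udp", 500): "IPsec VPN (IKE)", ("udp", 4500): "IPsec VPN (NAT-T)",
    ("tcp", 1194): "OpenVPN", ("udp", 1194): "OpenVPN",
}

# Sources allowed to reach those ports: corporate ranges and a partner's
# jump host. Anything broader is an exposure. (Constructed.)
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Constructed rule export: every entry is an allow rule.
SAMPLE_RULES = [
    {"name": "allow-rdp-any", "proto": "tcp", "port": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-corp", "proto": "tcp", "port": 3389, "src": "10.20.0.0/16"},
    {"name": "allow-ike-any", "proto": "udp", "port": 500, "src": "0.0.0.0/0"},
    {"name": "allow-web", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-partner", "proto": "tcp", "port": 3389, "src": "198.51.100.0/24"},
    {"name": "allow-rdp-isp", "proto": "tcp", "port": 3389, "src": "203.0.113.0/24"},
]


def _is_trusted(src, trusted):
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_rules(rules, trusted=TRUSTED_SOURCES):
    """Return the allow rules that expose a remote-access port to a source
    outside `trusted`; a 0.0.0.0/0 source is rated critical."""
    findings = []
    for rule in rules:
        service = REMOTE_ACCESS_PORTS.get((rule["proto"], rule["port"]))
        if service is None:
            continue  # not a remote-access port; out of scope for this check
        src = ipaddress.ip_network(rule["src"])
        if _is_trusted(src, trusted):
            continue
        findings.append({
            "rule": rule["name"], "service": service, "source": str(src),
            "severity": "critical" if src.prefixlen == 0 else "high",
        })
    return findings


def restrict_rule(rule, trusted=TRUSTED_SOURCES):
    """The corrected form of an over-broad rule: one allow rule per trusted
    source range, same port and protocol, so the service stops answering
    scans from the rest of the internet."""
    return [dict(rule, name=f"{rule['name']}-{i}", src=str(t))
            for i, t in enumerate(trusted)]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
        if finding["severity"] == "critical":
            bad = next(r for r in SAMPLE_RULES if r["name"] == finding["rule"])
            print("  replace with:", restrict_rule(bad))
```

Port 443 is deliberately left out of the table: a public web server on 443 is expected, and an SSL VPN that shares that port needs a check on the listening service rather than on the port alone. Re-running `audit_rules` over the output of `restrict_rule` is the regression test that the fix actually closes the exposure.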

Additionally, take steps to microsegment the network that your VPN connects remote users into. New technologies, such as application isolation, let you microsegment access to applications and IT resources, creating least-privilege access policies for your users. These controls have the benefit of making applications and resources invisible to hackers who somehow manage to penetrate the network through a VPN vulnerability, preventing the lateral movement on which ransomware deployment and data theft depend.
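What a least-privilege policy for VPN users looks like as a decision, as an added example that is not the article's code or any isolation product's policy engine: every user gets an explicit allow list derived from their roles, everything else is denied by default, and a single identity that collects denials across several applications is surfaced, because that is what lateral movement from a compromised VPN session looks like at the policy layer. Roles, users and the request log are constructed; making the denied applications invisible on the network is left to the isolation product itself.

```python
"""Least-privilege access decisions for users entering through a VPN.

Added example, not the article's code or any product's policy engine. It
models only the decision: which application a given user may reach. Making
everything else invisible at the network level is the isolation product's
job. Roles, users and requests are constructed."""
from collections import defaultdict

# Role -> applications that role may reach. Anything not listed is denied. (Constructed.)
POLICY = {
    "finance": {"erp", "expense-portal"},
    "engineering": {"git", "ci"},
    "everyone": {"wiki", "hr-portal"},
}
# User -> roles. (Constructed.)
USERS = {"alice": {"finance", "everyone"}, "bob": {"engineering", "everyone"}}


def authorize(user, app, device_compliant=True):
    """Default-deny decision: returns (allowed, reason)."""
    if not device_compliant:
        return False, "device failed posture check"
    roles = USERS.get(user, set())
    allowed = set().union(*(POLICY.get(r, set()) for r in roles))
    if app in allowed:
        return True, f"{app} is in {user}'s allow list"
    return False, f"{app} is not in {user}'s allow list"


def lateral_probe_report(requests, max_denied_apps=2):
    """Group denied requests by user; a user denied on more distinct apps
    than `max_denied_apps` is either misconfigured or, after a VPN
    compromise, someone else looking for what to encrypt or steal."""
    denied = defaultdict(set)
    for user, app, compliant in requests:
        ok, _ = authorize(user, app, compliant)
        if not ok:
            denied[user].add(app)
    return {u: sorted(apps) for u, apps in denied.items() if len(apps) > max_denied_apps}


# Constructed request log: (user, app, device_compliant)
SAMPLE_REQUESTS = [
    ("alice", "erp", True), ("alice", "wiki", True), ("alice", "git", True),
    ("bob", "git", True), ("bob", "erp", True), ("bob", "expense-portal", True),
    ("bob", "backup-server", True), ("bob", "ci", False),
]


if __name__ == "__main__":
    for user, app, compliant in SAMPLE_REQUESTS:
        print(user, app, authorize(user, app, compliant))
    print(lateral_probe_report(SAMPLE_REQUESTS))
```

Note that `backup-server` appears in no role at all: under default deny it needs no rule to be unreachable, which is the property that keeps a new server from being exposed by omission.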

Phishing Is Back in Style for Ransomware Attackers

Although email and drive-by downloads used to be go-to methods for distributing ransomware, these were eventually overtaken by exploits that focused on finding and attacking open ports. Phishing is seeing a strong resurgence, however. A new campaign known as Avaddon is busy fooling targets by sending them emails supposedly attaching photos that were taken of them. The attachment is, of course, malicious. A similar campaign known as “Mr. Robot” purports to deliver COVID-19 test results.

The similarity between these two ransomware strains is that they’re both asking for extremely small amounts of money. Avaddon asks for $800 USD in ransom, and Mr. Robot asks for $100 — pocket change as far as most ransomware campaigns are concerned. Not much is known about the groups behind these two ransomware strains, but Avaddon is ransomware-as-a-service — meaning that the people writing the ransomware aren’t sending the ransomware out but are instead selling the software and associated support services.

Many would recommend security awareness training as an antidote to phishing attempts, but the simple nature of the phishing emails getting sent out doesn’t bode well for that approach. In a nutshell: If your employees are getting fooled that easily, training isn’t going to do much for them. And virtually all people can be fooled at least some of the time.

Instead of security awareness training, consider an alternate approach — have your employees use webmail, along with a technology called remote browser isolation (RBI). RBI takes aim at one of the critical assumptions behind phishing emails — that when a target clicks on an embedded URL, the website that opens can download malicious files right to their browser — and from there, it can infect the endpoint and the entire network.

Instead, what RBI does is instantiate a browser within a container hosted in the cloud or in the DMZ. This browser streams only safe rendering data back to the endpoint, while all files downloaded within the remote browser stay safely isolated there. If the employee downloads a malicious executable, the file has nowhere to execute. Employees have the option to save files to their endpoint, but only once the file is disassembled, checked, sanitized if necessary, and reassembled. The entire process is transparent to the user, who enjoys a fully interactive browsing experience.
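The "disassembled, checked, sanitized, reassembled" step is the part of RBI that decides what reaches the endpoint. The Python below is an added example, not code from the article or from any RBI product, and a deliberate simplification of that step: it identifies a download by its bytes rather than its name, blocks executables outright, blocks anything whose content does not match what its name claims, rebuilds HTML without scripts, event handlers or `javascript:` URLs, and passes a few inert types through unchanged. The signature table, extension map and sample files (named after the photo and test-result lures described above) are constructed.

```python
"""A download gate in the spirit of the RBI file handling described above.

Added example, not code from the article or from any RBI product, and a
deliberate simplification: real products disassemble and rebuild many
formats, while this gate rebuilds only HTML (active content removed),
passes a few inert types through after checking that their bytes match
their name, and blocks everything else, executables first. The sample
files are constructed byte strings."""
import html
from html.parser import HTMLParser

# Magic-byte signatures -> detected type (constructed subset).
SIGNATURES = [(b"MZ", "windows_executable"), (b"\x7fELF", "elf_executable"),
              (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png")]
# What a file name claims to be.
EXT_TO_TYPE = {"exe": "windows_executable", "scr": "windows_executable",
               "pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "html": "html", "htm": "html"}


def detect_type(data):
    """Classify by content, never by name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


class _HtmlRebuilder(HTMLParser):
    """Re-emit an HTML document without script-bearing elements, event
    handler attributes or javascript: URLs; counts what it dropped."""
    DROP_ELEMENTS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.out, self.removed, self._skip = [], 0, 0

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_ELEMENTS:
            self._skip += 1
            self.removed += 1
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on") or (
                    value and value.strip().lower().startswith("javascript:")):
                self.removed += 1
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"'
                        if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_ELEMENTS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def gate_download(filename, data):
    """Decide what, if anything, leaves the isolated browser for this file."""
    detected = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_TYPE.get(ext, "unknown")
    if detected.endswith("_executable"):
        return {"action": "block", "type": detected,
                "reason": "executables never leave the isolated browser"}
    if detected == "unknown" or declared != detected:
        return {"action": "block", "type": detected,
                "reason": f"content looks like {detected} but name says {declared}"}
    if detected == "html":
        rebuilder = _HtmlRebuilder()
        rebuilder.feed(data.decode("utf-8", "replace"))
        rebuilder.close()
        return {"action": "sanitized", "type": "html", "removed": rebuilder.removed,
                "data": "".join(rebuilder.out).encode()}
    return {"action": "deliver", "type": detected, "data": data}


# Constructed sample downloads, named after the lures mentioned above.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 16,
    "test-results.pdf": b"MZ\x90\x00" + b"\x00" * 16,   # executable wearing a document name
    "test-results.html": (b"<!DOCTYPE html><html><body onload=\"run()\">"
                          b"<p>Result: negative</p><script>run()</script></body></html>"),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_FILES.items():
        print(name, {k: v for k, v in gate_download(name, blob).items() if k != "data"})
```

The rebuilder is a whitelist-by-reconstruction rather than a filter: the output is generated from the parsed tree, so nothing the parser did not understand survives. The same shape, a parser that emits a fresh document, is what a production CDR engine applies to each supported format.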

By following each of these three best practices for each primary communications technology — email, VPN, and RDP — you’ll be able to significantly narrow your attack surface for ransomware. While many companies are now feeling an economic pinch, hardening your network against new ransomware technologies is one of the smartest investments that you can make.
