Ransomware soars

Editorial Type: Research
Date: 2020-05-01
Tags: Security, Networking, Working from Home, Ransomware, Cybercrime, Phishing, Beazley
Working from home can make IT systems far more susceptible to attack, without the right security measures firmly in place

Ransomware attacks skyrocketed in 2019, according to a newly released breach report, an annual update on cyber trends that is produced by cyber insurer Beazley - and the shift to home working has only heightened the risk of cyber breach via remote desktop protocol and phishing attacks, it states.

Beazley's in-house team of breach experts, Beazley Breach Response (BBR) Services, reported the number of ransomware attack notifications against clients increased by 131%, compared to 2018. Along with this growth in frequency, the sums of money demanded by cybercriminals also increased exponentially, sometimes reaching seven or even eight figures.

Cybercriminals' methods of attack continue to evolve, too. The two most common forms of attack to deploy ransomware are phishing emails and breaching poorly secured remote desktop protocol (RDP). RDP enables employees to access their work computer desktops or company's primary server from home with the press of a button, but the convenience also comes with added risks.

"With the convenience of enabling employees to work from home, using RDP can make IT systems more susceptible to attack without the right security measures in place," states Katherine Keefe, Beazley's global head of BBR Services. "The coronavirus has forced many more employees to work from home and, in this pressured environment, it is very important that companies take the right steps to reduce the vulnerability of their IT infrastructure. Always ensure employees can access their computer using a virtual private network with multi-factor authentication. It is important to whitelist IP addresses that are allowed to connect via RDP, and make sure that unique credentials for remote access are in place - particularly for third parties."

In 2019 and into 2020, BBR Services recorded an increase in reported attacks by policyholders whose systems were breached via cyber-attacks against their IT managed service providers. In some cases, these attacks stopped the operations of hundreds of customers downstream from the IT provider.

Keefe adds: "BBR Services handles thousands of breaches every year and our data demonstrates how ransomware has developed into a more serious and complex threat over the past four years. Early on, ransomware was typically used to encrypt data as leverage for a ransom demand. However, more recently, attackers have been using ransomware variants in tandem with banking Trojans such as Trickbot and Emotet. This two-pronged attack leaves organisations not only with the debilitating impact of their critical systems and data being encrypted, but with the added risk of data being accessed or stolen.

"Although these attacks can be damaging and complex, some of the most effective preventative measures are relatively simple. More than ever, organisations need to ensure their IT security measures are a top priority and up to date, that they have access to authoritative, experienced risk management advice, and, importantly, that employees are trained and alert to the potential threats."

The latest Breach Briefing provides detailed information on the most common forms of attack, including the two most often used to deploy ransomware: phishing emails and poorly secured remote desktop protocol (RDP).

Turning first to phishing, Beazley cites how direct email of malware and links to credential-stealing sites lead to a large number of incidents. "There are a lot of protections available, in the forms of email filters and added layers of authentication," it says. "However, few of these solutions are broadly implemented. People have access to the information and technology that the attackers want, and attackers will continue to find new ways to reach people and exploit them. It would be incorrect to view phishing as the vulnerability; phishing just happens to be the most effective way of getting to the real vulnerability - people."

Exactly how do you mitigate phishing risk, though? Beazley suggests the following:

  • Enable multi-factor authentication (MFA)
  • Force regularly scheduled password resets, preventing recycled passwords
  • Train employees to recognise and report suspicious email traffic.

Turning next to remote desktop protocol (RDP), Beazley describes this as "a very powerful tool that provides a lot of convenience to its users. It is also extremely easy to enable. If the computer you want to access is on the public internet, you gain immediate access to your work computer from home or your company's primary file server while you are on vacation with the press of a button."

However, problems arise from these basic facts: RDP runs on a standard port (tcp/3389) and is easily identified while scanning; companies have very poor password policies, giving a brute force attack a high probability of success; more than 20 vulnerabilities have been identified within RDP, many of which allow unauthenticated access to the target computer; companies tend to have very poor patching policies. "So, not only is it easy to turn on, it is also very easy to discover and break into." The ways of mitigating RDP risk that it recommends include requiring access via a virtual private network (VPN) with MFA; whitelisting IP addresses that are allowed to connect via RDP; and using unique credentials for remote access, especially for vendors.
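
The IP whitelisting recommendation above can be checked mechanically. The following is an added example, not part of the Beazley briefing or of this article: it audits a constructed set of inbound firewall rules and reports every allow rule that admits tcp/3389 from a source outside the allow-list, including port ranges that silently cover 3389. The rule format, rule names and addresses are assumptions, and rules are judged one by one, with no deny-precedence logic.

```python
import ipaddress

RDP_PORT = 3389  # the standard RDP port named in the article

# Constructed sample data: inbound rules in a hypothetical export format.
SAMPLE_RULES = [
    {"name": "rdp-any", "action": "allow", "proto": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
    {"name": "rdp-vpn", "action": "allow", "proto": "tcp", "ports": "3389", "source": "10.8.0.0/24"},
    {"name": "mgmt-range", "action": "allow", "proto": "tcp", "ports": "3000-4000", "source": "198.51.100.0/24"},
    {"name": "rdp-vendor", "action": "allow", "proto": "tcp", "ports": "3389", "source": "203.0.113.10/32"},
    {"name": "https", "action": "allow", "proto": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "rdp-deny", "action": "deny", "proto": "tcp", "ports": "3389", "source": "192.0.2.0/24"},
]

# Constructed allow-list: the VPN address pool and one vendor address.
ALLOWED_SOURCES = ["10.8.0.0/24", "203.0.113.10/32"]


def covers_port(spec, port):
    """True if a port spec such as '3389', '80,443' or '3000-4000' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit_rdp_exposure(rules, allowed_sources, port=RDP_PORT):
    """Return names of allow rules that admit RDP from outside the allow-list."""
    allowed = [ipaddress.ip_network(a) for a in allowed_sources]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp":
            continue
        if not covers_port(rule["ports"], port):
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        # A rule passes only if its whole source range sits inside one
        # allow-listed network; partial overlap still counts as exposure.
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in audit_rdp_exposure(SAMPLE_RULES, ALLOWED_SOURCES):
        print("RDP reachable from non-allow-listed source:", name)
```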

Ransomware can be devastating to an individual or an organisation. Traditionally, these attacks were designed to deny access and interrupt business operations. However, the recent shift towards ransomware paired with banking trojans, and towards threats to expose data, changes the landscape.

"Anyone with important data stored on their computer or network is a target - from municipalities or hospitals through to law firms," warns Beazley. "Important data at risk was traditionally thought to be personally identifiable information (PII) and protected health information (PHI), but it could also include intellectual property, litigation strategies, unpublished financials, and project bids. It is a myth that attackers are not interested in small companies. As our data shows, small and medium-sized businesses are often easier to exploit and therefore very attractive targets."

Many organisations rely on vendors to perform multiple services, which can help reduce overall costs and administrative burdens. But when you no longer control all of your data or when you provide third parties direct access to your systems, it inevitably increases your exposure to data privacy and security risks. "Third-party vendors were aggressively targeted by cybercriminals deploying ransomware in 2019, and at least 17% of all ransomware incidents reported to Beazley originated from attacks on vendors," says the cyber insurer. "These attacks caused business interruption to many downstream customers, ranging from the inability to access data housed in a software application, to a full-blown attack on the customer systems as well."

Why are vendors targeted? Cybercriminals have come to realise that interrupting the dependent and deeply interconnected relationship between vendor and customer creates the most pressure. Hitting a single vendor can cause catastrophic interruptions for hundreds of companies, making it more likely for the vendor to pay.
