Remote desk protocol leaving firms open to ransomware attacks
Written by: Vertical Structure on Nov 07, 2019
Written by: Vertical Structure on Nov 07, 2019
Cyber security consultants Vertical Structure work with SMEs from a range of different industries. Increasingly, companies are approaching Vertical Structure to help after their corporate data has been encrypted by hackers. The cyber criminals are looking to earn a ransom before they’ll unlock it.
IT security company SonicWall reported a 117 per cent increase in numbers of ransomware attacks in 2018, compared to the same period in 2017 and although number of infections appear to be reducing in 2019, the impact of the attacks is increasing.
“Attacks are no longer directed at large enterprises,” said Simon Whittaker. “Oftentimes the hackers are only asking for a few thousand dollars in ransom, illustrating that they aren’t making a huge amount of money overall on these attacks, but the havoc, as well as monetary costs from cleaning up after an attack, can be devastating for a small company.”
The recent WannaCry scandal only resulted in $72,000 in ransom paid to the hackers, according to a report provided by the Hashed Out blog on SSL Store – but the time and money spent by organisations to recoup their lost data is irredeemable.
Bad actors will attack any open environment and there have been recent examples of attackers compromising virtualised servers, Simon says. Rather than stealing data, ransomware refers to the specific criminal act of encrypting data and charging a ransom for the mathematical keys required to access their files.
Depending on strategies employed, even if a company has a data backup plan, the backups are impacted too. “These ransomware infections can compromise a host/parent server, but this may compromise any child servers, too – in which case backups may also be lost.”
Still, many organisations have woefully inadequate data backup strategies, Simon notes. “Sometimes companies only keep a backup for one day – and by the time the malware is discovered, the backup will already be written over.”
So how are these hackers getting in? It’s scarily easy, in some cases, demonstrates Simon.
Most companies now, for good reason, desire employees to work remotely. Terminal services are offered to employees, enabling them to get a desktop connection from anywhere. Using the common port for RDP (remote desktop protocol), a Shodan search brings up 53,129 instances in GB alone. (There are 61,650 in the UK and Ireland). The search – open and available to anyone on the internet – displays all the IP addresses, and in some cases even shows employee’s usernames.
“Without strict security protocol – including two-factor identification, very strong passwords, or an extra level of protection – hackers can get into these accounts and take over the entirety of an organisations’ data,” says Simon. “Files, emails, documents, everything.”
The malware Phobos was behind the most recent attack for which Vertical Structure was enlisted to help. Simon notes that although some malware have decryption keys accessible on the internet, Phobos is too new, and no decryption keys have been published.
Amongst the Shodan search results in the UK, insecure RDP user accounts are displayed from organisations including a prominent charity, a well-known school, a medical trust, a travel website, and many others.
In a recent well-publicised case, Norsk Hydro, one of the world’s largest aluminium producers and Norway’s second-biggest employers, was hit badly. Ransomware brought down factory operations, costing the company a reported $40m to-date, even though the company reportedly did not pay any ransom.
The alarming thing is that, by knowing a username, that means employees could also be vulnerable to the work of criminals. Brute-force methods of entry into a system haven’t been unknown.
“The company’s associates are vulnerable, too,” says Simon, “including customers, partners, suppliers etc. Once you have access to their desktop you could find details of anyone that organisation has worked within the past. Of course, with access to the information, these criminals can steal data while also encrypting it…..It not only exposes the organisation to risk, it also exposes real people.”
“We aren’t trying to spread scare stories,” Simon insists. “It's about telling people what is here, and what could happen, and how they can prevent it. We don’t want organisations to have to ring us up in desperate situations.”
Simon points to the National Cyber Security Centre for help. “Their user guides for small business are a great place to start.”
He goes on, “This is scary but it’s so preventable. Nobody is saying don’t allow users to work remotely – but if you’re going to have a remotely exposed machine, use a VPN, use two factor authentication, make sure you have a suitable and updated antivirus protection. We also advise that organisations undergo a security and penetration test to understand their exposure.”
Who are the hackers that are causing so much distress? Recent attacks have pinpointed criminals’ geographic locations as Middle East-based. Other than that, little is known about the cyber criminals and how big their network extends.
Locally, both PSNI and Garda Síochána advise that companies check www.nomoreransom.org for the decryption keys that are already available. Companies can also follow ScamWiseNI on Facebook to educate themselves about reported scams in the area.
Or send us a quick message