Remote access ransomware attacks VNC Connect

Remote Access and the Current State of the Ransomware Attack: A Threat Actor’s Favorite Tool

With more ransomware attack analysis including specific details, it becomes clearer how ransomware gangs are leveraging your organization’s remote access against you.

One of the benefits of more news stories detailing attack specifics, as well as security vendors putting out analyses of attacks they’ve encountered, is the incredible sharing of details that provide those that are paying attention with great insight into exactly what actions are being taken and malicious methods are being used by cybercriminals. It also provides an understanding of how specific tools – such as remote access solutions (both those organization-sanctioned or threat actor-utilized) – are used time and time again.  This kind of detail can be used to prioritize what needs to change about the environment to a) make it more secure and b) make it less prone to cyberattacks. 

So, I want to take the opportunity to look at some recent news and analysis of ransomware attacks in order to make some recommendations that will make the remote access solution you use today less of an asset to the cybercriminal. Let’s begin with initial access

Gaining Entry with Remote Access

It’s long been a known fact that a material percentage of ransomware attacks (regardless of the variant involved) bounce between phishing- and remote desktop-based attacks as their initial attack vector. The reasoning behind phishing is evident – it provides the attacker direct access to an endpoint and a set of user credentials should the phishing attack succeed.  But so do remote desktop attacks using commercial remote access solutions – regardless of whether they are brute force attacks (where thousands of passwords are tested in succession) or using stolen credentials derived from a previous attack – which is why remote desktop attacks stand toe-to-toe with phishing.

In recent months, ransomware attacks involving MedusaLocker – a variant introduced in 2019 that is making a “comeback” enough to warrant a Joint Cybersecurity Advisory about it in June of this year – primarily leverage exposed RDP connections (whether intentional or accidental) to establish a foothold in a victim organization.

Another egregious example of inappropriate access via RDP is one documented by security researchers at Sophos, in which a cybercriminal group that uses LockBit ransomware gained access to a U.S. Government network via RDP and was able to poke around the network for five months without being detected before deploying LockBit.

Moving Around Once Inside

Once in, if you’re familiar with the normal chain of malicious events and/or are paying attention to the MITRE ATT&CK Framework, you know lateral movement is eventually another use of remote access. According to the latest data from ransomware incident response vendor Coveware (who puts out a quarterly ransomware report), lateral movement occurs in approximately 70% of ransomware attacks. This includes the exploitation of remote services, which Coveware analysts comment “mainly consists of abusing internal remote desktop (RDP) after initial access has been made.”

Learning from the Current State of Ransomware and Remote Access

With all the current data and attack examples demonstrating how threat actors leverage remote access for devious purposes, what steps should you take to stop the misuse?  There are a few impactful actions you can take to keep cybercriminals from taking advantage of and misusing your remote access:

There are plenty of other solutions designed around providing secure remote access available on the market that also have better granularity, control, and configurability than the build-in RDP.

  • Enable Secure Authentication – The use of multi-factor authentication is a show-stopper for ransomware actors. By requiring a second factor – such as an SMS text, a smartcard, certificate, etc. – you effectively take away any power the threat actor would normally have with a credential in hand.

Responding in Kind to Ransomware’s Misuse of Remote Access

It’s imperative for cybersecurity strategies to continually be updated to reflect the current state of attack – this is one of the reasons MITRE’s framework exists today; to keep every organization updated. And this often includes going beyond security solutions in place and looking at how cybercriminals misuse your internal resources, providing you with obvious opportunities to further secure your environment.

Until remote access is implemented with security in mind first (and then productivity), it will always be a top-of-mind tool to be taken advantage of by the ransomware threat actor. By learning from the current state of ransomware attacks, and evaluating the recommendations above, you not only will find your remote access to be in a far-greater security state but also find your threat surface – both externally and internally – to be significantly reduced.

See how other customers are using RVNC® Connect

100.3 FM

“Being able to operate in two markets is really important for our business. VNC Connect allows us to do this without needing …
Learn more »
Azimuth OW League

Azimuth Digital

"Deploying the software was easy for everyone involved and made it seem as though we were right there in the same room …
Learn more »
University of Miami

University of Miami

"RealVNC® remote access software has decreased the amount of downtime when our onboard systems do not perform properly, allowing us to increase …
Learn more »

Experience secure remote freedom, like never before

We don’t require credit card data. 14 days of free, secure and fast access to your devices. Upgrade or cancel anytime

G2 stars review

4.7 stars, 400+ reviews
Top 50 IT Management
Products 2020

Apple App Store

4.8 stars, 11,700 reviews
Apple Store 5M+ downloads

Google Play Store

4.7 stars, 55,000 reviews
Google Play Store 5M+


4.5 stars, 100+ reviews
Best Software Reviews