Remote Access and the Current State of the Ransomware Attack: A Threat Actor’s Favorite Tool

With more ransomware attack analysis including specific details, it becomes clearer how ransomware gangs are leveraging your organization’s remote access against you.

One of the benefits of more news stories detailing attack specifics, as well as security vendors publishing analyses of attacks they’ve encountered, is the sharing of details that gives those who are paying attention real insight into exactly what actions cybercriminals are taking and which malicious methods they are using. It also provides an understanding of how specific tools – such as remote access solutions, both those sanctioned by the organization and those brought in by the threat actor – are used time and time again. This kind of detail can be used to prioritize what needs to change about the environment to a) make it more secure and b) make it less prone to cyberattacks.

So, I want to take the opportunity to look at some recent news and analysis of ransomware attacks in order to make some recommendations that will make the remote access solution you use today less of an asset to the cybercriminal. Let’s begin with initial access.

Gaining Entry with Remote Access

It’s long been a known fact that a material percentage of ransomware attacks (regardless of the variant involved) bounce between phishing- and remote desktop-based attacks as their initial attack vector. The reasoning behind phishing is evident – should the phishing attack succeed, it provides the attacker direct access to an endpoint and a set of user credentials. But so do remote desktop attacks using commercial remote access solutions – regardless of whether they rely on brute force (where thousands of passwords are tested in succession) or on stolen credentials derived from a previous attack – which is why remote desktop attacks stand toe-to-toe with phishing.

In recent months, ransomware attacks involving MedusaLocker – a variant introduced in 2019 that is making a “comeback” enough to warrant a Joint Cybersecurity Advisory about it in June of this year – primarily leverage exposed RDP connections (whether intentional or accidental) to establish a foothold in a victim organization.

Another egregious example of inappropriate access via RDP is one documented by security researchers at Sophos, in which a cybercriminal group that uses LockBit ransomware gained access to a U.S. Government network via RDP and was able to poke around the network for five months without being detected before deploying LockBit.

Moving Around Once Inside

Once in, if you’re familiar with the normal chain of malicious events and/or are paying attention to the MITRE ATT&CK Framework, you know lateral movement is eventually another use of remote access. According to the latest data from ransomware incident response vendor Coveware (which publishes a quarterly ransomware report), lateral movement occurs in approximately 70% of ransomware attacks. This includes the exploitation of remote services, which Coveware analysts comment “mainly consists of abusing internal remote desktop (RDP) after initial access has been made.”
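The two RDP abuses described so far, password guessing against an exposed RDP endpoint and internal RDP used for lateral movement once inside, both leave a trail in Windows Security logging: failed logons (Event ID 4625) and successful logons (Event ID 4624), each carrying a LogonType field where 10 means RemoteInteractive, i.e. RDP. The following is an added example, not code from the original post or from RealVNC, showing detection logic for both patterns. It assumes events have already been flattened into one constructed `key=value` line each (not a real Windows export format); the field names follow the Windows Security event schema, the 203.0.113.0/24 addresses are a documentation range standing in for external sources, 10.0.0.0/8 stands in for the internal network, and the jump-host allowlist is a placeholder for your own sanctioned admin hosts.

```python
"""Detect RDP brute-force bursts, a success following a burst, and internal RDP
logons from unsanctioned sources. Added example; not the post's or RealVNC's code.
Assumes constructed 'timestamp key=value ...' lines using Windows Security field
names (EventID, LogonType, TargetUserName, IpAddress, Computer)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample telemetry (not real log data). 203.0.113.x = external
# documentation range, 10.x = internal network. Six failures from one external
# address in ~80 seconds, then a success; three failures from another address;
# an internal RDP logon from the sanctioned jump host; one from a workstation.
SAMPLE_EVENTS = [
    "2024-05-01T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:00:14 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:00:31 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:00:47 EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:01:02 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:01:20 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:01:55 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7 Computer=RDP-GW01",
    "2024-05-01T02:03:10 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9 Computer=RDP-GW01",
    "2024-05-01T02:03:40 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9 Computer=RDP-GW01",
    "2024-05-01T02:04:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9 Computer=RDP-GW01",
    "2024-05-01T02:30:00 EventID=4624 LogonType=10 TargetUserName=ops-admin IpAddress=10.0.5.20 Computer=SRV-FILE01",
    "2024-05-01T02:41:12 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.8.44 Computer=SRV-DC01",
    "2024-05-01T02:45:00 EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=- Computer=WS-0044",
]

# Placeholder allowlist: the hosts from which admin RDP is expected to originate.
JUMP_HOSTS = {"10.0.5.20"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_event(line):
    """Turn one constructed 'timestamp key=value ...' line into a dict with a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def is_rdp(event, event_id):
    return event["EventID"] == event_id and event["LogonType"] == "10"


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per source IP over failed RDP logons (4625, LogonType 10).
    Returns {ip: time_the_threshold_was_first_reached}."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if not is_rdp(e, "4625"):
            continue
        ip = e["IpAddress"]
        q = recent[ip]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = e["time"]
    return flagged


def detect_success_after_burst(events, bursts):
    """A successful RDP logon (4624, LogonType 10) from a source already flagged as
    bursting failures is a high-confidence sign that a guessed password landed.
    Returns (time, ip, user, target host) tuples."""
    return [
        (e["time"], e["IpAddress"], e["TargetUserName"], e["Computer"])
        for e in events
        if is_rdp(e, "4624")
        and e["IpAddress"] in bursts
        and e["time"] >= bursts[e["IpAddress"]]
    ]


def detect_unexpected_internal_rdp(events, jump_hosts=JUMP_HOSTS, internal_net=INTERNAL_NET):
    """Internal-to-internal RDP logons whose source is not a sanctioned jump host:
    the 'abusing internal RDP after initial access' pattern. Non-RDP logons carry
    IpAddress='-' and are skipped before the address is parsed."""
    hits = []
    for e in events:
        if not is_rdp(e, "4624"):
            continue
        src = ipaddress.ip_address(e["IpAddress"])
        if src in internal_net and str(src) not in jump_hosts:
            hits.append((e["time"], str(src), e["Computer"], e["TargetUserName"]))
    return hits


if __name__ == "__main__":
    evts = [parse_event(line) for line in SAMPLE_EVENTS]
    bursts = detect_rdp_bruteforce(evts)
    print("brute-force sources:", bursts)
    print("success after burst:", detect_success_after_burst(evts, bursts))
    print("unexpected internal RDP:", detect_unexpected_internal_rdp(evts))
```

The threshold and window are tuning knobs: the same external address failing five times inside five minutes is flagged, while the address with three failures is not, so ordinary typo-level noise does not page anyone. The success-after-burst check is the one worth alerting on with the highest severity, since it marks the moment an exposed RDP endpoint stops being an attempt and becomes a foothold; the internal check is only as good as the jump-host allowlist you maintain for it.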

Learning from the Current State of Ransomware and Remote Access

With all the current data and attack examples demonstrating how threat actors leverage remote access for devious purposes, what steps should you take to stop the misuse? There are a few impactful actions you can take to keep cybercriminals from taking advantage of and misusing your remote access:

  • There are plenty of other solutions designed around providing secure remote access available on the market that also have better granularity, control, and configurability than the built-in RDP.

  • Enable Secure Authentication – The use of multi-factor authentication is a show-stopper for ransomware actors. By requiring a second factor – such as an SMS text, a smartcard, certificate, etc. – you effectively take away any power the threat actor would normally have with a credential in hand.

Responding in Kind to Ransomware’s Misuse of Remote Access

It’s imperative for cybersecurity strategies to be continually updated to reflect the current state of attack – this is one of the reasons MITRE’s framework exists today: to keep every organization current. And this often includes going beyond the security solutions in place and looking at how cybercriminals misuse your internal resources, which gives you obvious opportunities to further secure your environment.

Until remote access is implemented with security in mind first (and then productivity), it will always be a top-of-mind tool for the ransomware threat actor to take advantage of. By learning from the current state of ransomware attacks and evaluating the recommendations above, you will not only find your remote access to be in a far greater security state but also find your threat surface – both externally and internally – to be significantly reduced.

Nick Cavalancia MVP

Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 28 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, and Master CNI. He has authored, co-authored and contributed to dozens of books on various technologies. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.
