Many sources report that ransomware attacks are on the rise. Ransomware tactics are also improving: attacks are becoming more targeted and, along with that, the ransoms demanded by attackers are growing.
Ransomware attacks follow a pattern in which the first phase is obtaining some form of initial access to an IT system. Depending on the ransomware variant, the attack then continues with activities such as encrypting local and/or shared file systems, spreading deeper into the network, disabling backups and stealing data, and finally demanding money to recover from the damage done.
The most important access vectors as documented by the US CISA Ransomware Guide are:
- Internet-facing vulnerabilities and misconfigurations
- Malware infections
- Third parties and managed services
Let's focus on three countermeasures mentioned in the ransomware guide that are supported by the Sweepatic Platform and that help reduce the external attack surface of organizations.
1. Regularly scan your internet facing assets
According to the guide, organizations should conduct regular vulnerability and configuration scanning to identify and address vulnerabilities and weaknesses, especially on internet-facing devices, to limit attack surface exposure. The end goal is to prioritize timely patching of internet-facing servers, as well as of software that processes internet data (web browsers, browser plugins and document readers), for known vulnerabilities.
Sweepatic specializes in discovering all internet-facing assets of an organization without needing technical input such as IP address ranges. The goal is to discover and catalog both known and unknown IT assets. Based on this asset inventory, additional security checks are run. Discovered risks are categorized per application category across security dimensions including: encryption, vulnerabilities, insecure configurations, hygiene, exposed (admin) services and reputation.
2. Avoid weak or poorly configured remote access services
Remote access services that give an attacker immediate, interactive access to a system are popular targets. These include: Windows Remote Desktop (RDP), VNC, SSH and telnet.
According to several reports, RDP is specifically targeted, and many argue that it should never be publicly reachable. Some even nickname RDP the "Ransomware Deployment Protocol"; it has also been expanded as "Do Really Path". RDP was never designed with strong security in mind, and over the years we have seen many serious vulnerabilities in it that give attackers direct administrative access to systems. Even without a vulnerability, an exposed RDP service can be brute-forced or opened with credentials stolen elsewhere.
Ideally these remote access services are only reachable through a VPN, as explained in CISA's Enterprise VPN advice. Microsoft also offers a Remote Desktop Gateway with better security features than a directly exposed RDP listener. Europol's nomoreransom.org likewise advises disabling or heavily restricting RDP access.
Sweepatic continuously scans the internet-facing infrastructure of its customers for open RDP and other remote access services. When one is found, the security team is alerted so that the access can be removed or restricted.
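The check described above, as an added example that is not Sweepatic's code: given an exported list of internet-facing services with the source networks allowed to reach them, it flags the remote access services (RDP, VNC, SSH, telnet) that are reachable from the whole internet or from public address ranges and says which ones should move behind a VPN or gateway. The inventory, host addresses and the office range `85.100.200.0/24` are constructed placeholders.

```python
"""Triage an exported service inventory for exposed remote access services.
Added example; the inventory at the bottom is constructed, not scan output."""
import ipaddress

# Well-known remote access ports; VNC displays listen on 5900 + display number.
REMOTE_ACCESS = {3389: "RDP", 22: "SSH", 23: "Telnet"}


def service_name(port):
    """Return the remote access service name for a port, or None."""
    if port in REMOTE_ACCESS:
        return REMOTE_ACCESS[port]
    if 5900 <= port <= 5999:
        return "VNC"
    return None


def exposure(sources):
    """Classify who can reach a service from its allowed source networks:
    'internet' for an any-to-any rule, 'public' for an allow-list of public
    addresses, 'restricted' when every source is a private (VPN/LAN) range."""
    level = "restricted"
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:          # 0.0.0.0/0 or ::/0
            return "internet"
        if not net.is_private:
            level = "public"
    return level


def triage(inventory):
    """Return findings as (host, port, service, exposure, advice) tuples,
    most urgent first. Telnet is always reported: it carries credentials in
    cleartext, so even a VPN-restricted telnet service should be replaced."""
    findings = []
    for entry in inventory:
        name = service_name(entry["port"])
        if name is None:
            continue
        reach = exposure(entry["sources"])
        if name == "Telnet":
            advice = "disable telnet; use SSH over the VPN instead"
        elif reach == "internet":
            advice = f"{name} open to the whole internet; move behind VPN or gateway"
        elif reach == "public":
            advice = f"{name} allow-listed to public addresses; prefer VPN so no pre-auth exposure remains"
        else:
            continue  # only private sources: nothing to report
        findings.append((entry["host"], entry["port"], name, reach, advice))
    order = {"internet": 0, "public": 1, "restricted": 2}
    findings.sort(key=lambda f: order[f[3]])
    return findings


# Constructed inventory: hosts use the 203.0.113.0/24 documentation range,
# 85.100.200.0/24 stands in for an office's public range, 10.8.0.0/24 for a VPN.
SAMPLE_INVENTORY = [
    {"host": "203.0.113.10", "port": 3389, "sources": ["0.0.0.0/0"]},
    {"host": "203.0.113.11", "port": 22, "sources": ["85.100.200.0/24"]},
    {"host": "203.0.113.12", "port": 5901, "sources": ["10.8.0.0/24"]},
    {"host": "203.0.113.13", "port": 23, "sources": ["10.0.0.0/8"]},
    {"host": "203.0.113.14", "port": 443, "sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for host, port, name, reach, advice in triage(SAMPLE_INVENTORY):
        print(f"{host}:{port:<5} {name:6} {reach:10} {advice}")
```

Run as-is, the script reports the internet-facing RDP host first, then the SSH host that is allow-listed to a public range, then the telnet host; the VNC service restricted to the VPN subnet and the HTTPS service produce no finding. Feeding it real data is a matter of mapping your firewall or cloud security-group export onto the same `host`/`port`/`sources` shape.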
3. Phishing: Lower the chance of spoofed or modified emails
Delivering a malicious payload via email remains one of the most popular initial access vectors. Antimalware combined with awareness training that teaches staff to recognize suspicious email is a must have.
Additionally, deploying and verifying proper email authentication, as specified in the SPF, DKIM and DMARC DNS records of your domain, lets receiving mail servers check that a message really originates from your domain and, for DKIM-signed messages, that the signed headers and body were not modified in transit. With a DMARC policy of reject, spoofed messages that fail these checks are refused rather than delivered.
Sweepatic discovers and checks the email configuration of its customers' domains for insecure settings. When best practices are not followed, the platform alerts and advises on what can be improved and remediated.
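The verification described above, as an added example that is not Sweepatic's code: it evaluates a domain's SPF and DMARC TXT records and lists the settings that leave the domain spoofable (a soft or missing `all` mechanism in SPF, a DMARC policy of `none` or `quarantine`, a weaker subdomain policy, no reporting address). The domains and records are constructed and served from a dictionary, so nothing is queried over the network; DKIM is deliberately not checked, because its public key sits under `<selector>._domainkey.<domain>` and the selector must be known before it can be looked up.

```python
"""Offline check of a domain's SPF and DMARC TXT records for settings that
leave the domain spoofable. Added example; the records below are constructed
and no DNS query is made."""

# Constructed DNS TXT answers keyed by record name.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=100"],
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"
    ],
    "nothing.example": [],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT lookup; returns the record strings for a name."""
    return records.get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, records=SAMPLE_TXT):
    """Findings for the SPF record published at the domain apex."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record, receivers cannot verify sending hosts"]
    if len(spf) > 1:
        return ["SPF: more than one v=spf1 record, evaluates as permerror"]
    findings = []
    last = spf[0].split()[-1].lower()   # the final mechanism decides unlisted hosts
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises any host to send as this domain")
    elif last in ("~all", "?all"):
        findings.append(f"SPF: '{last}' is soft/neutral, spoofed mail is not rejected on SPF alone")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF: record does not end in an 'all' mechanism, unlisted hosts default to neutral")
    return findings


def check_dmarc(domain, records=SAMPLE_TXT):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in lookup_txt("_dmarc." + domain, records)
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no _dmarc record, spoofed mail is delivered whatever SPF/DKIM say"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam, consider p=reject")
    elif policy != "reject":
        findings.append(f"DMARC: missing or invalid policy tag p={policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    sub = tags.get("sp", policy).lower()   # subdomain policy defaults to p
    if policy == "reject" and sub != "reject":
        findings.append(f"DMARC: subdomains get sp={sub}, spoofing of *.{domain} is not rejected")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports of spoofing attempts are never seen")
    return findings


def check_domain(domain, records=SAMPLE_TXT):
    """All SPF and DMARC findings for a domain; an empty list means the records
    match the strict settings shown for strong.example."""
    return check_spf(domain, records) + check_dmarc(domain, records)


if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "nothing.example"):
        print(name)
        for finding in check_domain(name) or ["no findings"]:
            print("  -", finding)
```

To run this against a real domain, replace `lookup_txt` with a resolver call such as dnspython's `dns.resolver.resolve(name, "TXT")` and join each answer's character strings into one record; the rest of the logic is unchanged. Note that `p=reject` alone is not the whole story: alignment (`adkim`/`aspf`) and a `rua` address matter, because the aggregate reports are how you find out who is spoofing you.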
Our customers leverage the Sweepatic Platform's discovery capability to continuously find known and unknown IT assets. They also use the platform to work through a prioritized list of the security issues discovered and start the remediation process, and thus become more cyber-resilient as an organization.
On top of our discovery engine, we automatically inspect and report on security issues such as vulnerabilities, misconfigurations in email/DNS/web, weak encryption, expired or weak SSL/TLS certificates, exposed databases and file shares, exposed administrative access and much more.