Anti-Ransomware Day


Ransomware remains a persistent threat to all organisations, with the ability to stop business operations, cause reputational damage, and have real-world consequences. Despite ransomware gaining the attention of everyday citizens with attacks like that on Colonial Pipeline that led to fuel shortages, and WannaCry that led to British hospitals diverting patients, ransomware attacks continue to plague organisations.

One reason ransomware as a threat is so hard to eradicate is that cyber criminals keep finding new pathways to deliver the malware. A newer attack vector is organisations’ digital supply chains, which include the vendors, suppliers, and other third parties with network access. As organisations’ own internal networks become more secure, a third party may have weaker security. If it is compromised, the attackers can spread to connected networks, leaving behind malware to enable a ransomware attack. Even if an organisation isn’t ransomed itself, having a critical supplier facing an attack can hurt business operations.

Another common attack vector for ransomware is Remote Desktop Protocol (RDP), which is ironically what the cyber criminals exploited for the WannaCry attack. Given the rise of remote work, more organisations are looking for external remote access for employees, but may not always consider all the security implications.

Unfortunately, it is very easy to expose RDP unintentionally by leaving the RDP port open to the internet, including on a forgotten system, cloud instance, or network segment. This protocol, easily detected and exploited, can lead to loss of data, downtime, costly remediation, and brand damage for organisations.

Recently, according to BlueVoyant’s threat intelligence, threat actors have more frequently probed for open RDP ports as an easy-access attack vector, since they can find vulnerable open RDP services by simply running an external scan of an organisation’s network. It is a foregone conclusion that RDP will be targeted at some point if left open on an organisation’s network.

To help prevent ransomware attacks, organisations need to consider the security of their supply chain. They should know which vendors, suppliers, and other third parties have network access and which are critical to business continuity. Organisations should then continuously monitor their supply chain so that if any signs of compromise appear, they can quickly work with the affected third parties to remediate the issue.

When it comes to RDP, organisations need awareness of the risks. The ports should always be closed unless there is a valid business reason to open them. Any remote access should be regularly audited by security teams to ensure nothing is unnecessarily left open. Where access is necessary, organisations should require the use of a VPN and multi-factor authentication, and limit login attempts.
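One way to carry out the regular audit described above, as an added example that is not part of the original article: check a set of firewall or cloud security-group rules for anything that lets port 3389 in from outside the organisation's own address space, including the easy-to-miss case of an "all ports" rule. The `Rule` shape, the internal ranges and the sample rules are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389
# Address space treated as "inside the network"; anything else is external. Adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
RDP_PROTOCOLS = {"tcp", "udp", "any", "-1", "*"}   # RDP uses TCP and (since RDP 8.0) UDP 3389

@dataclass
class Rule:               # hypothetical, flattened form of a firewall / security-group rule
    name: str
    protocol: str         # "tcp", "udp" or a wildcard such as "any"
    from_port: int        # inclusive port range; 0-65535 means "all ports"
    to_port: int
    source: str           # CIDR the rule accepts traffic from

def source_is_internal(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in INTERNAL_NETS if p.version == net.version)

def rdp_exposure(rule: Rule):
    # Return None if the rule is fine, otherwise a short reason it exposes RDP.
    if rule.protocol.lower() not in RDP_PROTOCOLS:
        return None
    if not (rule.from_port <= RDP_PORT <= rule.to_port):
        return None
    if source_is_internal(rule.source):
        return None
    net = ipaddress.ip_network(rule.source, strict=False)
    if net.prefixlen == 0:
        return "RDP reachable from the whole internet"
    return f"RDP reachable from external range {net}"

def audit(rules):
    # Map each offending rule name to the reason it was flagged.
    return {r.name: reason for r in rules if (reason := rdp_exposure(r))}

# Constructed sample rules, not taken from any real environment.
SAMPLE_RULES = [
    Rule("rdp-from-anywhere", "tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("legacy-allow-all", "any", 0, 65535, "0.0.0.0/0"),      # RDP hidden inside an all-ports rule
    Rule("rdp-from-vpn-pool", "tcp", 3389, 3389, "10.20.0.0/16"),
    Rule("https-from-internet", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("rdp-from-partner", "tcp", 3389, 3389, "203.0.113.0/24"),
    Rule("mgmt-ports-ipv6", "tcp", 3000, 4000, "::/0"),
]
```

Calling `audit(SAMPLE_RULES)` flags four of the six constructed rules; the VPN-pool rule and the HTTPS rule pass, so the check distinguishes RDP exposure from legitimate internet-facing services.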