Ransomware/exfiltration Campaign Targets Remote Access, Resists Resolution Through Data Restoration

US CERT has issued an advisory on a ransomware campaign leveraging remote access technologies. Malicious cyber actors are targeting organizations’ networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication. After gaining access, cyber actors use various tools—including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware—for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup.

Experts Comments

June 22, 2020
Saryu Nayyar
CEO
Gurucul
With the increase in personnel working remotely over VPN or remote desktop tools such as Citrix, RDP, or VNC, it's no surprise that malicious actors have focused more of their efforts towards these targets. Not every organization has properly enabled strong authentication and, as we have recently seen, phishing schemes and drive-by web exploits are also being used to access people's systems. Ransomware is a particularly destructive and frustrating attack, but there are ways to mitigate it......Read More
With the increase in personnel working remotely over VPN or remote desktop tools such as Citrix, RDP, or VNC, it's no surprise that malicious actors have focused more of their efforts towards these targets. Not every organization has properly enabled strong authentication and, as we have recently seen, phishing schemes and drive-by web exploits are also being used to access people's systems. Ransomware is a particularly destructive and frustrating attack, but there are ways to mitigate it. User education and good authentication practices can reduce the chance of infection, while frequent backups and a good disaster recovery plan can help mitigate the infection once it happens. An advanced security analytics platform can help identify an infection if it happens, starting with unusual user or device behavior, and can start mitigation and remediation procedures before the ransomware has infected more than a handful of systems.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts