Ransomware/exfiltration Campaign Targets Remote Access, Resists Resolution Through Data Restoration

US CERT has issued an advisory on a ransomware campaign that leverages remote access technologies. Malicious cyber actors are targeting organizations' networks through remote access tools, such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs), to exploit unpatched vulnerabilities and weak authentication. After gaining access, the actors use a range of tools, including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware, for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Because of the level of access gained before the ransomware is deployed, restoring data from backup alone does not resolve the intrusion.
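As an added illustration, not part of the advisory or this page, the following correlation flags the first two steps of the chain described above on constructed Windows event records: an RDP logon from outside the organization's internal address ranges, followed within a window by a PsExec service install on the same host. The internal ranges, the time window, and the sample events are assumptions of the example; the event IDs (4624 logon, 7045 service installed) and the PSEXESVC service name are the values the example keys on.

```python
"""Toy correlation for external RDP logon -> PsExec service install.

Added example, not the advisory's or the page's own code. Event records are
constructed tuples: (host, ISO timestamp, event id, details dict).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges for this example (RFC 1918); adjust per environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample events. 203.0.113.7 is a documentation address standing
# in for an Internet source; DC01 shows a PsExec install with no prior RDP hit.
SAMPLE_EVENTS = [
    ("FS01", "2020-06-22T09:01:00", 4624,
     {"logon_type": 10, "user": "svc_backup", "src_ip": "10.0.0.5"}),
    ("FS01", "2020-06-22T09:03:00", 4624,
     {"logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}),
    ("FS01", "2020-06-22T09:10:00", 7045, {"service": "PSEXESVC"}),
    ("DC01", "2020-06-22T11:00:00", 7045, {"service": "PSEXESVC"}),
]


def is_external_rdp_logon(event_id, details):
    """4624 with logon type 10 (RemoteInteractive) from a non-internal IP."""
    if event_id != 4624 or details.get("logon_type") != 10:
        return False
    src = ip_address(details["src_ip"])
    return not any(src in net for net in INTERNAL_NETS)


def correlate(events, window=timedelta(hours=1)):
    """Return (host, user, src_ip, service_time) for each matching chain."""
    alerts, rdp_by_host = [], {}
    for host, ts, eid, d in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if is_external_rdp_logon(eid, d):
            rdp_by_host.setdefault(host, []).append((t, d))
        elif eid == 7045 and d.get("service", "").upper() == "PSEXESVC":
            for logon_time, logon in rdp_by_host.get(host, []):
                if timedelta(0) <= t - logon_time <= window:
                    alerts.append((host, logon["user"], logon["src_ip"], ts))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT external RDP then PsExec:", alert)
```

The internal logon by svc_backup and the lone PsExec install on DC01 produce no alert, which is the point: neither event alone is the pattern the advisory describes.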

Saryu Nayyar, CEO, InfoSec Expert
June 22, 2020 10:35 am

With the increase in personnel working remotely over VPN or remote desktop tools such as Citrix, RDP, or VNC, it's no surprise that malicious actors have focused more of their efforts towards these targets. Not every organization has properly enabled strong authentication and, as we have recently seen, phishing schemes and drive-by web exploits are also being used to access people's systems.

Ransomware is a particularly destructive and frustrating attack, but there are ways to mitigate it. User education and good authentication practices can reduce the chance of infection, while frequent backups and a good disaster recovery plan can help mitigate the infection once it happens. An advanced security analytics platform can help identify an infection if it happens, starting with unusual user or device behavior, and can start mitigation and remediation procedures before the ransomware has infected more than a handful of systems.

Last edited 2 years ago by Saryu Nayyar