US CERT has issued an advisory on a ransomware campaign leveraging remote access technologies. Malicious cyber actors are targeting organizations’ networks through remote access tools, such as Remote Desktop Protocol and virtual private networks, to exploit unpatched vulnerabilities and weak authentication. After gaining access, cyber actors use various tools—including mimikatz, PsExec, Cobalt Strike, and Nefilim ransomware—for privilege escalation, lateral movement, persistence, and data exfiltration and encryption. Due to the level of access gained before deploying ransomware, the issue cannot be resolved by simply restoring data from backup.
With the increase in personnel working remotely over VPN or remote desktop tools such as Citrix, RDP, or VNC, it's no surprise that malicious actors have focused more of their efforts towards these targets. Not every organization has properly enabled strong authentication and, as we have recently seen, phishing schemes and drive-by web exploits are also being used to access people's systems.
Ransomware is a particularly destructive and frustrating attack, but there are ways to mitigate it. User education and good authentication practices can reduce the chance of infection, while frequent backups and a good disaster recovery plan can limit the damage once an infection happens. An advanced security analytics platform can help identify an infection early, starting with unusual user or device behavior, and can start mitigation and remediation procedures before the ransomware has spread beyond a handful of systems.
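To make the "unusual user or device behavior" idea concrete, here is an added example (not from the advisory, and not code from the original post or any product) of two simple detections over Windows event records that line up with the attack chain described above: weak-authentication abuse of RDP, seen as a burst of failed logons followed by a successful remote interactive logon from the same source, and PsExec-style lateral movement, seen as a remote service install. The event IDs 4625/4624 (logon failure/success, logon type 10 = RemoteInteractive) and 7045 (new service installed) are real Windows IDs; the record layout, the thresholds, and the hostnames and IP addresses are constructed for illustration.

```python
"""Added example: toy detections over constructed Windows event records.
Event IDs 4625/4624/7045 are real; the Event layout, thresholds,
hostnames and IPs below are assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    event_id: int
    user: str = ""
    src_ip: str = ""
    logon_type: int = 0   # 10 = RemoteInteractive (RDP)
    service: str = ""     # service name for 7045 records


FAILED_LOGON_THRESHOLD = 5   # failures per source before we alert (assumed tuning)
WINDOW_SECONDS = 300         # look-back window for those failures (assumed tuning)


def find_rdp_bruteforce(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW_SECONDS):
    """Return (host, src_ip, user) for each successful RDP logon (4624, type 10)
    that was preceded within `window` seconds by >= `threshold` failed logons
    (4625) from the same source against the same host."""
    failures = defaultdict(list)   # (host, src_ip) -> timestamps of 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.src_ip)
        if ev.event_id == 4625:
            failures[key].append(ev.ts)
        elif ev.event_id == 4624 and ev.logon_type == 10:
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev.host, ev.src_ip, ev.user))
    return alerts


def find_remote_service_installs(events, suspicious_names=("PSEXESVC",)):
    """Return (host, service) for 7045 records whose service name matches a
    known remote-execution tool (PsExec installs a service named PSEXESVC
    by default; the match list is deliberately small and easy to extend)."""
    return [(ev.host, ev.service) for ev in events
            if ev.event_id == 7045 and ev.service.upper() in suspicious_names]


# Constructed sample telemetry: an external address hammers RDP on a jump
# host with a service account, eventually succeeds, and PsExec is then used
# against a file server. A benign single typo from the office range is
# included to show the threshold doing its job.
SAMPLE_EVENTS = [
    *[Event(ts=1000 + i * 10, host="jump01", event_id=4625,
            user="svc_backup", src_ip="203.0.113.7", logon_type=10)
      for i in range(6)],
    Event(ts=1100, host="jump01", event_id=4624, user="svc_backup",
          src_ip="203.0.113.7", logon_type=10),
    Event(ts=1200, host="jump01", event_id=4625, user="alice",
          src_ip="10.0.0.5", logon_type=10),
    Event(ts=1210, host="jump01", event_id=4624, user="alice",
          src_ip="10.0.0.5", logon_type=10),
    Event(ts=1300, host="fileserv01", event_id=7045, service="PSEXESVC"),
    Event(ts=1310, host="fileserv01", event_id=7045, service="Spooler"),
]


def run_detections(events=SAMPLE_EVENTS):
    """Run both detections and return their hits keyed by detection name."""
    return {
        "rdp_bruteforce": find_rdp_bruteforce(events),
        "remote_service_installs": find_remote_service_installs(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

Both rules are intentionally narrow: the brute-force rule keys on host plus source address so a single user mistyping a password never trips it, and the service rule only matches a named tool, so in practice you would feed it from a list of known remote-execution service names and pair it with the logon that installed the service. The point is that each signal on its own is weak, but the sequence (failed logons, then a remote interactive success, then a remote service install on a second host) is exactly the early-stage behavior an analytics platform can act on before encryption starts.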