Double Extortion Ransomware Attacks and the Role of Vulnerable Internet-Facing Systems

From an information security perspective, one of the trends that is characterizing this second half of 2020 is undoubtedly the new wave of ransomware attacks adopting an approach defined as “double extortion.”

With double extortion attacks, threat actors can maximize their chance of making profit by giving their victims an additional incentive to pay the ransom - the threat to sell or even auction the encrypted data. The gang behind REvil (aka Sodinokibi) was the first to adopt this strategy and was quickly emulated by other groups.

The frequency and impact of ransomware attacks over the past few years has shown that every entity is a potential target. As a consequence, besides additional investments on anti-malware technologies, organizations have been working hard to implement effective backup strategies to cope with the worst-case scenario of a successful destructive ransomware attack.

With double extortion attacks, the availability of a backup could be useless. The threat of a data leak by attackers can in fact put more pressure on the victim to pay a ransom because the potential economic and reputational damage could be equally or even more devastating than the loss of data.

Worryingly, once a footprint is established inside the breached organization, the attackers’ creativity is limitless. In some recent campaigns, the threat actors behind REvil have raised the bar even further by scanning the victim’s networks for credit card and point of sale (PoS) software, enabling them to further monetize attacks.

In parallel to the adoption of the double extortion strategy, attackers have changed their modus operandi, shifting from an opportunistic model to a more targeted approach. They select their victims to exploit vulnerable internet-facing systems to break into the target’s network. In this way, the attackers can establish a footprint, inject the malicious payload and make sure that the outbreak spreads quickly across the entire organization.

As incredible as it seems, attackers have even been helped by those technologies that were supposed to protect organizations against them - virtually every primary VPN vendor has suffered severe vulnerabilities since the end of 2019 to date.

A networking or VPN termination device, if exploitable, is the ideal target for a threat actor because a VPN is directly exposed to the internet and provides network access to the internal resources. CVE-2019-11510, CVE-2018-13379, CVE-2019-1579, CVE-2019-19781, CVE-2020-2021, CVE-2020-5902 are just some examples of the vulnerabilities affecting these devices, actively exploited to inject ransomware (but also to carry out cyber-espionage campaigns by state-sponsored actors).

All of these vulnerabilities were discovered immediately before and during the COVID-19 crisis when organizations, in order to guarantee business continuity, were forced to shift to remote working almost overnight, heavily relying on remote access technologies and putting even more pressure on them.

Involuntarily, organizations themselves provided an additional assist to attackers, and if we consider that several vendors took some days to patch the vulnerabilities (and too many organizations took even longer to apply the patches) it’s easy to understand why these attacks were so successful.

However, vulnerable VPN concentrators are not the only critical Internet-facing systems exploitable by ransomware attackers. Another remote access technology playing an important role during the pandemic is providing an additional opportunity to attackers - RDP (Remote Desktop Protocol).

Opening up RDP connections directly on the Internet is definitely a bad idea, but for many organizations during the pandemic it was the quickest way to provide remote access to internal resources. These connections exposed enterprises to brute-force and password-spraying attacks. Multiple security companies have noticed an uptick in Brute-Force RDP attacks since COVID, to the extent that even the FBI has recently sent Private Industry Notifications to K-12 schools warning them about the risks of ransomware attacks leveraging open RDP connections.

Attackers have been creative here too, finding multiple ways to monetize a breach, depending on their intentions - they can launch a ransomware attack, steal the internal data, or even sell the credentials for the RDP access on dark marketplaces or underground forums (a common practice also for compromised VPN access credentials, even by state-sponsored actors).

Reducing the Attack Surface for Remote Access

If you really need to provide network-level access to the internal resources via a VPN, make sure systems are updated with the latest patches in a timely manner (or at least promptly apply any mitigation measure provided by the vendor if a patch is not yet available).

To protect against brute-force and password-spraying attack, enforce an effective password change policy and, if possible, combine it with multi-factor authentication both at the outer layer and when accessing an internal resource. Of course, always turn off the VPN access for those who don’t require it.

Similarly, in case of RDP, block access to the RDP ports (3389 TCP/UDP) if not required, limit access to those who really need it and use a mediation gateway to avoid exposing the system directly on the internet. As with VPNs, enforce multi factor authentication and network level authentication for RDP.

Remember, it’s harder to breach what you can’t see. As well as multi-factor authentication and password-change policy recommendations, it’s even more effective to adopt a zero trust solution in lieu of traditional VPNs. A zero trust solution allows organizations to publish virtually every service at the application layer (including an RDP server) without limitations in terms of horizontal scalability.

It also requires minimal management overhead. Additional benefits are that internal systems are not directly exposed to the internet and the security posture of the user is checked before accessing the resource. Finally, always enforce effective endpoint security to prevent the remote employee’s device from being used as a hop and implement user education to the risks of the remote workplace.

What’s Hot on Infosecurity Magazine?