Authored by: Subhalakshmi Ganapathy, Product Evangelist at ManageEngine
Cyberattacks, including ransomware, are evolving in this global pandemic situation. With the spread of the coronavirus disease 2019 (COVID-19) around the world, cybercriminals are leveraging the fear and uncertainty that's prevailing around the pandemic and launching unscrupulous ransomware attacks on organisations, including those in the healthcare sector.
In Malaysia, the National Cyber Security Agency (NACSA) has observed that "cyberattack campaigns, including business email compromise, malware, ransomware, and phone scams, are on the rise and are believed to be organised by APT groups and organised crime groups." As per official statistics, a total of 1091 cybersecurity incidents were reported to the Malaysia Computer Emergency Response Team (MyCERT) in the month of March 2020, the highest figure in the previous five months.
In the past, ransomware attackers operated in a specific way by locking down the system and demanding a ransom for the decryption key. But, the situation is fast changing now. Let's take a look at how these new-age ransomware work.
What's the next ransomware?
Cybercriminals are now pairing ransomware encryption with data theft. Apart from encrypting data and asking for a ransom, adversaries have started stealing credentials while encrypting critical files. The recently spotted MailTo attack is a classic example of this new age ransomware attack.
This attack arrives through a phishing email with a MS Word document and a password. Once the user clicks and opens the Word document, two payloads get injected into the user's system. One of the payloads encrypts the files on the affected system while the other steals all the stored credentials, including online credentials. In fact, the encryption is just a cover up for the credential theft payload.
How does ransomware 2.0 work?
With the spread of the COVID-19 pandemic, VPNs and remote access services have become business continuity lifelines. Their roles in corporate networks have been flipped. From supporting channels that carry a small fraction of network activity, these services have become the mainstream channels that provide most of the access to on-premises resources. Since these services used to be accessed only occasionally, many enterprises have not patched the services’ security vulnerabilities. Here lies a huge opportunity for the attackers.
The remote code execution vulnerabilities on Remote Desktop Protocol (RDP) are highly wormable. For instance, the BlueKeep vulnerability, which is extremely wormable, is still out there and attackers are trying to develop an exploit for this. Considering the seriousness of this security loophole, Microsoft even released patches for operating systems such as Windows XP and Vista, which were declared EOL. BlueKeep is just one such vulnerability. There are numerous known and unknown RDP and VPN-based vulnerabilities out there, providing attackers a large attacking landscape and also an easy way to intrude into the corporate network.
Further, attacks like MailTo ransomware are exploiting Microsoft Word Remote Code Execution vulnerabilities. In March 2020, Microsoft released a patch for one such vulnerability, CVE-2020-0852. This vulnerability can allow malware to execute on a system when the user merely views a specially crafted Word file in the MS Outlook Preview Pane. Microsoft has warned that the Outlook Preview Pane is also an attack vector for this vulnerability. Again, there are likely many similar unknown vulnerabilities out there. Patching the systems when your employees are working from home, is a time-consuming process. Apart from exploiting zero-day attacks, attackers can now take advantage of this extended patching window to launch attacks.
How can you tackle the new-age ransomware attacks?
1. Hunt for threats. Constantly update your threat intelligence system with its dynamic threat feeds and stay protected from the growing number of COVID-19-based attacks and malicious domains being created to leverage the panic.
2. Patch your systems regularly. Do not leave out the VPN and remote access platforms. Take the utmost care to patch the endpoint devices used by your remote workforce.
3. Stay updated. Keep a watch on newly discovered malware and configure indicators of compromises based on their file hashes and working methods. This will not prevent the attack from happening but will definitely stop the attack at the early stage and minimise the damage.
4. Make your behavioural analytics solution unlearn and relearn the user and entity behaviour patterns. Reconfigure the system to adjust the risk scores according to the remote working behaviours.
5. Don't let your employees fall for phishing emails. Communicate with your employees through your internal forums or over email, addressing the phishing attacks going around and teaching them how to avoid bogus emails.
At this time, it is essential for us to take our digital health as seriously as we take our physical health. Stay strong and secured.