Cyberattacks in the form of ransomwares are evolving in the global pandemic situation. Subhalakshmi Ganapathy, Product Evangelist, ManageEngine, explains how these new ransomware work.
With the spread of the Coronavirus disease (COVID-19) around the world, cybercriminals are leveraging the fear and uncertainty that’s prevailing around the pandemic and launching unscrupulous ransomware attacks on healthcare institutions that treat infected patients and also run tests for the COVID-19 vaccination.
In the past, ransomware attackers operated in a specific way by locking down the system and demanding a ransom for the decryption key. But the situation is fast changing. Let’s take a look at how these new ransomware work.
What’s the next ransomware?
Cybercriminals are now pairing ransomware encryption with data theft. Apart from encrypting data and asking for a ransom, adversaries have started stealing credentials while encrypting critical files. The recently spotted Dharma virus attack on a Dubai-based company is also a classic example of this new ransomware attack.
This attack arrives through a phishing email with a MS Word document and a password. Once the user clicks and opens the Word document, two payloads get injected into the user’s system. One of the payloads encrypts the files on the affected system while the other steals all the stored credentials, including online credentials. In fact, the encryption is just a cover-up for the credential theft payload.
How does ransomware 2.0 work?
With the spread of the COVID-19 pandemic, VPNs and remote access services have become Business Continuity lifelines. Their roles in corporate networks have been flipped. From supporting channels that carry a small fraction of network activity, these services have become the mainstream channels that provide most of the access to on-premises resources. Since these services used to be accessed only occasionally, many enterprises have not patched the services’ security vulnerabilities. Here lies a huge opportunity for the attackers.
The remote code execution vulnerabilities on Remote Desktop Protocol (RDP) are highly wormable. For instance, the BlueKeep vulnerability, which is extremely wormable, is still out there and attackers are trying to develop an exploit for this. Considering the seriousness of this security loophole, Microsoft even released patches for operating systems such as Windows XP and Vista, which were declared EOL. BlueKeep is just one such vulnerability. There are numerous known and unknown RDP and VPN-based vulnerabilities out there, providing attackers a large attacking landscape and also an easy way to intrude into the corporate network.
Further, attacks like Dharma ransomware are exploiting Microsoft Word Remote Code Execution vulnerabilities. In March 2020, Microsoft released a patch for one such vulnerability, CVE-2020-0852. This vulnerability can allow malware to execute on a system when the user merely views a specially crafted Word file in the MS Outlook Preview Pane. Microsoft has warned that the Outlook Preview Pane is also an attack vector for this vulnerability. Again, there are likely many similar unknown vulnerabilities out there. Patching the systems when your employees are working from home, is a time-consuming process. Apart from exploiting zero-day attacks, attackers can now take advantage of this extended patching window to launch attacks.
How can you tackle the new ransomware attacks?
1. Hunt for threats. Constantly update your threat intelligence system with its dynamic threat feeds and stay protected from the growing number of COVID-19-based attacks and malicious domains being created to leverage the panic.
2. Patch your systems regularly. Do not leave out the VPN and remote access platforms. Take the utmost care to patch the endpoint devices used by your remote workforce.
3. Stay updated. Keep a watch on newly discovered malware and configure indicators of compromises based on their file hashes and working methods. This will not prevent the attack from happening but will definitely stop the attack at the early stage and minimise the damage.
4. Make your behavioral analytics solution unlearn and relearn the user and entity behaviour patterns. Reconfigure the system to adjust the risk scores according to the remote working behaviours.
5. Don’t let your employees fall for phishing emails. Communicate with your employees through your internal forums or over email, addressing the phishing attacks going around and teaching them how to avoid bogus emails.
At this time, it is essential for us to take our digital health as seriously as we take our physical health. Stay strong and secured.