Protecting Your Organization from the Latest Ransomware Threats: 6 Years After the WannaCry Attack

May 12, 2023 | 2 min read

Lorri Janssen-Anessi

Director, External Cyber Assessments


In honor of Anti-Ransomware Day, a look at the latest ransomware attack vectors — supply chain and the Remote Desktop Protocol, plus tips on how to protect your enterprise.

Ransomware remains a persistent threat to all organizations, with the ability to stop business operations, cause reputational damage, and have real-world consequences. Despite ransomware gaining the attention of everyday citizens with attacks like that on Colonial Pipeline that led to fuel shortages, and WannaCry that led to British hospitals diverting patients, ransomware attacks continue to plague organizations. As a result, Interpol has declared May 12, the anniversary of the WannaCry attack, as Anti-Ransomware Day.

One reason ransomware is so hard to eradicate as a threat is that cyber criminals find new pathways to deliver the malware. A newer attack vector is organizations’ digital supply chains, which include the vendors, suppliers, and other third parties with network access. As organizations’ own internal networks become more secure, a third party may have weaker security. If a third party is compromised, the attackers can spread to connected networks, leaving behind malware to enable a ransomware attack. Even if an organization isn’t ransomed itself, having a critical supplier facing an attack can hurt business operations.

Another common attack vector for ransomware is Remote Desktop Protocol (RDP), which is ironically what the cyber criminals exploited for the WannaCry attack. Given the rise of remote work, more organizations are looking for external remote access for employees, but may not always consider all the security implications.

Unfortunately, it is very easy to expose RDP unintentionally by leaving the RDP port open to the internet, including on a forgotten system, cloud instance, or network segment. This protocol, easily detected and exploited, can lead to loss of data, downtime, costly remediation, and brand damage for organizations.

Recently, according to BlueVoyant’s Emerging External Cyber Defense Trends report, threat actors have more frequently probed for open RDP ports as an easy-access attack vector, since they can find vulnerable open RDP services by simply running an external scan of an organization’s network. It is a foregone conclusion that RDP will be targeted at some point if left open on an organization’s network.

To help prevent ransomware attacks, organizations need to consider the security of their supply chain. They should know which vendors, suppliers, and other third parties have network access and which are critical to business continuity. Organizations should then continuously monitor their supply chain so that if any signs of compromise occur, they can quickly work with third parties to remediate the issue.

When it comes to RDP, organizations need awareness of the risks. The ports should always be closed unless there is a valid business reason. Any remote access should be regularly audited by security teams to ensure nothing is unnecessarily left open. For necessary access, organizations should require the use of a VPN and multi-factor authentication, and limit login attempts.
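One way a security team could automate part of that audit for cloud instances, shown here as an added example that is not from the original article. It assumes an AWS security-group export in the shape produced by `aws ec2 describe-security-groups`; the sample groups, their IDs, and the approved-exception list are constructed for illustration.

```python
import json

RDP_PORT = 3389
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" for IPv4 and IPv6

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0001", "GroupName": "forgotten-test-box", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0002", "GroupName": "wide-port-range", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0003", "GroupName": "all-traffic", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0004", "GroupName": "rdp-from-vpn-only", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.8.0.0/24"}]}]},
  {"GroupId": "sg-0005", "GroupName": "approved-exception", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

def rule_allows_rdp(rule):
    """True if the rule's protocol and port range cover RDP (TCP or UDP 3389)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto not in ("tcp", "udp"):
        return False
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)

def rule_sources(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def audit_rdp_exposure(export, approved=()):
    """Return (unapproved, approved) group IDs that expose RDP to the internet."""
    findings, excepted = [], []
    for sg in export["SecurityGroups"]:
        exposed = any(rule_allows_rdp(r) and OPEN_CIDRS & set(rule_sources(r))
                      for r in sg.get("IpPermissions", []))
        if exposed:
            (excepted if sg["GroupId"] in approved else findings).append(sg["GroupId"])
    return findings, excepted

if __name__ == "__main__":
    unapproved, approved = audit_rdp_exposure(SAMPLE, approved={"sg-0005"})
    print("close or restrict:", unapproved)
    print("approved exceptions to re-review:", approved)
```

The check catches the cases that a search for "port 3389" alone misses: wide port ranges, all-traffic rules, and IPv6 sources.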

If you are interested in learning more about how BlueVoyant’s platform can help prevent ransomware, or about other offerings, please contact us.

Lorri Janssen-Anessi is BlueVoyant’s Director of External Cyber Assessments.