This video shows a simulation of a hacker that was able to steal files containing sensitive information and then using ransomware to cover their tracks, after compromising the system through RDP that was accessible through the Internet. In cases such as this, ransomware can impact not only the infected machine, but other systems that support production, finance, sales, customer service, HR, and shipping throughout the corporate facilities.

Preventing business disruption and financial loss is important. Some prudent leadership teams are proactive while other leadership teams believe it will not happen to them. Reactive leadership groups respond to disruption events as their reputation and profitability takes a hit. Understanding where loss is probable and then taking reasonable steps to protect that sensitive data and critical workflows is key.

Whether you are proactive or reactive, data backup is imperative. When cybersecurity efforts fail, having a reliable means to recover lost or corrupted data is very important. For businesses that have a sensitivity to downtime, backup is typically not adequate. Recovery from backup can take days or weeks. Businesses that have a moderate to high cost of downtime need the ability to recover quickly and that is called business continuity.

Attack Details

During the pandemic outbreak, social isolation mandates forced leaderships teams to quickly adapt business operations by supporting remote connectivity for employees working from home. In many instances, leadership and implementation teams sacrificed information security for speed of deployment. They intended to tighten up data and system security when they were less overwhelmed, but support issues have increased with the remote workforce. This has left little time to plug the holes.

In many cases, businesses utilize virtual private networks, also known as VPNs, to allow workers to securely connect to their business systems. However, businesses have also begun using a combination of Remote Desktop access and availability of the internet to allow workers to interact with Desktop systems in order to perform daily tasks.

Remote Desktop access can be a reliable way to interact with devices that are too large to carry around, having a Remote Desktop device that is openly available to the Internet is a major security risk. In the span from January to March, the number of open RDP ports exposed to the Internet jumped from 3 million to more than 4.5 million. Hackers and cyber criminals often target these open ports in password spray attacks, where the goal is to find vulnerable machines, package them as a portfolio, and then auction or sell them to criminal organizations that deploy ransomware for profit.

Many organizations hit with ransomware do not know if their sensitive data has been exfiltrated (copied) from their systems. A new trend is picking up momentum within the criminal community, because their deal size and close rate is improving. Criminal groups and enterprises are auctioning off the sensitive data stolen from the companies they compromise. This sales tactic is effective because it is aimed at coercing victims to pay and publicly shaming those who decided to not pay. During a time when businesses are struggling to meet goal during the unprecedented economic slowdown caused by the COVID-19 pandemic.