The growing threat from sophisticated ransomware syndicates had already exposed the weaknesses of VPN security solutions. With the outbreak of COVID-19, the subsequent rush to remote working, and the resulting proliferation of corporate VPNs, the risk of ransomware attacks has only increased. Whether an organization pays the ransom or not, the disruption to operations can be debilitating.
Ransomware Pivots to the Enterprise
Criminal developers quickly learned how to multiply the return on their ransomware operations by creating an affiliate-based business model. They not only provide software to encrypt targeted computers, but also package it with communications systems for conducting the extortion, and fulfillment systems for providing decrypt codes and accepting cryptocurrency payoffs. In exchange for a cut of the ransoms, these Ransomware-as-a-Service (RaaS) operations help other criminals conduct attacks.
Originally, RaaS customers were amateurish operations. They conducted high volume, low return attacks based on spamming and phishing individuals and smaller organizations. But now RaaS syndicates are moving upstream to the enterprise.
A recent report from threat prevention firm Advanced Intelligence documented the Russian-speaking NetWalker syndicate’s creation of an affiliate program for more sophisticated cybercriminal operations. Posting to Dark Web forums, they said they were “only interested in candidates who have a solid source for network extraction” and only wanted affiliates “who prioritize quality, not quantity.” These new players have deep experience in network infiltration and can attack enterprise-level targets for much higher payoffs.
Double the Extortion, Double the Profit
Paralyzing your business systems to generate ransom payments is no longer the only goal these bad actors have in mind. Before unleashing the encryption, NetWalker’s software maps the network and all attached resources. It also includes tools for exfiltrating data from the network without detection.
In May 2020, another Russian syndicate, REvil, demanded a $21 million ransom from Grubman Shire Meiselas & Sacks, a law firm that counts prominent celebrities as clients. Not only had REvil encrypted the law firm’s systems, but they had also exfiltrated 756 gigabytes of data about the firm’s A-list clients. When the firm refused to pay, REvil released data about Lady Gaga and raised the ransom to $42 million.
Ransomware Enters the Age of COVID
Ransomware attacks have escalated in both frequency and severity over the past few years. In 2019 alone, more than 140 local governments and hospitals fell victim to ransomware attacks, a 65% increase over the previous year. DCH Health Systems stopped accepting new patients when ransomware paralyzed critical systems. Even after paying the ransom, the hospital’s IT staff spent weeks bringing the full network back online. Since then, DCH patients have filed a class-action lawsuit. Not only are they suing for disruption of care, but they also accuse DCH of potential loss of patient data and of violating HIPAA healthcare privacy regulations.
The COVID-19 pandemic has made things much worse as entire companies shifted to remote working and dramatically expanded the attack surface available to bad actors. The rush to install more VPN gateways punched holes in security procedures designed for the office-based workforce. And security administrators suddenly had to deal with a mishmash of work and personal devices accessing the most sensitive resources on their networks.
A Microsoft Threat Intelligence Center advisory highlighted the risk to healthcare organizations in particular. The company cited ransomware syndicates that target hospitals and other organizations “that haven’t had time or resources to double-check their security hygiene.” Reeling from the COVID-19 pandemic, hospital IT departments burdened with competing priorities are missing the basics. “We identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure,” Microsoft said.
In addition to healthcare organizations, the list of impacted companies includes various multinationals like cruise operator Carnival Corp., logistics provider Toll Group, and electronics companies LG and Xerox.
Ransomware 101: How VPNs Become a Security Threat
The US Cybersecurity & Infrastructure Security Agency (CISA) warned that in the midst of COVID-19, “As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.” The agency encouraged organizations to adopt a heightened security posture and make their networks more secure.
Unfortunately, network security too often falls below other priorities. The highest-profile ransomware attack of 2020 happened just as the clock struck twelve on New Year’s Eve. The currency exchange firm Travelex faced a multi-million-pound ransom demand from the Sodinokibi syndicate (another name for REvil). Not only were Travelex’s critical systems inaccessible, but the crime syndicate threatened to release confidential customer data if Travelex did not pay up. The company’s 1,200 retail outlets were relegated to processing transactions by hand, causing more than £25 million in losses. The attack and the business impact of COVID-19 ultimately pushed Travelex into insolvency.
How did the attack happen? Travelex relied on VPN solutions from Pulse Secure for network remote access. In early 2019, critical vulnerabilities were found in Pulse Secure’s enterprise VPN gateways. As outlined by CISA at the time, the vulnerability lets unauthorized users request the contents of /etc/passwd or obtain the data.mdb object, which contains plaintext user credentials. Other vulnerabilities allowed remote code execution and session hijacking, and exposed the admin web console. Pulse Secure issued patches for all affected gateways in April 2019.
Travelex waited eight months to patch its VPN gateways, and by then the damage was done.
Despite the availability of a patch since April 2019, and the publicity generated by the Travelex attack, at least 900 Pulse Secure VPN servers remained unpatched and vulnerable as recently as July 2020.
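A defender-side check for the file-read flaw described above, as an added example that is not code from the article or from Pulse Secure: it scans gateway access logs for requests that, once URL-decoded and normalised, reach /etc/passwd or data.mdb, the two files the text says unpatched gateways exposed. The log lines and the list of sensitive file names are constructed for illustration.

```python
"""Scan gateway access logs for reads of /etc/passwd or data.mdb via path traversal.
Added example, not code from the article or from Pulse Secure. It flags requests that,
once URL-decoded and normalised, reach either file the article says the unpatched
gateways exposed. Log lines are constructed in Apache/nginx combined format.
"""
import posixpath
import re
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Files the appliance web front end must never serve (assumed list; extend for your product).
SENSITIVE_SUFFIXES = ("/etc/passwd", "/data.mdb")

def decode_path(raw_path: str) -> str:
    """Drop the query string and percent-decode twice to defeat double encoding."""
    return unquote(unquote(raw_path.split("?", 1)[0]))

def normalise_path(raw_path: str) -> str:
    """Collapse '.' and '..' segments the way a lenient server would."""
    return posixpath.normpath(decode_path(raw_path))

def is_sensitive_request(raw_path: str) -> bool:
    """True for any traversal attempt or any path resolving to a sensitive file."""
    decoded = decode_path(raw_path)
    if "/../" in decoded or decoded.endswith("/.."):
        return True
    return normalise_path(raw_path).endswith(SENSITIVE_SUFFIXES)

def find_sensitive_requests(log_lines):
    """Return (client_ip, method, path, status) per flagged line; a 200 means the file was served."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and is_sensitive_request(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines; 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [31/Dec/2019:23:58:01 +0000] "GET /login HTTP/1.1" 200 5120',
    '203.0.113.77 - - [31/Dec/2019:23:59:12 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.77 - - [31/Dec/2019:23:59:15 +0000] "GET /static/%2e%2e/%2e%2e/config/data.mdb HTTP/1.1" 200 262144',
    '203.0.113.10 - - [01/Jan/2020:00:00:03 +0000] "POST /login HTTP/1.1" 302 0',
]
```

Flagged lines with a 200 status are the ones to treat as confirmed credential exposure, which is exactly the case where the NSA's reset-everything guidance below applies.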
Patching Over the VPN Problem
In October 2019, the US National Security Agency issued an alert reminding organizations with compromised enterprise VPNs from Pulse Secure, Palo Alto Networks, and Fortinet that they should:
- Immediately upgrade their VPN to the latest version;
- Reset credentials before reconnecting the upgraded devices to an external network;
- Review their network accounts to ensure adversaries did not create new accounts;
- Update VPN user, administrator, and service account credentials;
- Revoke and create new VPN server keys and certificates.
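The account-review, credential-rotation and certificate-reissue steps above can be checked mechanically against an export of the gateway's accounts and key material. The following is an added example, not code from the article or from the NSA alert; the account records, the date fields and the timeline are constructed and assume a simple inventory export.

```python
"""Post-compromise VPN account and key audit (added example, not from the article or NSA).
Checks the alert's steps an export can answer: accounts absent from the pre-incident baseline,
accounts created while the gateway ran unpatched, credentials not rotated after patching,
and whether the server certificate was reissued. Records and field names are constructed.
"""
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    name: str
    kind: str               # "user", "admin" or "service"
    created: date
    password_changed: date

def audit_accounts(baseline_names, current, exposed_since, patched_on):
    """Return findings keyed by check; every listed name needs a human to vouch for it."""
    baseline = set(baseline_names)
    findings = {"new_accounts": [], "created_while_exposed": [], "stale_credentials": []}
    for acct in current:
        # Accounts missing from the baseline may have been added by the intruder.
        if acct.name not in baseline:
            findings["new_accounts"].append(acct.name)
        # The baseline itself may post-date the compromise, so also flag anything
        # created during the window in which the known flaw was unpatched.
        if exposed_since <= acct.created <= patched_on:
            findings["created_while_exposed"].append(acct.name)
        # Credentials set before patching may have been read from the gateway (data.mdb).
        if acct.password_changed <= patched_on:
            findings["stale_credentials"].append(acct.name)
    return findings

def certificate_reissued(cert_not_before: date, patched_on: date) -> bool:
    """True only if the server certificate was issued after the upgraded gateway went live."""
    return cert_not_before > patched_on

# Constructed timeline: the vendor fix existed, but this gateway stayed unpatched from
# EXPOSED_SINCE until PATCHED_ON; the baseline export was taken in between.
EXPOSED_SINCE = date(2019, 5, 1)
PATCHED_ON = date(2020, 1, 3)
BASELINE_ACCOUNTS = ["alice", "bob", "svc-backup", "vpn-admin"]
CURRENT_ACCOUNTS = [
    Account("alice", "user", date(2018, 5, 2), date(2020, 1, 4)),
    Account("bob", "user", date(2018, 5, 2), date(2019, 11, 20)),          # never rotated
    Account("svc-backup", "service", date(2019, 8, 15), date(2020, 1, 4)),  # in baseline, created while exposed
    Account("vpn-admin", "admin", date(2018, 1, 10), date(2020, 1, 4)),
    Account("support2", "admin", date(2019, 12, 28), date(2019, 12, 28)),  # unknown admin account
]
CERT_NOT_BEFORE = date(2019, 3, 15)  # issued before patching: revoke and reissue
```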
Regardless of which VPN solution an enterprise uses, the weaknesses inherent to VPN technology require a patchwork of countermeasures. VPNs announce their presence on the public internet along with other information useful to bad actors. Easy-to-find tools let anyone scan for entry points into the network. And if a VPN gateway is compromised, the actor has full access to the network.
Security teams have responded to these weaknesses by applying multiple layers of defense. Responding quickly when vendors issue patches is essential. But applying patches and revoking keys and credentials is disruptive, and VPN gateways must be available 24x7.
Grouping resources on subnetworks protected by separate VPN gateways limits the risk exposure. However, this increases the maintenance overhead and forces users to remember which VPN server they need to connect to.
Training all employees on security is essential. Yet employees are struggling with new work-from-home business processes, homeschooling children, and worrying about relatives vulnerable to COVID-19. Security is not their highest priority.
Even with a perfectly executed backup strategy and a willingness to pay off the attackers, any ransomware attack will cause data loss. And if the bad actors have had free access to your network for months, the integrity of those backups will be questionable.
As a last resort, organizations should get cybersecurity insurance. Just keep in mind that these policies do not cover all of the expenses victims of an attack incur. Additionally, the funds may not arrive for months.
Twingate Offers Better Ransomware Protection Than VPNs
Twingate’s zero trust security solution provides the protection your remote workforce needs while eliminating the security weaknesses VPN solutions create. In Threat Post’s coverage of a recent ransomware attack, Tripwire executive Tim Erlin explained that “The first line of defense against ransomware is to prevent it from getting inside in the first place.” However, the VPN concept of a network-based perimeter leaves all of your network resources vulnerable to anyone the VPN gateway lets through.
Twingate treats the network itself as a potential threat vector and focuses on protecting each resource on it. Every user and every device must be authenticated and authorized to access a resource. Even then, users are not placed on the network. Traffic from the always-on Twingate client is proxied through to the resource — and fully encrypted. All sessions are ephemeral, forcing users and devices to re-authenticate or re-authorize every time.
Unlike VPN solutions which broadcast their presence on the open internet, Twingate operates on a need-to-know basis. There is no public gateway that can be scanned, so there are no obvious targets nor entryways that need to be vigilantly patched. All resources are hidden.
The rigidity and brittleness of VPN-based security solutions make applying least-privilege access policies very difficult. Since Twingate overlays onto your existing network and works with your existing identity provider, you can easily limit every employee’s access to just the resources they need and only let them access those resources from specific devices and in specific contexts. This limits lateral propagation of ransomware and other malware.
With Twingate security, you can prevent and contain ransomware and malware attacks. Groups like REvil and NetWalker may be able to social engineer their way into one resource, but that no longer means that the entire network is compromised.
Contact Twingate to learn more about securing your remote workforce.