Researchers from Fox-IT have discovered a new attack vector for ransomware aimed at the enterprise. The attack itself is not new, but the combination of this attack combined with persistence and network analysis prior to activating the ransom is new to Fox-IT.
The NCC Group-owned IT security company said in a blog post today that there are three common methods for distributing ransomware: in weaponized attachments, through phishing links to poisoned sites, and via malvertising. However, the company says it has found a new method: "activating ransomware from a compromised remote desktop server."
Attackers can leverage this approach by brute forcing their way into remote desktop servers that are connected to the Internet – or simply buying compromised credentials from the underground. Once in, they can use privilege escalation methods to seek domain admin status (if they haven't already got it). However, Fox-IT notes that this isn't always necessary "as the compromised user account might have access to all kinds of network shares with sensitive data."
Once in, the attackers have the normal possibilities: data exfiltration, recruiting into a botnet, delivering spam – and now holding the company hostage with ransomware. If internal defenses and network segmentation can limit the reach of the compromised workstation, then the effect of the ransom will be similarly limited. However, if the attacker can get access to more company servers, then the effect and harm of the ransomware will be more critical.
Read More:Compromised RDP Servers Used in Corporate Ransomware Attacks | SecurityWeek.Com
The NCC Group-owned IT security company said in a blog post today that there are three common methods for distributing ransomware: in weaponized attachments, through phishing links to poisoned sites, and via malvertising. However, the company says it has found a new method: "activating ransomware from a compromised remote desktop server."
Attackers can leverage this approach by brute forcing their way into remote desktop servers that are connected to the Internet – or simply buying compromised credentials from the underground. Once in, they can use privilege escalation methods to seek domain admin status (if they haven't already got it). However, Fox-IT notes that this isn't always necessary "as the compromised user account might have access to all kinds of network shares with sensitive data."
Once in, the attackers have the normal possibilities: data exfiltration, recruiting into a botnet, delivering spam – and now holding the company hostage with ransomware. If internal defenses and network segmentation can limit the reach of the compromised workstation, then the effect of the ransom will be similarly limited. However, if the attacker can get access to more company servers, then the effect and harm of the ransomware will be more critical.
Read More:Compromised RDP Servers Used in Corporate Ransomware Attacks | SecurityWeek.Com
