
Ransomware preys on SMBs via RDP attacks, spam emails

August 05, 2019

Small and medium-sized businesses (SMBs) continue to be big targets for cybercrooks. A whopping 71 percent of ransomware attacks target SMBs, according to UK-based specialist insurer Beazley.

The report, titled Beazley 2019 Breach Briefing, is based on information gathered from investigations into more than 3,300 data incidents reported to Beazley Breach Response services in 2018. The report unveiled some facts every small business owner should know: attackers are becoming better at crafting sophisticated spam emails that succeed against SMBs, and Remote Desktop Protocol (RDP) attacks are gaining steam.

Ransomware attacks via RDP

Threat actors' use of RDP as an attack vector to launch ransomware attacks has become increasingly common in the last few years. While RDP can be a very effective productivity tool -- it lets you connect to a remote desktop -- leaving it exposed or misconfigured gives attackers a way into your machines.

Cybercriminals scan the internet for systems with open RDP ports and use brute-force tools to log in to a machine. Once they gain access, they disable any installed security solution, such as antivirus, and then launch the ransomware.

Ransomware families such as SamSam, CryptON and CrySIS have all been spread through RDP attacks. So, what can an SMB do to prevent RDP attacks?

First, don’t leave your RDP ports open to the internet.

“We recommend disabling Microsoft's RDP if possible or any other potentially vulnerable services that could be used to access the machine. Use secure remote access tools that encrypt the traffic [and] that require strict authentication (2FA/MFA). If you must use RDP, make sure that it is restricted based on IP or MAC address,” said Tyler Moffitt, security analyst at Webroot.
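The brute-force phase described above leaves a trail in the Windows Security log. The following is an added example (not from the article, Webroot or Carbonite) that scans a constructed, simplified export of logon events for bursts of failed RDP logons (Event ID 4625, logon type 10) from one source address and reports whether a successful RDP logon (Event ID 4624) from that address followed the burst. The one-line field layout and the event lines are constructed for the example; a real export would be parsed from EVTX or CSV.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real log data): timestamp, event id, logon type, account, source IP.
# Logon type 10 = RemoteInteractive (RDP). With NLA enabled, failures can also appear as
# type 3, so a production detector should accept both.
SAMPLE_EVENTS = """\
2019-08-05T02:14:01 4625 10 administrator 203.0.113.7
2019-08-05T02:14:03 4625 10 admin 203.0.113.7
2019-08-05T02:14:05 4625 10 backup 203.0.113.7
2019-08-05T02:14:08 4625 10 scanner 203.0.113.7
2019-08-05T02:14:11 4625 10 administrator 203.0.113.7
2019-08-05T02:14:15 4625 10 admin 203.0.113.7
2019-08-05T02:15:30 4624 10 admin 203.0.113.7
2019-08-05T08:59:10 4625 10 jsmith 192.0.2.10
2019-08-05T09:00:00 4624 10 jsmith 192.0.2.10
"""

EVENT_RE = re.compile(r"^(\S+) (4624|4625) (\d+) (\S+) (\S+)$")

def parse_events(text):
    """Parse the constructed one-line format into (timestamp, event_id, logon_type, account, ip)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:  # silently skip lines that do not match the expected layout
            ts, eid, ltype, account, ip = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), account, ip))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "success_after": account-or-None}} for every source IP
    with at least `threshold` failed RDP logons inside `window`; success_after names the
    account of the first successful RDP logon from that IP after the burst, if any."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, account, ip in events:
        if ltype == 10:
            (failures if eid == 4625 else successes)[ip].append((ts, account))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            j = i  # extend the burst while consecutive failures stay inside the window
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                later = [acct for ts, acct in successes.get(ip, []) if ts >= fails[j][0]]
                findings[ip] = {"failures": j - i + 1, "success_after": later[0] if later else None}
                break
    return findings

if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)))
```

A burst followed by a success is the case worth paging on: it matches the point in the attack chain where the intruder is now logged in and about to disable security tooling.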

Spam email or invoice?

Spam emails continue to be a classic ransomware delivery method -- more than 90% of all malware is delivered via email. Threat actors send out spam emails -- often disguised as invoices -- with an attached Office document that embeds malicious macros.

While macros can help you automate repetitive tasks, cybercriminals use malicious macros for executing ransomware attacks. 

The spam email is crafted in a way that tricks victims into enabling the macro. This in turn downloads the malware and allows it to perform its intended action.

“Disable macros if possible and any unused file types like scripts. Malware leverages many individual components to launch attacks; should a component be disabled (PowerShell for example) the attack can fail before any damage is done,” Moffitt said.

Protecting against ransomware

Successful ransomware attacks can be devastating for SMBs -- downtime continues to be a real threat of ransomware. Apart from implementing security awareness training to educate users on what attack methods look like, having an effective backup and recovery strategy is imperative for business continuity.

“It's really good to have a backup and not just any backup, but one that has also stored cloud-based copies of your files,” Moffitt recommended.

Start protecting your endpoints today with Carbonite Endpoint 360. Implementing a comprehensive, automatic backup solution like Carbonite Endpoint 360, for all your endpoint devices and the data that resides on them -- including data in Microsoft O365 -- helps protect against ransomware, accidental deletions, overwriting and other threats.

Moffitt’s advice for SMBs: Learn about current malware trends, exploits and vectors of attack.

“Being educated in how attacks happen can help you prevent them for your users.”