Human Operated Ransomware Is Avoidable

engine

10:15 am on Mar 11, 2020 (gmt 0)


Microsoft has described some of today's ransomware as delivering devastating payloads, and it's not all automated attacks. The ransomware has variants of REvil or Samas.
Microsoft describes one "actor" it calls PARINACOTA.
These appear to be attackers that have already gained access to a network and then seek weaknesses within it through misconfigurations or weak passwords.

PARINACOTA:
The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour.


It's an interesting blog post from Microsoft's security team and worth reading.
[microsoft.com...]

lammert

12:52 pm on Mar 11, 2020 (gmt 0)


PARINACOTA's attacks typically brute-force their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network.
Also, one of the other groups the article mentions uses RDP as the first step of the penetration. This leaves me wondering why companies expose their RDP ports to the open Internet, instead of hiding them behind a VPN or other secondary security wall.

RDP is typically used by medium to larger companies to access their multi-user Windows Servers and that by itself makes them an interesting target for ransomware attacks. The common Linux entry port SSH can hide anything from a dollar-a-month shared hosting account to a large computer cluster. That makes it a gamble for an attacker if it is worth breaking into a system through an exposed SSH port. With an RDP port I would assume that the majority of open RDP ports lead to a valuable and exploitable target.
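One way to turn the exposed-RDP concern raised above into a concrete check, as an added example that is not part of this thread or of Microsoft's write-up: a Python detector over Windows Security event 4625 (failed logon) records that flags any source address producing many failed RemoteInteractive (logon type 10, i.e. RDP) attempts within a short window, and lists the distinct account names tried. The event rows, the five-minute window and the five-failure threshold are constructed assumptions for the example; real deployments would read events from the Security log and tune the threshold.

```python
"""Added example: flag RDP password guessing from Windows Security event
4625 (an account failed to log on).  Logon type 10 is RemoteInteractive,
the type an RDP session attempt produces.  Sample rows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the fields an event 4625/4624 carries.
# (timestamp, event_id, logon_type, target_user, source_ip)
SAMPLE_EVENTS = [
    ("2020-03-11T10:00:01", 4625, 10, "administrator", "203.0.113.10"),
    ("2020-03-11T10:00:02", 4625, 10, "admin",         "203.0.113.10"),
    ("2020-03-11T10:00:03", 4625, 10, "test",          "203.0.113.10"),
    ("2020-03-11T10:00:04", 4625, 10, "user",          "203.0.113.10"),
    ("2020-03-11T10:00:05", 4625, 10, "scanner",       "203.0.113.10"),
    ("2020-03-11T10:00:06", 4625, 10, "sqladmin",      "203.0.113.10"),
    ("2020-03-11T10:00:07", 4625, 10, "backup",        "203.0.113.10"),
    ("2020-03-11T10:00:08", 4625, 10, "support",       "203.0.113.10"),
    ("2020-03-11T10:03:00", 4625, 3,  "svc_sql",       "10.0.0.5"),     # network logon, not RDP
    ("2020-03-11T10:04:00", 4625, 10, "jdoe",          "198.51.100.7"), # one mistyped password
    ("2020-03-11T10:05:00", 4624, 10, "jdoe",          "198.51.100.7"), # then success
    ("2020-03-11T11:30:00", 4625, 10, "guest",         "203.0.113.10"), # outside the window
]


def parse_event(row):
    """Turn one sample row into a dict with a real datetime."""
    ts, event_id, logon_type, user, ip = row
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "logon_type": logon_type, "user": user, "ip": ip}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, sorted_distinct_users)}
    for every source that produced at least `threshold` failed RDP logons
    (event 4625, logon type 10) inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            failures[e["ip"]].append(e)

    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        # Sliding window: `start` trails `end` so the span never exceeds `window`.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                if ip not in hits or count > hits[ip][0]:
                    hits[ip] = (count, users)
    return hits


if __name__ == "__main__":
    events = [parse_event(r) for r in SAMPLE_EVENTS]
    for ip, (count, users) in detect_rdp_bruteforce(events).items():
        # Many distinct usernames from one source is the spraying pattern.
        print(f"{ip}: {count} failed RDP logons, {len(users)} accounts tried: {users}")
```

The single failure from 198.51.100.7 followed by a success is ordinary user behaviour and is not flagged; the burst of eight failures across eight different account names from 203.0.113.10 is, and the stray failure from the same address an hour and a half later does not reopen the window. Alerts from this check are only useful if someone acts on them, which is the same point lammert makes about keeping RDP off the open Internet in the first place.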