Ransomware Attackers Target Teleworkers to Boost Ransomware Payments


Prior to COVID-19, few organizations had telework policies in place. Despite research to the contrary, many companies operated under the belief that employees are more efficient and effective while working from the office.

During the pandemic, many organizations were forced to rapidly transition many or all their employees to telework in order to maintain operations while complying with guidance designed to help curb the spread of the virus. Many organizations were unprepared to support this sudden shift to remote work in a secure fashion.

Exacerbating this issue, cybercriminals took advantage of the shift to telework. By targeting vulnerabilities in organizations’ remote work infrastructure, cybercriminals have increased the success of ransomware attacks, placing organizations’ data security at risk.

Teleworkers Create New Security Risks

Employees working from a home office introduce several cybersecurity threats. Common problems include susceptibility to phishing emails and “shadow IT”, where employees bypass the organization’s security policies when those policies and procedures become annoying or impede their ability to work effectively.

When working remotely, employees have the same cyber risks as on-site staff. However, these teleworkers also create unique risks to the organization due to their offsite location. Some common cybersecurity risks introduced by telework include:

  • Use of untrusted devices: Many organizations lacked sufficient company-owned devices for teleworkers during the COVID-19 pandemic. To compensate, employees were allowed to work from personal devices, which are unlikely to comply with the organization’s security policy, install regular security updates, or run the corporate antivirus. Allowing these devices to be used for business purposes increases the probability of data breaches or other security incidents.
  • Connections to insecure networks: When working remotely, employees are connected to personal or public Wi-Fi networks rather than to one owned and operated by the business. This increases their exposure to cybercriminals who can use access to these insecure networks to eavesdrop on communications or steal data from machines configured to trust other devices on their home network.
  • Direct connectivity to the public Internet: Many organizations have required the use of a virtual private network (VPN) to secure communications with the enterprise network. However, issues with VPN scalability have resulted in some switching to split-tunnel VPNs, which only carry data intended for the corporate network. By allowing traffic bound for the public Internet to flow directly to its destination, these organizations lose visibility into business traffic and increase the probability that employees’ devices will be infected by malware, since their Internet-bound traffic no longer benefits from the organization’s cybersecurity deployment. These malware infections can then spread to the enterprise network via the employee’s secure VPN connection.
  • Increased exposure to account takeover attacks: With employees working from home, organizations are increasingly reliant upon cloud infrastructure and solutions that enable employees to remotely control on-site devices, such as the Remote Desktop Protocol (RDP). These solutions, which require exposing login pages to the public Internet, increase an organization’s vulnerability to credential stuffing and other account takeover attacks.

These are only a few of the cybersecurity risks that an organization introduces with a remote workforce if the proper steps are not taken to secure it. These increased risks are exacerbated by the fact that, with everyone working remotely, an organization’s ability to manage a cybersecurity incident is degraded since the incident response team is also off-site and incapable of responding in person.

Ransomware Operators Exploit Poor Telework Security

During any crisis, cybercriminals will take advantage of the atmosphere of fear, uncertainty, and doubt to increase the effectiveness of their attacks. The most obvious sign of this during COVID-19 was the massive increase in phishing emails using the pandemic as a pretext to trick targets into clicking links or opening malicious attachments.

However, this is not the only way in which cybercriminals took advantage of the pandemic. During COVID-19, ransomware operators achieved a greater level of success, with ransomware payouts growing by a third compared to the previous quarter.

This growth was made possible by the fact that organizations were increasingly reliant upon RDP to support their remote workforce. RDP enables a user to log into a device with their credentials for the system and remotely control it. Since password strength, security, and uniqueness are a major problem for the average employee, this makes RDP an easy target for cybercriminals.

COVID-19 inspired more organizations to open up RDP to the public Internet. As a result, cybercriminals were able to use it and lists of passwords exposed in data breaches to access corporate machines, install ransomware, and collect a higher rate of payouts from organizations desperate to maintain operations.
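One way a defender can spot the password-list attacks on exposed RDP described above, shown as an added example that is not part of the original article: group Windows logon events by source address and flag sources that fail against many distinct accounts. The record layout (Security events 4625 and 4624 exported as dictionaries), the thresholds, the function name and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records shaped like Windows Security events exported to
# JSON. 4625 = failed logon, 4624 = successful logon. LogonType 10 is
# RemoteInteractive (RDP); with Network Level Authentication, RDP failures
# are often recorded as type 3 (Network).
EVENTS = (
    # One source trying breached passwords against many accounts
    [{"EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": u}
     for u in ["alice", "bob", "carol", "dave", "erin", "alice"]]
    + [{"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "erin"}]
    # A user mistyping their own password: few failures, a single account
    + [{"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "frank"}] * 2
    + [{"EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "frank"}]
    # Local console failure, not a remote logon
    + [{"EventID": 4625, "LogonType": 2, "IpAddress": "-", "TargetUserName": "alice"}]
)

REMOTE_LOGON_TYPES = {3, 10}

def flag_sources(events, min_failures=5, min_users=3):
    """Return {ip: summary} for sources whose failures span many accounts."""
    failed = defaultdict(list)      # ip -> usernames of failed attempts
    succeeded = defaultdict(set)    # ip -> usernames that logged on
    for ev in events:
        if ev.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress")
        if not ip or ip in ("-", "127.0.0.1", "::1"):
            continue                # no usable remote source address
        user = ev.get("TargetUserName", "").lower()
        if ev["EventID"] == 4625:
            failed[ip].append(user)
        elif ev["EventID"] == 4624:
            succeeded[ip].add(user)
    findings = {}
    for ip, users in failed.items():
        distinct = set(users)
        if len(users) >= min_failures and len(distinct) >= min_users:
            findings[ip] = {
                "failures": len(users),
                "distinct_users": len(distinct),
                # Any success from a flagged source warrants a password
                # reset and a review of that session.
                "successful_logons": sorted(succeeded[ip]),
            }
    return findings
```

Requiring several distinct usernames per source is what separates this pattern from an employee repeatedly mistyping one password.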

Ensuring Data Security and Business Continuity

The switch to remote work caught many organizations off-guard. The lack of advance preparation meant that the initial focus was on ensuring that the business could continue operating at all during the pandemic. In this initial rush to support telework, security took second place and many employees worked remotely using insecure devices and workflows.

Cybercriminals took advantage of this, enabling a massive growth in successful ransomware attacks, in addition to other successful campaigns using COVID-themed phishing emails and other malware. As organizations consider extending their support for telework past the end of COVID – and possibly indefinitely – it is important to design and implement strategies and solutions that enable employees to work remotely not only efficiently but securely as well.

