Ransomware Red Flags

Ransomware attacks are a growing concern for businesses of all sizes, but especially for mid-sized companies that may not have the extensive resources of larger corporations. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently released an advisory detailing common vulnerabilities and misconfigurations that ransomware operators exploit. Read on for the key findings and how to protect your business from the most common ransomware entry points.

Ransomware Targets

CISA’s advisory focuses on five primary areas that are often targeted by ransomware operators:

1. Remote Desktop Protocol (RDP): Attackers often exploit weak or compromised RDP credentials to gain unauthorized access. CISA recommends multi-factor authentication as a mitigation strategy.

2. File Transfer Protocol (FTP): FTP is vulnerable to unauthorized access and data manipulation.  Switch to SSH File Transfer Protocol (SFTP) to improve security.

3. TELNET: The cleartext userid/password authentication can be easily intercepted and is generally associated with very old devices or poorly secured home routers.  Use SSH with key-based authentication, or better don’t expose this admin interface to the internet.

4. Server Message Block (SMB): SMBv1 communicates in cleartext, making it susceptible to interception. Upgrading to the latest version and using encrypted VPNs is advised.  This really isn’t something that should be facing the internet.

5. Virtual Network Computing (VNC): VNC allows remote desktop sharing over an unencrypted connection, often with week password authentication. Use a VPN or SSH tunnels to protect VNC sessions with strong authentication.

The vulnerabilities listed by CISA are not new, but they continue to be exploited because so many businesses leave these exposed – often by accident. The key takeaway here is never to expose these services to the Internet and only to enable them where needed. It’s crucial to have a plan to retire outdated and insecure protocols like FTP, TELNET, and SMBv1.   All of these allow usernames and passwords to be easily captured; and they are often associated with legacy and outdated hardware and software.

Robust vulnerability management processes and regular security reviews can help you identify where these are in your network and help you with the security architecture to protect these admin interfaces.  

For mid-sized companies, the the CISA ‘Blueprint for Ransomware Defense’ can serve as an excellent starting point. It provides a comprehensive action plan for ransomware mitigation, response, and recovery.

How FoxTech Can Help

At FoxTech, we understand the unique challenges faced by mid-sized companies in the UK. Our suite of services is designed to help you address these vulnerabilities effectively:

1. FoxTech Defend: Our cloud-first managed SIEM service, backed by a UK SOC, provides real-time monitoring and alerts, helping you identify and respond to unauthorized access attempts on RDP, FTP, and other vulnerable protocols.

2. FoxTech Assure: This automated vulnerability scanning and detection service can help you identify outdated protocols and missing patches, enabling you to take corrective action before attackers exploit these weaknesses.

3. FoxTech Verify: Our penetration testing services offer plain English reports with actionable recommendations. We can identify vulnerabilities and suggest achievable remediation steps.

Conclusion

The recent CISA advisory serves as a timely reminder of the ever-present threat of ransomware attacks. By understanding these common vulnerabilities and taking proactive steps to mitigate them, you can significantly reduce your risk. FoxTech is here to assist you every step of the way, offering tailored solutions that fit the needs of mid-sized UK companies.

For more information on how FoxTech can help you bolster your cybersecurity defenses, feel free to get in touch with us

Further Reading

• Stop Ransomware | CISA
• A guide to ransomware – NCSC.GOV.UK