Extortionary attacks target Australian businesses due to poor security in their infrastructure. Is the security of your company's ICT sufficient?

Ransomware, a type of malware, is an increasingly popular type of extortionist cyberattack, which encrypts data on infected computers or completely locks you out and holds your data or device hostage, with the attackers offering a decryption or return of access in exchange for a ransom.

According to Avast, the number of ransomware attacks in Australia increased by 10% during the height of the pandemic in March and April, compared to January and February 2020, and ransomware attacks in Australia have still continued.

One of the latest attacks was on Isentia, an Australian media monitoring provider, which was attacked by ransomware in late October this year and experienced massive disruptions to its SaaS platform Mediaportal The company reported that the attack on its cloud platform would cut annual profits by between $7m to $8.5m after it severely compromised the delivery of services to customers.

Although you may only ever hear of ransomware attacks on large businesses in the media, like Isentia, small and medium businesses should still be very aware of ransomware and the potential vulnerabilities in their businesses infrastructure.

Dangerous business infrastructure

Attackers on businesses most often target out-of-date or poorly secured software, not only with malicious code on compromised websites, or through phishing emails, which is one of the most common approaches, but also through Remote Desktop Protocol (RDP), a proprietary solution created by Microsoft to allow connection to the corporate network from remote computers.

With the COVID-19 crisis, the ability to remotely connect to another machine using RDP has essentially changed the way many companies around the world run their businesses, and employees are no longer tied to their workplaces.

The very principle of running an RDP client on a home laptop and connecting with an encrypted connection to the machine on which the software counterpart - the RDP server - is running is very simple. Unfortunately, if this feature is not properly managed and configured, it can serve as a way for hacker attacks. The first example can be the vulnerability of the RDP system itself. It appears from time to time and the attacks are most effective against older and out-of-date systems.

More often, we see so-called brute force attacks on weak credentials, where malware constantly tries to figure out the character combination until it finds the correct password. Weak passwords and, of course, reused passwords from other services that may have been compromised will therefore allow for easy access to a business’ system. The attacker then logs in as an authorised user (often with administrator rights) and then manually uploads and runs ransomware in the system. Data from the Shodan.io say that there are millions of such publicly available devices with RDP open worldwide.

The damage after such an attack can be astronomical. The amount that the victim has to pay (which is not recommended) varies from case to case. In ordinary attacks it is on average about 600 US dollars, in targeted attacks on specific organisations it can be even millions of dollars..

What to do for effective business cyber security?

It is better to protect yourself against ransomware attacks systemically, specifically by deploying strong security solutions that include the latest malware protection features.

The best way to prevent ransomware attacks is to stop the malware from accessing your computer or device, so you should have an effective, top-quality antivirus program with a strong ransomware protection tool and RDP protection, like Avast Business Antivirus which has Remote Access Shield to protect your devices from RDP vulnerabilities.

Common sense still works very well against phishing attacks, which are still the most popular way of distributing malware, including not clicking links you receive from unknown contacts. - However, if malware is downloaded making sure your antivirus, operating system and software is up to date can help prevent it from infiltrating your devices.

Apart from this, the entire business infrastructure should be remotely accessible only via a virtual private network (VPN). It is also essential to block the RDP access from the internet and leave it accessible only within the internal network. The default ports (port 3389 for RDP) can be secured at the firewall level. If the company does not need the RDP for its daily operations, it is better to turn it off completely.

Strong passwords and two-factor authentication where possible should also be commonplace for all employees, especially on administrator accounts.

It is also crucial to manage employees' access rights and to implement the Zero Trust principle - a security concept that requires all users, even those inside the organisation’s enterprise network, to be authenticated, authorised, and continuously validating security configurations, before being granted or keeping access to applications and data - to reduce the impact of potential security vulnerabilities, including removing access of administrative privileges for staff that don’t require them.

Finally, the absolute baseline prevention of company data loss due to a ransomware attack is regularly backing up, ideally to an external storage or the cloud, as the ransomware may not disappear in the foreseeable future and this way, you still have all your files.

Jakub Kroustek, is Malware Research Manager at Avast, a global leader in digital security and privacy products