Geeks for your information Security Security Vendors EmsiSoft Emsisoft Blog Articles v
Spike in ransomware predicted as remote workers return to office
Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Spike in ransomware predicted as remote workers return to office
harlan4096 Online
MalWare Zoo Team
*******
Posts: 12,794
Threads: 8,840
Thanks Received: 8,732 in 6,893 posts
Thanks Given: 9,634
Joined: 12 September 18
#1
Information  05 June 20, 10:25
Quote:
[Image: logo.svg]

COVID-19 set the scene for an explosion of ransomware incidents. As companies pivoted to remote working with little time to prepare, certain compromises had to be made in the interest of business continuity; for many businesses, this meant loosening security protocols to help employees remain productive.

But despite the near perfect-storm conditions, the rate of ransomware incidents remained stable. However, it’s unlikely that this trend will continue. While certain sectors have enjoyed a brief respite from ransomware, we believe that we may see a resurgence in attacks in the coming weeks as remote workers — and their potentially compromised devices — return to the office.
 
[Image: ID-Ransomware-Daily-Submissions-in-the-L...36x538.png]
ID Ransomware daily submissions in the last six months (from date of publication)

Ransomware not connecting to C2 servers

Most modern ransomware strains are delivered in multistage attacks that allow threat actors to learn more about the infected system before deciding whether or not to deploy ransomware.

The first stage of an attack is mostly reconnaissance. After a system has been compromised, attackers use first-stage malware to survey the infected endpoint and evaluate the value of the target. The malware uses multiple plugins to periodically query installed software, scan networks, and retrieve system information.
If the malware determines the system to be an appropriate target, it establishes a connection (sometimes referred to as a call home) with the attacker’s command and control (C&C) server, which is used to download ransomware and maintain communication between threat actors and the compromised system.

On the other hand, if the system is deemed to be an unsuitable target, the call home is not triggered and the ransomware is not deployed.
We believe that the latter scenario may explain the unexpectedly flat rate of ransomware incidents in recent months. Given that so many people are now working from home, a high number of compromised endpoints may have been categorized as unsuitable targets, which would prevent malware from establishing a connection with attackers’ C&C servers and contribute to the apparent lull in ransomware incidents.

Ransomware to spike when people return to workBecause call homes are not being triggered and ransomware is not being deployed, there’s a good chance that many remote workers are currently working from compromised endpoints, completely oblivious to the fact that they’re harboring malware. The malware may lay dormant for weeks or even months (the average dwell time, which is defined as the time between initial compromise and detection, is 56 days, according to FireEye) waiting for the right opportunity to connect to its C&C server.

That opportunity may be just around the corner. With states gradually reducing social distancing rules, we expect to see a spike in ransomware incidents as employees return to the office and connect compromised endpoints to corporate networks. This may trigger the malware’s call home function and trigger a sequence of events that ultimately leads to the deployment of ransomware.

Recommended actions for businesses

Organizations of all sizes must ensure devices used for remote work are not compromised prior to permitting them to be connected to the company network. Below are some effective strategies to mitigate the risks of bringing devices used to work from home, back into the workplace:
  • Network segmentation: The most effective way to protect the company network is to create a subnetwork specifically for endpoints that were previously used remotely. Segmentation prevents malware from moving laterally across a network and allows IT teams to easily isolate and control incidents.
  • Device security checkup: Make sure that there have been no policy violations such as missed scheduled scans, unapproved software installations, and unusual login patterns.
  • Reimage devices: If employees have been working remotely for a significant amount of time, businesses should consider reimaging work-issued devices to eliminate the risk of malware infection.
  • Cybersecurity awareness training: As employees return to the workplace, updated cybersecurity awareness training can help reduce malware infections, avoid security policy violations, improve company productivity, and achieve compliance.
Conclusion

While ransomware has remained stable or even declined in some sectors in recent weeks, this trend is unlikely to continue. We anticipate ransomware incidents spiking as remote workers return to the office with compromised devices, but companies have options to mitigate this threat.
...
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • ismail
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
AMD “Strix Halo” Zen5 & RDNA3.5 premium ...
AMD first ultra-hi...harlan4096 — 08:54
Malwarebytes 5.1.3.110
Malwarebytes 5.1.3...Mohammad.Poorya — 00:51
Music Videos
Billy Joel - The Riv...jAcos — 17:24
Movies! Movies!
Beverly Hills Cop: A...jAcos — 17:22
TV Series
Matlock Kathy Bat...jAcos — 17:16

[-]
Birthdays
Today's Birthdays
avatar (42)techlignub
avatar (41)Stevenmam
avatar (48)onlinbah
Upcoming Birthdays
avatar (43)wapedDow
avatar (49)steakelask
avatar (43)Termoplenka
avatar (41)bycoPaist
avatar (47)pieloKat
avatar (41)ilyagNeexy
avatar (49)donitascene
avatar (49)Toligo

[-]
Online Staff
harlan4096's profile harlan4096
Administrator
zevish's profile zevish

>