Why does Ransomware keep appearing in your news feed?

Published on: December 9,2020 Published in: Cyber Security Insights

Ransomware is not new, it is not like a Zero-day vulnerability where nobody knows it’s coming, but it is still highly effective, and its impact should not be underestimated.

In this post we will investigate why it is so devastating to IT and networks and answer the question – what can you do to reduce your chance of being impacted?

What is Ransomware and why is it so effective at getting through cyber defences?

Ransomware is a form of Malware, ultimately it follows a consistent delivery mechanism, although the method of initial infection has been shifting slightly over the last few years. Fundamentally, Phishing emails and exposure of vulnerable services such as RDP are the most common initial attack vectors.


It seems as a collective, businesses are getting better at the detection of Phishing. Technology, such as Anti-Malware is now built into mail clients and employees are generally a lot more aware of what phishing is and what the suspicious emails look like.

However, we are a long way from total protection, and we should not consider staff awareness as a one-off exercise. Phishing patterns change, Covid-19 is the current trend, but no doubt Black Friday will make an appearance this month and then we will see Christmas related emails next. Ultimately though we can reduce the chance of a member of staff clicking a malicious link by making sure they understand the fundamentals. This includes ensuring trends are communicated regularly – Phishing is not going away and it will not sit still, so an awareness campaign cannot either.

Remote Desktop Protocol

The more interesting trend that we are starting to see is Remote Desktop Protocol (RDP) becoming an increasingly popular method of infection. With RDP, as a protocol it is generally a bad idea to expose it to the internet. It does not natively support Multi-Factor authentication or any other conditional access controls for example based on location, device status etc.

To show the scale of this problem, as I write this article according to Shodan there are 4.6 million devices with port 3389 (RDP) exposed to the internet. This is an incredibly oversimplified view, but it shows the scale of the problem. Not directly related in this case but there are also just under 20 million devices with port 22 exposed for SSH, *nix based operating systems are not immune to ransomware and we are starting to see an increase in malicious interest around this area.

The perfect storm

Right now, we are in the perfect storm. Rewind back to the middle of 2019, Microsoft released a fix for a vulnerability known as BlueKeep (CVE 2019-0708). For months, this was followed by other similar issues and as Microsoft dug deeper they found and fixed more holes – creating numerous patches. We all know though that very few businesses have a perfect patching regime, meaning there will be endpoints out there even now (18 months since BlueKeep) that are not patched.

The next circumstance in the perfect storm happened in January 2020; Microsoft stopped support for Windows 7 and Server 2008, an event we all knew was coming but never the less one that in some cases is not a simple case of upgrading. Microsoft are good at going the extra mile and 2020 still saw the release of some critical fixes for the unsupported OS’s but it is a fair assumption that there are plenty of vulnerabilities, including some in RDP ready to be exposed.

And then we have the final circumstance, Covid-19, something that ultimately led to businesses and organisations having to respond quickly. As businesses ultimately tried to solve the problem of remote working as quickly as possible, one solution was simply poking holes in the corporate firewall and exposing machines via RDP or SSH.

What is important now is that like with any incident, we take a step back and look at the actions we took during the initial stages and make sure they are not about to cause a potentially bigger, albeit more localised issue. Remote access can be done securely, exposing RDP is generally not the right way of doing it.

Ransomware in Local Authorities

As a case study, let’s take a look at ransomware attacks in the public sector. For those who follow cyber security, you will likely have seen the Hackney Council breach. The Council have not yet confirmed the cause but there is a strong belief that it is indeed ransomware. If we look back for a second at Local Government, this is not the first time they have been affected by ransomware. Back at the start of this year Redcar and Cleveland Borough Council were impacted, the estimated cost is currently placed at over £10 million and back in 2017, three Councils (Copeland, Salisbury and Islington) were all subjected to a ransomware attack. This begs the question – are Local Authorities being targeted?

The simple fact is that hackers who deploy ransomware are doing it primarily for financial gain. This is usually achieved from the ‘ransom’ and promise of releasing the files back to the owner, although more recently we are also seeing blackmail and extortion come into the mix but that’s a point for another time. Like any business, the hackers look at the revenue they can make and the complexity and therefore cost of undertaking the attack. For Local Authorities, it is unlikely that they are being targeted because they are a local authority but rather because the cost and complexity to infect them is low.

What’s the impact?

We have a huge reliance on technology for everything we do both at home and in business. For example, my home solar panels have a Raspberry Pi connected to them to collect data, my electric vehicle charging point is connected to allow grid balancing in the future. And in businesses, we see HVAC systems connected to the corporate network and have shifted nearly all processes to online services – when did you last get a bill through the post?

What has not changed though is networks, technology has always existed to allow separation, VLANs have been around in some form since the 1980’s. The challenge is finding a balance between security and usability, anyone who has ever managed firewalls on a network with multiple VLAN’s will know what I mean when I say it can be time consuming. However, if we look back at what is currently happening in Hackney, after nearly a month they still do not have basic services back online.

Interestingly they can process parking permits but are unable to take housing repair requests or up until very recently take payments. This really sounds like a case of very little network segregation, which is unfortunately common across the board. The whole concept of Zero Trust is a fundamental step change and one that should be looked at wherever technology constraints allow.

What can be done?

So back to where I started this post, how do you stop ransomware? The answer in my opinion is you cannot, just like the old analogy that no bank vault is ever unbreakable. Any network or piece of IT equipment can be breached, that could be because a user clicks a link in an email which downloads a malicious payload or it could be because a service has been exposed which is either insecure or has not been patched correctly.

However, the approach should be defence in depth, which will move the bar much closer to being 100% secure. This can be achieved by following basic practices, some of which businesses are probably already are doing. We should always employ defence in depth, don’t rely on just an email client stopping a phishing attack, make sure staff are aware and that awareness is maintained. Don’t just assume something has been patched, verify it, the tools exist, and many are low cost or even free.

Finally, I touched upon the point above about how hackers are now employing extortion and blackmail to the data. This is something that has increased because businesses and organisations are getting better at backing up data and keeping it offline. Do not underestimate the importance of this, remember you cannot get to 100% secure, so a back-up plan is crucial.

Getting your data back and systems operational is critical and is where most remediation costs come from. Always keep offline backups and make sure there are multiple – this takes into account that some ransomware will wait before revealing itself.

So, what is appropriate?

As every business is different, determining what is appropriate is crucial to ensuring effective protection plans. As an example, let us look at a theoretical system that costs £1000 a year to protect. Business number one may determine that the cost if that system were down for 1 week is £10000 and is a critical business system (perhaps an ecommerce system), meaning they should likely determine the protection is the best business choice. However, business number two uses this same system but for them the cost for the system being down for a week is negligible and as a result they accept the risk without protection. As we can see, these decisions are both theoretically right for the individual businesses, but would not be appropriate if swapped. We must do what’s right for our situation not just what our peers are doing.

As touched upon previously, ransomware is a problem that you simply cannot solve. Keeping this in mind, the strategy must be to reduce the likelihood of an attack as much as possible. Combining this with ensuring you are prepared for when it happens, such as backups and incident response processes.

Start by establishing what your critical systems and data are and focus on them to review security, which should form part of a business impact analysis. Follow this up with ensuring backups are appropriate and meet the requirements that are often defined in your Business Continuity Plan.

I hope this article has given you an insight into ransomware and the varied routes we can take to protect ourselves from it.

For further information or if you would like to discuss how to best protect your organisation, feel free to contact me at i3Secure. We are here to support, we are a business who wants to do the right thing and we offer complimentary consultations. Please get in touch.

Related Insights

Forces Friendly Insights News

Harnessing the Value of Mentorship: From the RAF to i3Secure

October 26,2023
Insights News

Matt Chapman Joins i3Secure

September 26,2023
Insights News

International Women in Cyber Day: Reflections from COO and Principal Consultant Vici Fox

September 1,2023
Insights News

i3Secure Welcomes Consultant Steen Stewart

July 25,2023
Forces Friendly Insights

From the Military to Cyber Security: Making the Leap

June 16,2023