Healthcare cybersecurity expert, True North ITG Co-Founder and CEO Matt Murren unpacks a common security threat his clients face: a ransomware attack via Remote Desktop Protocol. In this post, he shares a real-world example of a ransomware attack through Remote Desktop Protocol and how your organization can prevent a similar attack.
What is a ransomware attack?
The U.S. Cybersecurity and Infrastructure Security Agency describes ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” In an attack, malicious actors will then “demand ransom in exchange for decryption.”
Ransomware attacks can wreak havoc in any organization, but healthcare organizations are particularly vulnerable as they depend on technology and systems to care for human lives.
THE ATTACK: What is an example of a ransomware attack via Remote Desktop Protocol?
Malware and ransomware attacks are not as easy to spot as they once were. Today’s attackers are more sophisticated, executing their plans slowly and tactically. Recently, we encountered a client case where attackers breached the internal network over nearly five weeks with no known impact.
The attackers methodically planted bits of software across all seven locations of the affected organization using the following vectors:
Remote Desktop Protocol: Accessed through a password provided via email
Infected files: Sent to internal users to gain access to various pieces of the network
Network controls: Infiltrated to allow traffic to traverse between networks
Lack of patching: Took advantage of security risks in the Remote Desktop Protocol software
Once the attackers thoroughly and strategically set the malware foundation in place, they disabled all systems. The server software was breached, workstations were erroring out, and all sites of care were shut down.
Predictably, a ransom request came through a few hours later demanding $4.2 million in exchange for returning the organization’s functionality.