Remote work ransomware protection guide for businesses

COVID-19 prompted an unprecedented surge in remote working – and it’s likely to have a lasting impact on future working patterns.

While rapidly implemented remote working arrangements may have initially been viewed as a short-term fix for maintaining business continuity, many predict that remote working will remain a permanent fixture in the post-pandemic world.

From a security perspective, working from home introduces a plethora of serious risks. Corporate data is being accessed from vulnerable personal devices, IT teams are unable to rigidly enforce normal security protocols and enterprise-specific security solutions are floundering in the foreign home user environment.

In this guide, we’re going to explore the security risks involved with working from home and discuss what businesses need to do to protect both remote workers and corporate networks from ransomware.

Security challenges of remote working

Remote work amplifies existing security flaws and introduces new threats, making companies uniquely vulnerable to cyberattacks. Below are some of the biggest security challenges associated with remote work:

Insecure home devices being used to access corporate resources

COVID-19 forced a rapid (and in many cases, imperfect) transition to remote working. Compromises had to be made in the interest of business continuity and there simply wasn’t time for companies to ensure their employees’ home networks were completely secure and free of existing infections. In some parts of the world, a shortage of IT equipment meant that organizations could not provide staff with company-issued hardware.

With many remote workers using insecure personal devices to access corporate networks and sensitive data, attack surfaces have expanded dramatically. Every device connected to the home network – including other computers, smartphones, laptops, printers, smart home devices, etc. – is a potential new access point for attackers, while pre-existing infections on home devices may expose business networks to malware. In March 2020, 45 percent of U.S. companies observed at least one malware infection on their remote office networks, while just 13.3% observed an infection on their in-office corporate networks, according to figures from BitSight.

Weakened security controls

In a normal enterprise environment, IT teams can impose strict security policies on company-owned devices via EDR systems, restrictive group policies, whitelist solutions and so on. With remote working, maintaining the same level of control is difficult – if not impossible – because so many remote workers use their personal devices for work purposes.

Ethically, it’s tough for businesses to dictate what software employees can and can’t use on their home devices. From a technical perspective, the sheer diversity of the remote working environment makes it extremely challenging for companies to reliably secure the myriad of devices, operating systems and applications on every employee’s home network.

Diversity of the home-user software ecosystem

The corporate network is a carefully controlled environment where only approved software is installed by authorized users. Modern EDR and nextgen security products – which are often heavily reliant on machine learning – excel in this sanitized environment because applications can be easily grouped and recognized. An application should be either business software or operating system software – and if it’s neither, it’s likely malicious.

The home network is comparatively chaotic, a melting pot of working, gaming and entertainment applications downloaded from unvetted sources across the web. For enterprise security products, whose machine learning models have been trained with very black-and-white data sets, this is foreign ground. Relearning what constitutes a threat in this diverse environment takes time, and it’s not uncommon for products tailored to the enterprise market to trigger a flood of false positives and incompatibilities when exposed to the home-user software ecosystem.

Most common ransomware attack vectors for remote workers

Threat actors use a variety of methods to compromise remote workers and infect the companies they work for with ransomware. Below are the three most common attack vectors:

• Malicious spam: Attackers distribute emails containing a malicious attachment or URL, which leads to the download of malware (often a bot such as Emotet, Trickbot or Dridex). Attackers issue commands to these bots to gather information about the compromised system and the network it is connected to, before deploying additional malware tailored to the target environment. Threat actors have taken advantage of the public’s interest in the pandemic to create COVID-19-themed malicious spam campaigns that prey on people’s fear and curiosity. In April, about 60,000 COVID-19-related phishing messages were distributed daily, according to Microsoft, with attackers often impersonating trusted sources such as the World Health Organization or the Centers for Disease Control and Prevention.
• Remote access: Attackers take advantage of poorly secured remote access tools to gain access to corporate networks. Remote desktop protocol (RDP) is the most common remote access attack vector, but it’s important to remember that any remote access tool, as well as any software that connects with a company’s local active directory, can serve as an entry point if not properly secured. A number of remote access utilities have been compromised in the past, including TeamViewer, Kaseya and Citrix.
• Spear phishing: Spear phishing is a sophisticated and targeted form of phishing. Threat actors closely study the target organization in order to learn more about the people who work there and their communication habits, and use this information to send targeted phishing emails that appear to have been sent from a trusted source. The emails contain a malicious attachment or URL, which triggers the download of malware. Phishing is particularly problematic in the current work climate because employees may not yet be familiar with the interfaces and login screens of newly introduced remote working tools, and thus may find it difficult to distinguish phishing scams from legitimate websites.

How to secure remote endpoints and protect company networks

A change in the way we work requires a change in the way businesses approach security. The following best practices can help organizations secure new remote access points and protect company data.

• Train employees: Whether in the office or at home, employees across every level of an organization should receive regular cybersecurity training. Staff should have a fundamental understanding of current social engineering strategies and be familiar with reporting and response procedures in the event of an incident.
• Secure RDP: Remote desktop protocol and other forms of remote access should be disabled if possible. If RDP is necessary for the organization to function, it must be properly secured by using a VPN or RDP gateway, MFA and strong passwords, and limiting RDP access to specific users and IP ranges. See this blog post for more information on how to secure RDP from ransomware.
• Use MFA: Compromised user credentials is one of the leading causes of ransomware. This risk can be mitigated by enabling multi-factor authentication wherever possible, with special attention being given to collaborative services and remote access to company networks. Security software settings should also be secured with MFA, which can be easily enabled in cloud-based antivirus management platforms such as the Emsisoft Management Console.
• Maintain VPN appliances: The sudden shift to remote working resulted in a surge in demand for commercial VPNs. While VPN appliances play a key role in securing work-related data, they also act as a possible point of entry for attackers and should be monitored and regularly updated to ensure known security vulnerabilities are fixed as quickly as possible.
• Deploy reliable antivirus software: Organizations must have a robust antivirus solution in place to detect and stop the initial malware that is used for reconnaissance and propagation in the early stages of the attack chain. As noted, enterprise-specific security solutions may struggle when faced with the diversity of the home user environment, so organizations should consider antivirus vendors who have experience, and an established product, in the consumer market. Active infections may already be present on employees’ home devices, which makes classic detection and remediation as part of the onboarding process crucial for network security.
• Filter spam: A robust spam filter can stop the majority of malicious spam and reduce the risk of malware infection via malicious URLs and attachments. Filters can be configured to prevent the delivery of certain attachment types (e.g. macro-containing documents).
• Remove PowerShell: A powerful administrative tool, PowerShell is frequently used by threat actors in the early stages of an attack. Organizations should consider removing PowerShell from remote endpoints unless it is necessary. If PowerShell can’t be removed, it must be adequately secured (e.g. by limiting its use to only users who genuinely need it and only allowing digitally signed scripts to be executed).
• Confirm requests: Regular workflows have been disrupted and changed during the transition to remote working, which can increase the risk of fraud. Employees should be mindful of fraudulent activity and encouraged to seek confirmation of all unusual requests and instructions, including those from clients, colleagues, suppliers and superiors. Confirmation should be sought via a secondary communication channel in case the sender’s account has been compromised.
• Make backups: In the remote working environment, a reliable backup strategy remains a critical component of mitigating ransomware. Security concerns and bandwidth limitations may deter organizations from sending backups to their local NAS over VPN, while implementing local backups for every remote worker would be logistically challenging. With these factors in mind, a cloud-based backup system is probably the most practical option for most organizations. See this guide for more information on making ransomware-proof backups.

COVID-19 may have permanently changed the way the world works. The global transition to remote working has been critical for maintaining business continuity while respecting social distancing guidelines, but with this paradigm shift comes unique opportunities for cybercriminals looking to capitalize on the chaos.

Businesses of all sizes must be mindful of the security challenges involved with remote working and take steps to secure their remote endpoints, networks and corporate assets. Implementing the security practices described in this article can significantly reduce the risk of compromise and help companies avoid becoming the next ransomware victim.