Radware, a leader in cyber security and application delivery solutions for physical, cloud and software-defined data centres, has commented on the Toll Group ransomware breach.
Pascal Geenens, Director, Cyber Intelligence for Radware comments: “Nefilim is most likely distributed through exposed Remote Desktop services (Remote Desktop Protocol or RDP).
“We warned organisations in March about the risk of ransomware in relation to remote desktop services. Almost two-thirds of ransomware contains an infection vector based on RDP and that is not counting the manual installation of ransomware through RDP services that have had their credentials leaked and sold on the underground forums.”
Geenens says that RDP is one of the most persistently targeted services when it comes to account takeover attacks: any exposed RDP server will be hit by automated attacks that try to brute force passwords or use credential stuffing to get inside the network.
Enterprise servers are highly sought-after resources for malicious actors, who can abuse them for spam distribution; lateral movement and exfiltration of sensitive information followed by extortion; command and control of botnets; as a launch point for attacking other organisations; cryptocurrency mining; and finally deploying ransomware, sometimes only after the previous scenarios have been exhausted, as a last resort to monetise the successful breach.
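As an added illustration of the RDP account-takeover pattern Geenens describes (editorial example code, not Radware's, SentinelLabs' or Toll Group's tooling), the following Python groups failed Windows logon events (Event ID 4625 with logon type 10, i.e. RDP) per source address to separate brute forcing of a single account from credential stuffing across many accounts; the log lines, thresholds and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), simplified to:
# "<ISO timestamp> <event id> <logon type> <account> <source IP>"
SAMPLE_EVENTS = """\
2020-05-04T10:00:01 4625 10 administrator 198.51.100.7
2020-05-04T10:00:03 4625 10 administrator 198.51.100.7
2020-05-04T10:00:05 4625 10 administrator 198.51.100.7
2020-05-04T10:00:08 4625 10 administrator 198.51.100.7
2020-05-04T10:02:00 4625 10 jsmith 203.0.113.9
2020-05-04T10:02:01 4625 10 mjones 203.0.113.9
2020-05-04T10:02:02 4625 10 admin 203.0.113.9
2020-05-04T10:02:03 4625 10 backup 203.0.113.9
2020-05-04T10:09:00 4625 10 alice 192.0.2.5
2020-05-04T10:09:30 4625 10 alice 192.0.2.5
2020-05-04T10:10:00 4625 3 alice 198.51.100.7
"""

def parse_events(text):
    """Return (timestamp, logon_type, account, ip) tuples for 4625 events."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, ip = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), int(logon_type), account, ip))
    return events

def _burst(times, window, threshold):
    """True if some span no longer than `window` holds >= `threshold` events."""
    times, start = sorted(times), 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def detect_rdp_attacks(events, window=timedelta(minutes=5), threshold=4):
    """brute_force: one IP hammering one account; credential_stuffing: one IP trying many accounts."""
    per_pair, first_seen = defaultdict(list), defaultdict(dict)
    for ts, logon_type, account, ip in events:
        if logon_type != 10:  # keep only RemoteInteractive (RDP) failures
            continue
        per_pair[(ip, account)].append(ts)
        first_seen[ip].setdefault(account, ts)  # first failure per account
    brute = {p for p, ts in per_pair.items() if _burst(ts, window, threshold)}
    stuffing = {ip for ip, acc in first_seen.items() if _burst(acc.values(), window, threshold)}
    return {"brute_force": brute, "credential_stuffing": stuffing}
```

The low threshold of four failures suits the small constructed sample; on production logs it would be tuned against the normal failure rate and fed by the real event fields rather than this simplified line format.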
Most ransomware operators are known to exfiltrate and leak the contents of the encrypted data if a victim refuses to pay the ransom. Nefilim uses this tactic too, according to the researchers who discovered the ransomware (Vitali Kremez, head of SentinelLabs, and ID Ransomware’s Michael Gillespie).