Ryuk Hack Highlights the Need for Better Secure Remote Access

Recently, a research institute lost a week’s worth of valuable research data on COVID-19 due to a security incident. One of the main enablers of the attack was poor remote access security. This incident may have been averted if a solution like the cloud-based remote access VPN built into secure access service edge (SASE) had been in place instead.
Student Causes Loss of Week of Biomolecular Research Data
A biomolecular research institute in the EU performing research on COVID-19 lost a week’s worth of research data. The reason for the loss was a Ryuk ransomware attack made possible by a student at the institute.
The student used a licensed piece of modeling software for their work at the institute and was looking for a copy to use at home. Due to the cost of the software, the option of purchasing a license was discarded in favor of downloading a free, cracked version of the software.
This cracked version turned out to actually be malware. In order for the student to download and install the software on their machine, they needed to disable Windows Defender and the firewall. The malicious software was an infostealer, including a keylogger, cookie stealer, and other data collection functionality. While monitoring the student’s personal device, the malware was able to learn their access credentials for the biomolecular research institute.
These credentials allowed an attacker to log into the institute’s network using the Remote Desktop Protocol (RDP) under the student’s account. With this access, the attacker was able to plant and run the Ryuk ransomware, which encrypted files on the institute’s systems and resulted in the loss of a week of research data (the age of the latest backup).
What Went Wrong?
The obvious problem here was that a student installed and executed malware on their own computer despite numerous signs that something wasn’t right (such as Windows Defender and the firewall attempting to block the file in question). However, this on its own would not be enough to result in the Ryuk ransomware attack against the research institute.
The successful Ryuk ransomware attack was possible due to a number of security errors and oversights made by the research institute. These include:
- Lack of MFA: The attackers were able to gain access to the research institute’s systems by using RDP with the student’s credentials. This was only possible because the institute had not enabled multi-factor authentication (MFA), which would have required access to the one-time code as well as the credentials.
- Exposed RDP: The attackers were able to connect to RDP directly using the student’s credentials. RDP should be protected by a secure remote access solution – such as a VPN – to limit unauthorized access. While this did not contribute to the attack (since the attackers had the student’s credentials), it potentially exposed the institute to credential stuffing and similar attacks.
- No Traffic Inspection: The attackers were able to install and execute the Ryuk ransomware on the research institute’s network. In-depth inspection of network traffic entering and leaving the corporate network may have been able to detect and block the transfer of malware.
- Permissive Access Control: The result of the attack is that the organization lost a week of research data, indicating that the student had far-reaching access on the research institute’s network. If zero trust access controls were in place, the potential scope and impact of the incident could have been limited.
- Lack of Behavioral Analytics: The attackers used an RDP connection from somewhere other than the student’s usual location, and that session loaded a Russian-language printer driver. Either of these anomalies should have triggered an alert if behavioral analytics were in place, which could have allowed the institute to detect and stop the attack.
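To make the behavioral-analytics point concrete, here is an added example (not code from the article or from any vendor) that runs a simple baseline check over constructed logon and printer-driver events of the kind described above. The user name, networks, addresses and locales are all made-up sample values; the event shape only loosely mirrors Windows logon telemetry, where logon type 10 denotes an RDP (RemoteInteractive) session.

```python
"""Toy behavioral check for RDP sessions: flag logons from networks a user has
never used and printer drivers in a locale the estate does not deploy.
All baseline data and events here are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each user normally connects from, and the
# locales expected on institute workstations. Not real institute data.
BASELINE_NETWORKS = {"student01": ["10.20.0.0/16", "203.0.113.0/24"]}
EXPECTED_LOCALES = {"en-US", "de-DE"}

# Constructed events. logon_type 10 = RemoteInteractive (RDP) in Windows 4624 events.
SAMPLE_EVENTS = [
    {"event": "logon", "user": "student01", "src": "10.20.4.7", "logon_type": 10},
    {"event": "logon", "user": "student01", "src": "198.51.100.23", "logon_type": 10},
    {"event": "printer_driver", "user": "student01", "locale": "ru-RU"},
    {"event": "logon", "user": "student01", "src": "10.20.4.7", "logon_type": 2},
]


def _known_network(user, src, baseline):
    """True if src falls inside one of the user's baselined networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(net) for net in baseline.get(user, []))


def analyze(events, baseline=BASELINE_NETWORKS, locales=EXPECTED_LOCALES):
    """Return (user, reason) alerts for behaviour outside the baseline.
    Only RDP logons (type 10) are checked; local console logons are ignored."""
    alerts = []
    for ev in events:
        if ev["event"] == "logon" and ev.get("logon_type") == 10:
            if not _known_network(ev["user"], ev["src"], baseline):
                alerts.append((ev["user"], f"RDP logon from unfamiliar source {ev['src']}"))
        elif ev["event"] == "printer_driver" and ev["locale"] not in locales:
            alerts.append((ev["user"], f"unexpected printer driver locale {ev['locale']}"))
    return alerts


def escalate(alerts):
    """Users with two or more distinct anomalies: candidates for session termination
    and an immediate credential reset rather than a low-priority ticket."""
    reasons = defaultdict(set)
    for user, reason in alerts:
        reasons[user].add(reason)
    return {user for user, rs in reasons.items() if len(rs) >= 2}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    print(found, escalate(found))
```

In the sample, the unfamiliar source address and the unexpected driver locale each raise an alert on their own, and together they escalate the user for immediate response.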
The student’s attempt to get a free copy of the visualization software was a crucial first step in the process that led to a Ryuk ransomware attack on the research institute. However, a number of other security mistakes contributed to the success of the attack.
A Better Approach to Secure Remote Access
The research institute had a poor security posture that made the attack possible. However, even standard approaches to “secure” remote access would include many of the same security mistakes. For example, VPNs have the same lack of traffic inspection, access control policies, and behavioral analytics as the exposed RDP used by the research institute.
A better approach for achieving secure remote access is to use the zero-trust network access (ZTNA) – also called software-defined perimeter (SDP) – included in SASE solutions. With ZTNA/SDP and SASE, all traffic from remote users undergoes a full security inspection and is only granted access if it is in accordance with zero-trust security policies. This combination of in-depth security inspection and limited access might have identified and blocked the attacker’s attempted access to the research institute’s systems or at least limited where they could have deployed the Ryuk ransomware.