As telecommuters begin to return to an office setting post-COVID-19, experts are predicting a spike in new ransomware campaigns
When the Coronavirus pandemic took hold of the world, one of the most obvious disruptions was its effect on the workforce. Companies quickly pivoted to a telecommuting model with little time to prepare, and many compromises were made in the interest of business continuity. Unfortunately, this often meant loosening security procedures so that employees could remain productive.
Employees globally were forced to navigate through a plethora of new threats, but now experts are predicting that there may be a surge in further attacks in the coming weeks as these remote workers — and their potentially compromised devices — return to the office.
Ransomware not connecting to C2 servers
Ransomware is generally delivered in multistage attacks that allow hackers to learn more about the infected computer before deciding whether or not to activate the ransomware.
The first stage of the attack is reconnaissance. After the system is compromised, attackers use so-called “first-stage malware” to examine the target and determine its value. The malware uses plugins to evaluate the victim’s information periodically.
If the target has established value, the malware initiates a connection with the attacker’s command and control server. This facilitates the download of ransomware and maintains communication between hackers and the compromised system. Conversely, if the system is deemed to be an unsuitable target, the ransomware is not deployed.
Some experts believe that the latter scenario may explain the unexpectedly flat rate of overall ransomware incidents in recent months. Given that many people have been working from home, a high number of compromised computers may have been categorized as unsuitable targets.
Will ransomware spike when people return to work?
Remote workers may have had their systems compromised while remaining completely unaware that they have been infected with malware. The malware can lie dormant for weeks or even months, waiting for the right opportunity to strike.
That opportunity to strike may be at hand as states are gradually reducing social distancing rules, and employees are beginning to return to the office and connect compromised computers to corporate networks. This may trigger the sequence of events that ultimately leads to ransomware deployment on those corporate networks.
Recommendations for businesses
Organizations of all sizes must ensure devices used by employees at home were not compromised before permitting them to be connected to the company network. Some effective strategies to lessen the probability of a hack are:
- Network segmentation: Perhaps the most effective way to protect internal networks is to create a new subnetwork specifically for computers that were previously used remotely. This limits lateral movement by malware and gives IT teams an easy way to isolate and contain incidents.
- Reimage devices: If employees have been working remotely for an extended period of time, businesses should consider re-imaging work-issued devices to reduce the risk of compromise.
- Device security checkups: Scan computers for policy violations such as missed scheduled scans, new unapproved software installations, and unusual login activities.
- Cybersecurity awareness training: With employees returning to the workplace, updated cybersecurity awareness training can help reduce malware incidents.
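A minimal device check-up of the kind the third recommendation describes, added here as an example (it is not code from the original article); the policy values, hostnames, report fields and sample data are assumptions:

```python
from datetime import datetime, timedelta

# Policy an IT team might apply to a returning device (assumed values).
APPROVED_SOFTWARE = {"vpn-client", "office-suite", "endpoint-agent", "browser"}
MAX_SCAN_AGE = timedelta(days=7)          # scheduled scan must be this recent
WORK_HOURS = range(7, 20)                 # logins outside 07:00-19:59 are flagged
TRUSTED_LOGIN_SOURCES = {"console", "vpn"}

def check_device(report, now):
    """Return a list of policy violations found in one device report.

    report = {"host": str, "last_scan": datetime or None, "installed": [str],
              "logins": [(datetime, user, source)]}   (assumed report format)
    """
    findings = []
    # 1. Missed scheduled scan
    if report["last_scan"] is None or now - report["last_scan"] > MAX_SCAN_AGE:
        findings.append("missed-scan")
    # 2. Software installed without IT approval
    for pkg in report["installed"]:
        if pkg not in APPROVED_SOFTWARE:
            findings.append(f"unapproved-software:{pkg}")
    # 3. Unusual login activity: off-hours or from an untrusted source
    for when, user, source in report["logins"]:
        if when.hour not in WORK_HOURS:
            findings.append(f"off-hours-login:{user}@{when:%Y-%m-%d %H:%M}")
        if source not in TRUSTED_LOGIN_SOURCES:
            findings.append(f"untrusted-login-source:{user}:{source}")
    return findings

def triage(reports, now):
    """Decide per host whether it may join the corporate network or must be quarantined."""
    return {r["host"]: ("quarantine" if check_device(r, now) else "allow") for r in reports}

# Constructed sample reports for two returning laptops.
NOW = datetime(2020, 6, 15, 9, 0)
SAMPLE_REPORTS = [
    {"host": "lt-0101", "last_scan": NOW - timedelta(days=2),
     "installed": ["vpn-client", "office-suite", "endpoint-agent"],
     "logins": [(datetime(2020, 6, 12, 9, 5), "alice", "console")]},
    {"host": "lt-0102", "last_scan": NOW - timedelta(days=30),
     "installed": ["office-suite", "freegame-installer"],
     "logins": [(datetime(2020, 6, 13, 3, 12), "bob", "rdp"),
                (datetime(2020, 6, 14, 10, 0), "bob", "console")]},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_REPORTS, NOW).items():
        print(host, verdict, check_device(next(r for r in SAMPLE_REPORTS if r["host"] == host), NOW))
```

A device that produces any finding is routed to the segmented subnetwork from the first recommendation rather than the main corporate network.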