Russian Hackers Move From Skimmers to Ransomware by Exploiting Vulnerable RDP Ports
FIN6, a Russian cybercrime group that has historically focused on attacking point-of-sale (POS) devices to steal credit card data, is now expanding their portfolio into ransomware distribution.
Over the last three years, the hacking group has targeted the hospitality and retail industries, successfully collecting millions of data sets from credit and debit cards. It is estimated FIN6 has been paid approximately $400 million for the data they have exfiltrated from POS systems. So, why make the leap to ransomware distribution? It’s even more lucrative.
Recently, FIN6 has been found targeting businesses with two different ransomware variants, LockerGoga and Ryuk. Both of these ransomware variants are considered to be newer threats. LockerGoga is the ransomware variant that infected the Norwegian aluminum company, Norsk Hydro, just last month.
Ryuk, although not as new, has proven to evade most security solutions, making it appealing to many cyber criminals. Ryuk does not infect via executable file; alternatively, it runs through PowerShell. It is because of this fileless attack method, that Ryuk is able to bypass most security programs. Ryuk has also been in the news lately for infecting Chicago-based Tribune Publishing, which in turn impacted newspaper distributions nationwide.
It is believed since making to switch to ransomware distribution in 2018, FIN6 has been paid millions in ransom demands. Now to the ground breaking question – how are they doing it? The hacking group has been seen using stolen credentials to access the network through the endpoint’s Remote Desktop Protocol (RDP) ports. Once they gain access to the network through the RDP port, the hackers abilities become unlimited. Attackers can drop a backdoor to allow for additional malware to be installed, execute ransomware, disable the antivirus protection, steal intellectual property, and more.
Prevention
In order to protect against RDP attacks, users can do two things. Disable the RDP port, if they are not using it. Or, if it must remain open for access, users should deploy a security solution that actively thwarts these types of attacks.
PC Matic Pro has made the following product enhancements to block these types of attacks:
- RDP Manager within the portal. This enables the IT professional to monitor and manage all RDP ports within the network, and disable any that are not being utilized.
- Early Launch Anti-Malware project, which is a joint effort between PC Matic and Microsoft.
- Enabling Windows lockout thresholds by limiting the number of login attempts.
- Restriction of the uninstallation process, which is a control put into place that will not allow the hacker to uninstall PC Matic Pro on the endpoint.
