I have a funny story about ransomware. You see, a long time ago (well, not that long in real time, but very long ago in ransomware time) I had a lab in the public cloud that got hit by ransomware. My best guess? Remote Desktop Protocol (RDP), also known as Ransomware Deployment Protocol. There’s a new ransomware in town called Venus Ransomware that is using this method of compromise, and, shocker, it still works.
All About Venus Ransomware
According to Bleeping Computer, Venus has been around since August 2022, so it is relatively new. It seems that Venus gets into environments via RDP, even when organizations are using a non-standard port number (did you really think that was going to help?). It encrypts files and appends the .venus extension, so it is nice and easy to tell who has gotten in and caused the damage.
There isn’t much other news out there, beyond the fact that more and more organizations are being hit. So why is this worth talking about if it is so new and there is so little information?
The Risk of RDP
I’ll drop a link here from a blog from McAfee from 2020, talking about how threat actors are actively exploiting RDP. It isn’t a new concept, though: RDP is one of the most widely used remote access protocols around, and it is among the most abused precisely because of that.
Let’s face it, it’s just easier to expose RDP to the Internet to get access to our environments, no matter where you are – on-prem or in the cloud. Honestly, it is probably worse in the cloud when we talk about mismanagement of RDP, because a public IP and a security group rule that allows 3389 from anywhere are only a few clicks away.
So why do people do it? Like I said, it is easy, which brings us back to the human element of cybersecurity. What’s worse, a user clicking on a link, or an administrator opening up RDP to the Internet? Honestly, they are both simple ways for threat actors to get in – and they both have the human element at play.
No amount of cybersecurity education is going to change the way humans operate. They do things because they are easier. Sometimes it’s easier just to click the link because it looks so legitimate, just as it is easier to open up RDP to the Internet. The only difference in the RDP scenario is that the people causing the problem are the ones who are going to have to clean it up. How’s that for ironic?
Securing RDP
One of the reasons we saw a rise in this type of attack in 2020 is pretty obvious. Suddenly people needed remote access to systems they had always used from the office, so they set it up the fastest way possible. It is worth reading Microsoft’s security guidance on RDP. Let’s take a look at a couple of key considerations.
- Direct access over the Internet. This is the root of the problem, and it is why we are seeing Venus. RDP belongs behind a VPN, an RD Gateway or a bastion host, never on a public IP, and a non-standard port is not a substitute for any of those.
- Vulnerabilities in exposed systems. Patching has historically been a problem for most organizations, and will continue to be until the end of time, let’s face it.
These two are huge, so let’s stop there. If we are exposing systems to the Internet that are also unpatched, we have a bigger problem than just an exposed system or just a vulnerable system: the two compound each other, because the exposure hands an attacker a direct path to whatever is unpatched.
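Since this post keeps coming back to “a non-standard port won’t save you”, here is an added example of why (this is my code, not anything from the original post, Bleeping Computer or Microsoft). A scanner identifies RDP by the X.224 negotiation it speaks, not by the port number, and the same handshake tells you whether Network Level Authentication (NLA) is on. The message layouts follow the public MS-RDPBCGR spec; the server replies below are constructed from those layouts rather than captured from any real host, `probe_rdp` is only there to show how the parser would be used against a live target, and the rating text in `rate_exposure` is my own wording.

```python
import socket
import struct

# RDP negotiation constants from MS-RDPBCGR (X.224 connection phase).
X224_CONNECTION_CONFIRM = 0xD0
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_HYBRID = 0x00000002          # CredSSP, i.e. Network Level Authentication
HYBRID_REQUIRED_BY_SERVER = 5
PROTOCOL_NAMES = {
    0x0: "RDP standard security (no NLA)",
    0x1: "TLS",
    0x2: "CredSSP/NLA",
    0x8: "RDSTLS",
}
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_connect_request(requested_protocols: int = 0x3) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Offering TLS|CredSSP (0x3) makes the server say which one it will accept.
    """
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # LI covers the 6 X.224 header bytes after LI plus the 8-byte RDP_NEG_REQ.
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 0x03, 0x00, 4 + len(x224))
    return tpkt + x224


def parse_x224_confirm(data: bytes):
    """Classify a server reply. Returns None if it is not an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 0x03:
        return None                                   # not a TPKT header
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data) or data[5] != X224_CONNECTION_CONFIRM:
        return None                                   # truncated, or not RDP
    result = {"rdp": True, "protocol": None, "nla": False, "failure": None}
    if tpkt_len < 19:
        # No RDP_NEG_RSP at all: a pre-negotiation server, standard RDP security only.
        result["protocol"] = PROTOCOL_NAMES[0]
        return result
    neg_type, _flags, _length, code = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_RSP:
        result["protocol"] = PROTOCOL_NAMES.get(code, f"unknown(0x{code:x})")
        result["nla"] = code == PROTOCOL_HYBRID
    elif neg_type == TYPE_RDP_NEG_FAILURE:
        # Still an RDP listener; failure code 5 means the server insists on NLA.
        result["failure"] = FAILURE_NAMES.get(code, f"unknown({code})")
        result["nla"] = code == HYBRID_REQUIRED_BY_SERVER
    return result


def rate_exposure(finding, internet_facing: bool) -> str:
    """Turn a probe result into a triage priority for an exposed-RDP inventory."""
    if finding is None:
        return "not RDP"
    if not internet_facing:
        return "internal RDP: restrict to the management network"
    if finding["nla"]:
        return "HIGH: Internet-facing RDP (NLA on), still move it behind a VPN or gateway"
    return "CRITICAL: Internet-facing RDP without NLA"


def probe_rdp(host: str, port: int, timeout: float = 3.0):
    """Send the connect request to host:port and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connect_request())
        return parse_x224_confirm(sock.recv(64))


# Constructed replies (built from the spec layouts, not captured from any real host).
SAMPLE_REPLIES = {
    "nla":          bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 02 00 00 00"),
    "nla-required": bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00"),
    "tls-only":     bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00"),
    "legacy":       bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00"),
    "http":         b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    # Pretend every sample came back from a listener on a public IP, on whatever port.
    for name, reply in SAMPLE_REPLIES.items():
        finding = parse_x224_confirm(reply)
        print(f"{name:13} {rate_exposure(finding, internet_facing=True)}  {finding}")
```

The point of the `legacy` and `tls-only` cases is that “RDP is listening” and “RDP is safe-ish” are different questions: a server that never sends an RDP_NEG_RSP, or that only negotiates TLS, puts its logon screen on the Internet for anyone to brute-force, while an NLA server at least demands credentials before the session starts. Either way the fix is the same one the list above gives: take it off the public IP.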
When it comes to a ransomware defense strategy, there is no single answer and no silver bullet. The best thing we can do is understand the risks in our environment so that we can begin to mitigate them. Unfortunately, this is often easier said than done, and ransomware groups like Venus are here to remind us of that.