Spike in ransomware predicted as remote workers return to the office

COVID-19 set the scene for an explosion of ransomware incidents. As companies pivoted to remote working with little time to prepare, certain compromises had to be made in the interest of business continuity; for many businesses, this meant loosening security protocols to help employees remain productive.

But despite the near perfect-storm conditions, the rate of ransomware incidents remained stable. However, it’s unlikely that this trend will continue. While certain sectors have enjoyed a brief respite from ransomware, we believe that we may see a resurgence in attacks in the coming weeks as remote workers — and their potentially compromised devices — return to the office.

ID Ransomware daily submissions in the last six months (from date of publication)

Ransomware not connecting to C2 servers

Most modern ransomware strains are delivered in multistage attacks that allow threat actors to learn more about the infected system before deciding whether or not to deploy ransomware.

The first stage of an attack is mostly reconnaissance. After a system has been compromised, attackers use first-stage malware to survey the infected endpoint and evaluate the value of the target. The malware uses multiple plugins to periodically query installed software, scan networks, and retrieve system information.

If the malware determines the system to be an appropriate target, it establishes a connection (sometimes referred to as a call home) with the attacker’s command and control (C&C) server, which is used to download ransomware and maintain communication between threat actors and the compromised system. On the other hand, if the system is deemed to be an unsuitable target, the call home is not triggered and the ransomware is not deployed.

We believe that the latter scenario may explain the unexpectedly flat rate of ransomware incidents in recent months. Given that so many people are now working from home, a high number of compromised endpoints may have been categorized as unsuitable targets, which would prevent malware from establishing a connection with attackers’ C&C servers and contribute to the apparent lull in ransomware incidents.

Ransomware to spike when people return to work

Because call homes are not being triggered and ransomware is not being deployed, there’s a good chance that many remote workers are currently working from compromised endpoints, completely oblivious to the fact that they’re harboring malware. The malware may lay dormant for weeks or even months (the average dwell time, which is defined as the time between initial compromise and detection, is 56 days, according to FireEye) waiting for the right opportunity to connect to its C&C server.

That opportunity may be just around the corner. With states gradually reducing social distancing rules, we expect to see a spike in ransomware incidents as employees return to the office and connect compromised endpoints to corporate networks. This may trigger the malware’s call home function and trigger a sequence of events that ultimately leads to the deployment of ransomware.

Recommended actions for businesses

Organizations of all sizes must ensure devices used for remote work are not compromised prior to permitting them to be connected to the company network. Below are some effective strategies to mitigate the risks of bringing devices used to work from home, back into the workplace:

• Network segmentation: The most effective way to protect the company network is to create a subnetwork specifically for endpoints that were previously used remotely. Segmentation prevents malware from moving laterally across a network and allows IT teams to easily isolate and control incidents.
• Device security checkup: Make sure that there have been no policy violations such as missed scheduled scans, unapproved software installations, and unusual login patterns.
• Reimage devices: If employees have been working remotely for a significant amount of time, businesses should consider reimaging work-issued devices to eliminate the risk of malware infection.
• Cybersecurity awareness training: As employees return to the workplace, updated cybersecurity awareness training can help reduce malware infections, avoid security policy violations, improve company productivity, and achieve compliance.

Conclusion

While ransomware has remained stable or even declined in some sectors in recent weeks, this trend is unlikely to continue. We anticipate ransomware incidents spiking as remote workers return to the office with compromised devices, but companies have options to mitigate this threat.