Ransomware is a significant cyberthreat to personal data in both SMEs and large companies. We tell you how to protect yourself.
We at the Spanish Data Protection Agency would like to spread awareness on the need for technical and organisational measures in order to avoid personal data breaches. This knowledge promotion is carried out within the accountability principle of the General Data Protection Regulation, especially in the case of individuals and SMEs that often have fewer resources to deal with these questions.
Nevertheless, in spite of applying appropriate security measures, personal data breaches can happen, which is why organisations must have ready the ability to detect and take action, thus minimising or avoiding damage to the rights and freedoms of individuals. With this goal, the AEPD has published the Guide on Personal Data Breach Management and Notification.
One of the measures on which the GDPR’s accountability principle is based is the obligation to notify the supervisory authority of personal data breaches, unless it is unlikely that the breach is a risk to the rights and freedoms of the data subjects, within the next 72 hours of the controller being aware of the incident.
Additionally, when the rights and freedoms of data subjects are at high risk, they must also be notified about the breach. The goal of communication to the data subjects is to allow them to take measures to protect themselves from the consequences of the breach.
The AEPD has made available a form on its Electronic Office to data controllers, for the notification of data breaches.
Of the data breach notifications received by the AEPD in 2018 from 25 May 2018 (date of application of the GDPR), 45% were the result of cyberattacks via hacking techniques, some type of malware or phishing. 71% of the notifications received indicate that personal data confidentiality was compromised and 36% indicate compromised availability. At the same time it is worth pointing out that more than 50% of the data breach notifications indicate an external and intentional context, and around 10% of the notifications indicate that the motive behind the breach was data encryption with some type of ransomware, and occasionally, the attack vector is through remote desktop protocols.
This is why we would like to demonstrate a use case of one of the data breach types that the AEPD has been notified about, which can have a significant impact on the private sector, and to provide recommendations on how to reduce the risk of a similar breach.
Users in SMEs and large companies often need to access a server or other devices on their network via the internet, to run certain applications, perform maintenance or support tasks. Sometimes, they also need to provide access to other organisations that provide a specific service to them.
Microsoft has included the Remote Desktop Protocol (RDP) since Windows NT 4.0. It provides remote access to the computer’s graphical interface and lets companies meet the need described above. It is a commonly used service on servers with Windows operating systems, although it is also used on other operating systems, to avoid having to physically travel to where the device is located.
With the device’s internet address (IP or DNS name) and valid credentials, it is possible to access the graphical interface of any computer that has the service enabled; by default the service listens on TCP port 3389.
A practice that is not recommended, but is commonly used because it is so simple to set up, is enabling port forwarding on the router supplied by the internet provider in order to allow remote access to a certain device in the organisation. Enabling this connection exposes a service that is normally protected only by a username and password.
In a controlled test environment where the above conditions were replicated, it was observed that in less than an hour the exposed service was discovered and hundreds of brute-force login attempts were made against it.
In recent years, ransomware attacks have gained special importance: they encrypt information and then demand money in exchange for the password needed to decrypt it. Although on the decline, they still pose a significant threat that must be considered, especially in the case of SMEs, which are frequently targeted.
This attack is usually carried out by phishing, where an email is sent by someone posing as a legitimate sender and contains, as an attachment, malware that will encrypt the computer’s files.
But other techniques are also currently in use, such as ransomware families like Crysis/Dharma or Matrix whose attack vector is precisely the remote desktop protocol. Using search engines such as SHODAN, attackers locate accessible devices that have weak passwords and default accounts such as “guest” or “backup” that remain enabled. Once they have access to the device, they disable protections such as volume shadow copies or restore points, encrypt all the system’s information, and demand a ransom in exchange for the decryption password.
When a ransomware attack occurs, it is usually thought to be only a breach of availability, until the information is recovered, normally from backup copies when they are available. But what we don’t always realise is that various user accounts, possibly belonging to a domain, have been compromised, that other devices within the organisation have been accessed, and that credentials other than those of the affected server have been obtained. Nor do we know whether the malware was able to send information stored on our systems elsewhere.
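The brute-force burst observed in the test environment, and the compromised account that the attack leaves behind, both show up in the Windows Security log: event 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RDP). The following detection script is an added example, not part of the AEPD text; it runs over a constructed, simplified one-line-per-event sample and flags any source address with a burst of failed RDP logons, noting whether that same source later logged on successfully, which is the signal that a weak or default account was guessed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one Windows Security event per line (not real logs):
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
SAMPLE_EVENTS = """\
2019-03-04T02:10:01 4625 LogonType=10 User=administrator Src=203.0.113.45
2019-03-04T02:10:03 4625 LogonType=10 User=admin Src=203.0.113.45
2019-03-04T02:10:04 4625 LogonType=10 User=guest Src=203.0.113.45
2019-03-04T02:10:06 4625 LogonType=10 User=backup Src=203.0.113.45
2019-03-04T02:10:09 4625 LogonType=10 User=backup Src=203.0.113.45
2019-03-04T02:10:15 4624 LogonType=10 User=backup Src=203.0.113.45
2019-03-04T08:15:00 4625 LogonType=10 User=jgarcia Src=198.51.100.7
2019-03-04T08:15:20 4624 LogonType=10 User=jgarcia Src=198.51.100.7
2019-03-04T09:00:00 4625 LogonType=2 User=mlopez Src=-
"""
EVENT_RE = re.compile(r"^(\S+) (4625|4624) LogonType=(\d+) User=(\S+) Src=(\S+)$")

def parse_events(text):
    """Keep only RDP (LogonType 10) logon events, sorted by time."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group(3) == "10":
            ts, eid, _, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), user, src))
    return sorted(events)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside `window`, and note
    whether that source later logged on successfully (likely account compromise)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [ev for ev in evs if ev[1] == 4625]
        # Sliding window: does any run of `threshold` failures fit inside `window`?
        burst = any(fails[i + threshold - 1][0] - fails[i][0] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        success_after = any(ev[1] == 4624 and ev[0] > fails[0][0] for ev in evs)
        alerts[src] = {"failures": len(fails),
                       "users": sorted({f[2] for f in fails}),
                       "success_after": success_after}
    return alerts
```

A single failed logon from 198.51.100.7 followed by success is a normal typo and is not flagged; the console (LogonType 2) failure is ignored because only exposed RDP logons are of interest here.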
The first preventive measure is not to expose remote desktop services directly to the Internet through port forwarding, as this is an unsafe practice.
It is recommended that at least a service such as Remote Desktop Gateway, or better yet a virtual private network (VPN), be set up for all access from outside the organisation’s network. In this way only one system is exposed, and it must be monitored with greater diligence. We should also not forget basic recommendations such as disabling unnecessary user accounts and weak credentials, keeping systems updated and using two-factor authentication.
As a corrective measure, data backup is the most effective solution.
For more information on preventive measures and how to act when faced with ransomware that has locked down your devices, we at the Spanish Data Protection Agency recommend you consult the guide on Ransomware published by the Spanish National Cybersecurity Institute or INCIBE, the best practices report of CCN-CERT and the recommended security measures against ransomware, also by the CCN-CERT.