An Accelerating Threat: Remote Ransomware

In a typical ransomware attack, an adversary attempts to deploy ransomware directly on the machines they wish to encrypt. However, ransomware groups are increasingly adopting a newer tactic to ensure the success of their campaigns: remote encryption.

As the name suggests, remote encryption (or remote ransomware) occurs when compromised endpoints are used to encrypt data on other devices on the same network. The initial target is often an unmanaged device – i.e., one that has access to the organization’s network but does not have enterprise-grade endpoint protection. The rise in work-from-anywhere arrangements over the past several years has contributed to the popularity of remote ransomware since there are more unmanaged devices connecting to corporate networks.

In a remote ransomware attack, a compromised machine is used to encrypt data on other devices on the network.

Common Attack Tactic That Is Difficult To Defend Against

Since the encryption and other malicious activity occur on already-compromised machines, these attacks are able to bypass security stacks. In essence, because a system process performs the encryption, process-based remediation measures are rendered ineffective. Another reason cybercriminals are increasingly launching remote ransomware is the scalability of these attacks. Even if most devices are protected with endpoint security tools, it only takes one vulnerable endpoint to put the whole network in danger.

According to Microsoft’s 2023 Digital Defense Report, around 60% of human-operated ransomware attacks over the past year involved remote encryption, which attackers use in an effort to minimize their footprint. Additionally, over 80% of all compromises Microsoft observed originated from unmanaged devices, including bring-your-own devices. And when cybercriminals exploit vulnerabilities in uncommon software, it is even more challenging to defend against these attacks.

What Can Be Done?

Of course, organizations should review their endpoint security and policies around unmanaged devices to ensure that endpoints are sufficiently protected. The more devices that are unprotected or underprotected, the greater the risk of remote ransomware. That said, no approach will be 100% effective, and it only takes one compromised device for such an attack to be successful.

More importantly, organizations must be able to quickly detect and recover from ransomware attacks, including remote ransomware. Since backup systems capture data (content and metadata) across critical workloads – and crucially, across time – analysis of backup data can be used to identify and remediate risks.
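A minimal sketch of that idea, added here as an illustration and not Rubrik's algorithm or code: it compares per-file entropy recorded in two consecutive snapshots and reports the files and directories that look newly encrypted, which works no matter which machine performed the encryption. The thresholds, function names and both sample snapshots are constructed assumptions.

```python
import math, random
from collections import Counter
from pathlib import PurePosixPath

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted content approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def manifest(files):
    """Snapshot metadata a backup could keep: path -> content entropy."""
    return {path: entropy(blob) for path, blob in files.items()}

def parent(path):
    return str(PurePosixPath(path).parent)

def diff_snapshots(prev, curr, high=7.5, jump=2.0):
    """Report paths that look newly encrypted between two manifests.
    Requiring a jump avoids flagging archives or media that were
    already high-entropy in the earlier snapshot.
    """
    lost_dirs = {parent(p) for p in prev if p not in curr}
    suspicious = []
    for path, e in curr.items():
        if e < high:
            continue
        if path in prev and e - prev[path] >= jump:
            suspicious.append(path)            # overwritten in place
        elif path not in prev and parent(path) in lost_dirs:
            suspicious.append(path)            # original removed, ciphertext added
    return {
        "suspicious": sorted(suspicious),
        "blast_radius": sorted({parent(p) for p in suspicious}),
        "ratio": len(suspicious) / max(len(curr), 1),
    }

# Constructed sample data: two snapshots of the same share, one day apart.
rng = random.Random(0)
def fake_ciphertext(n=4096):
    return bytes(rng.getrandbits(8) for _ in range(n))

TEXT = b"Quarterly report: revenue, costs and forecast by region.\n" * 80
SNAP_MON = {"/finance/q1.txt": TEXT, "/finance/q2.txt": TEXT,
            "/hr/staff.txt": TEXT, "/eng/notes.txt": TEXT}
SNAP_TUE = {"/finance/q1.txt": fake_ciphertext(), "/finance/q2.txt.locked": fake_ciphertext(),
            "/hr/staff.txt": TEXT, "/eng/notes.txt": TEXT + b"minor edit\n"}

if __name__ == "__main__":
    print(diff_snapshots(manifest(SNAP_MON), manifest(SNAP_TUE)))
```

The `blast_radius` list is what scopes recovery: only the directories it names need to be restored from the earlier snapshot.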

Because Rubrik manages a time-series history of your data across on-premises, SaaS, and cloud environments, customers are well-positioned to detect anomalous activity and restore to a clean recovery point with minimal delay. 

Rubrik Anomaly Detection analyzes backup snapshots over time, using machine learning to detect and alert on suspicious activity – such as encryption – regardless of whether the encryption is done remotely or locally. If there are unusual changes to your data, Rubrik will flag them so that you can promptly investigate. This anomaly detection helps identify the blast radius of a cyberattack so that only the affected data needs to be recovered, for faster restoration of business operations. In addition, Rubrik customers can understand whether sensitive data may have been impacted by a cyberattack with Sensitive Data Monitoring, which automatically discovers what types of sensitive data you have and where it lives. And finally, recovery workflows are built into Rubrik’s Data Threat Analytics services so that you can recover to a clean state with just a few clicks.

Relying on prevention alone to defend against cybercrime is not enough. As adversaries continue to find new ways to target your data, it’s important to adopt an approach focused on cyber resilience. For more information, view the webinar How to Use Data Threat Analytics to Fight Ransomware.