Why BYOD Is the Favored Ransomware Backdoor



Chad Kime
When remote workers connect bring-your-own-device (BYOD) laptops, desktops, tablets, and phones to corporate assets, risk dramatically increases. These devices exist outside of direct corporate management and provide a ransomware gang with unchecked platforms for encrypting data.
Ransomware is only one of many threats, and as security teams close off key attack vectors, adversaries will shift tactics. Forcing that shift, however, first requires eliminating the easy access that ransomware gangs currently enjoy.
Microsoft’s fourth annual Digital Defense Report for 2023 reveals that 80% of all ransomware compromises come from unmanaged devices and that 60% of those attacks use remote encryption. Naturally, this leads to three important questions: What are unmanaged devices? How does remote encryption work? Which unmanaged devices do attackers use?
Unmanaged devices consist of any device that connects to the network, cloud resources, or other assets without corporate-controlled security. Greg Fitzgerald, co-founder of Sevco Security, disclosed to eSecurity Planet that the company's recent State of the Cybersecurity Attack Surface research found “11% of all IT assets are missing endpoint protection.”
Part of this 11% is the common and recurring problem of overlooked legacy endpoints such as laptops, desktops, and mobile devices. The category also includes routers, switches, and Internet of Things (IoT) devices that cannot run traditional endpoint protection such as antivirus (AV) or endpoint detection and response (EDR) solutions.
BYOD devices deliver another significant source of unmanaged devices unique to our post-pandemic working environment as many remote workers connect to corporate resources using their own devices. According to the National Bureau of Economic Research, 42.8% of American employees work from home part- or full-time, which places an enormous burden on security teams to secure access across a variety of controlled and uncontrolled assets.
In remote encryption, the ransomware runs on a device that sits outside the reach of the security solutions monitoring for malicious activity and encrypts files held on other, networked systems. Installed antivirus, EDR, extended detection and response (XDR), intrusion prevention systems (IPS), and next-generation firewalls (NGFW) monitor endpoints and networks for signs of malicious activity – especially ransomware.
As endpoint security improved, attackers realized that these security solutions only work under one of two conditions: either the ransomware protection is installed on the endpoint, or the indicators of compromise for ransomware flow through a monitoring solution (NGFW, IPS, etc.).
Unmanaged endpoints lack installed protections, and the ransomware's pattern of file exfiltration and replacement (reading each file and writing back an encrypted copy) mimics normal data-access traffic between the unmanaged endpoint and the network data resource. The Sophos X-Ops team highlighted the issue in a recent blog post, which details how remote encryption evades multiple layers of network security.
Attackers probably favor BYOD devices, and the research indirectly supports this. Ransomware attackers seek access to devices with sufficient local memory to perform resource-intensive encryption.
The US Cybersecurity and Infrastructure Security Agency (CISA) estimated that 90% of all successful attacks begin with phishing, which points to users' devices rather than routers, IoT, and other types of unmanaged endpoints. While attackers often move laterally, network devices and IoT also lack the available memory to serve as common platforms for high-volume encryption.
The best practice for security software installation starts with the primary user devices. Users typically don’t use old and slow legacy devices to check email and those devices typically lack the computing power that attackers need to perform remote encryption. Therefore, BYOD remains the most likely source for remote encryption.
To block ransomware operating on unmanaged sources, eliminate unmanaged connections or detect and block the file extraction and replacement processes. Various tools can be used for the key steps in these processes: add managed connections for BYOD devices, monitor data traffic and sources, and eliminate unmanaged corporate assets.
Add managed connections to BYOD devices to prevent completely unmonitored and unmanaged connections. Firewalls often implicitly trust virtual private network (VPN) connections and remote desktop (RD) connections, so instead choose a security solution that explicitly extends security to encompass BYOD, such as the following:
These solutions provide both indirect and direct control over BYOD devices without the need to install endpoint protections directly on the BYOD devices.
Monitor data traffic and data sources to detect the ransomware's file access and replacement. Basic VPN and IPS focus on the connections between internal resources and external threats, which leaves internal network devices and trusted VPN connections unexamined.
However, file access and replacement generates high traffic volume that triggers detection in newer security solutions, such as the following:
Anomaly detection, often enhanced using artificial intelligence, can both improve detection and block activity, but only when traffic routes through these devices.
Additionally, some endpoint protection solutions offer file monitoring features, such as Sophos CryptoGuard, that track the status of each file on the endpoint. Instead of attempting to detect and block malicious activity, these tools monitor file integrity and detect when encrypted files replace unencrypted files.
These advanced tools can allow legitimate local encryption. However, when the security tool can’t view the entire process (e.g., remote encryption), the endpoint protection blocks the remote IP address and rolls back the file to its original, unencrypted state.
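The read-then-overwrite pattern described above can be surfaced from file-server audit data without any agent on the remote device. The following is an added example, not code from the article or from any vendor product named in it; it assumes a constructed stream of file-server audit events (timestamp, client address, path, operation, and the bytes written back) and flags a client that reads many files and rewrites them with high-entropy content inside a short window, then lists the paths a rollback would need to restore. The thresholds, the sample hosts and paths, and the use of byte entropy as a stand-in for "this write looks like ciphertext" are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    """One audit record from a file share (constructed format, not a real log schema)."""
    ts: datetime
    client_ip: str
    path: str
    op: str          # "read" or "write"
    content: bytes   # bytes written back; empty for reads


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 for uniform random/ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_remote_encryption(events, window=timedelta(seconds=60),
                             min_overwrites=20, entropy_threshold=7.0):
    """Return {client_ip: peak_count} for clients that read a file and then
    overwrote it with high-entropy content at least `min_overwrites` times
    inside any `window`. A legitimate editor rarely does this at scale."""
    seen_reads = set()
    overwrites = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.client_ip, ev.path)
        if ev.op == "read":
            seen_reads.add(key)
        elif ev.op == "write" and key in seen_reads \
                and shannon_entropy(ev.content) >= entropy_threshold:
            overwrites[ev.client_ip].append(ev.ts)
    flagged = {}
    for ip, stamps in overwrites.items():
        peak, start = 0, 0
        for end, ts in enumerate(stamps):        # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_overwrites:
            flagged[ip] = peak
    return flagged


def paths_to_restore(events, flagged):
    """For each flagged client, the paths it overwrote: the rollback list a
    file-integrity tool would hand to the restore step after blocking the IP."""
    paths = defaultdict(set)
    for ev in events:
        if ev.op == "write" and ev.client_ip in flagged:
            paths[ev.client_ip].add(ev.path)
    return {ip: sorted(p) for ip, p in paths.items()}


def build_sample_events():
    """Constructed audit trail: one workstation editing three documents normally,
    one BYOD host reading 30 files and writing ciphertext-like bytes back in 45 seconds."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    plaintext = b"Q3 summary: revenue up 4 percent, costs flat.\n" * 20
    ciphertext_like = bytes(range(256)) * 4   # every byte value equally frequent -> entropy 8.0
    events = []
    for i in range(3):                         # benign editor, one document every 3 minutes
        t = base + timedelta(minutes=3 * i)
        path = f"/share/docs/report{i}.docx"
        events.append(FileEvent(t, "10.0.5.20", path, "read", b""))
        events.append(FileEvent(t + timedelta(seconds=30), "10.0.5.20", path, "write", plaintext))
    for i in range(30):                        # suspect host, one file every 1.5 seconds
        t = base + timedelta(seconds=1.5 * i)
        path = f"/share/finance/inv{i}.xlsx"
        events.append(FileEvent(t, "192.168.50.77", path, "read", b""))
        events.append(FileEvent(t + timedelta(milliseconds=500), "192.168.50.77", path, "write", ciphertext_like))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    hits = detect_remote_encryption(evs)
    print("flagged clients:", hits)
    print("paths to roll back:", paths_to_restore(evs, hits))
```

Requiring a prior read of the same path by the same client is what separates this from a bulk upload of already-compressed files, which is also high-entropy but never reads first; the window and count thresholds are the knobs to tune against a share's normal write rate before acting on a hit.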
Locate unmanaged corporate devices and then either add controls or tightly restrict access to and from those devices through tools such as the following:
Although BYOD may pose a more likely risk, asset control remains fundamental to security and the risk posed by the 11% of unmanaged devices must be addressed.
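Finding the unmanaged share of a network comes down to reconciling what discovery sources see against what the endpoint-protection console reports. The following added example, not code from the article or from any product it mentions, assumes three constructed inputs: hosts observed by DHCP, NAC, or a network scan; the MAC addresses and last check-in times reported by an EDR console; and the MAC addresses of corporate-owned assets. It sorts each discovered host into managed, stale agent, corporate-but-unprotected, or unknown (the BYOD and IoT candidates), and reports the unmanaged percentage. The hostnames, addresses, and the seven-day staleness cutoff are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Host:
    """A device observed on the network by some discovery source (constructed record)."""
    hostname: str
    mac: str
    ip: str
    seen_by: str   # "dhcp", "nac", or "scan"


def norm_mac(mac: str) -> str:
    """Normalize the spellings different sources use (AA-BB-CC-.., aabb.cc00.., AA:BB:..)
    to aa:bb:cc:dd:ee:ff so records from EDR, CMDB, and discovery can be joined."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(network_hosts, edr_agents, corporate_macs, now, stale_after=timedelta(days=7)):
    """Classify every discovered host. A device with an agent that has not checked in
    within `stale_after` is treated as unmanaged, since nothing is watching it now."""
    result = {"managed": [], "stale_agent": [], "corporate_unprotected": [], "unknown_device": []}
    edr = {norm_mac(m): last for m, last in edr_agents.items()}
    corp = {norm_mac(m) for m in corporate_macs}
    for h in network_hosts:
        mac = norm_mac(h.mac)
        if mac in edr:
            cat = "managed" if now - edr[mac] <= stale_after else "stale_agent"
        elif mac in corp:
            cat = "corporate_unprotected"   # owned asset with no agent: add one or restrict it
        else:
            cat = "unknown_device"          # not in the asset register: BYOD or IoT candidate
        result[cat].append(h.hostname)
    return {k: sorted(v) for k, v in result.items()}


def unmanaged_share(result) -> float:
    """Percentage of discovered hosts that are not currently managed, rounded to one decimal."""
    total = sum(len(v) for v in result.values())
    unmanaged = total - len(result["managed"])
    return round(100.0 * unmanaged / total, 1) if total else 0.0


# Constructed sample data; MACs and addresses are placeholders, not real devices.
NOW = datetime(2024, 1, 15, 9, 0)
NETWORK_HOSTS = [
    Host("fin-ws-01", "AA-BB-CC-00-00-01", "10.0.5.11", "nac"),
    Host("fin-ws-02", "aa:bb:cc:00:00:02", "10.0.5.12", "nac"),
    Host("hr-ws-07", "aabb.cc00.0007", "10.0.6.7", "dhcp"),
    Host("print-floor2", "AA:BB:CC:00:00:20", "10.0.9.20", "scan"),
    Host("Johns-MacBook", "DE:AD:BE:EF:00:01", "10.0.7.101", "dhcp"),
    Host("android-3f2a", "de:ad:be:ef:00:02", "10.0.7.102", "dhcp"),
]
EDR_AGENTS = {                                   # MAC -> last check-in reported by the console
    "aa:bb:cc:00:00:01": NOW - timedelta(hours=2),
    "aa:bb:cc:00:00:02": NOW - timedelta(days=20),
}
CORPORATE_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:07", "aa:bb:cc:00:00:20"}


if __name__ == "__main__":
    report = reconcile(NETWORK_HOSTS, EDR_AGENTS, CORPORATE_MACS, NOW)
    for category, hosts in report.items():
        print(f"{category:22s} {hosts}")
    print(f"unmanaged share: {unmanaged_share(report)}%")
```

Joining on MAC rather than hostname matters because BYOD devices pick their own names and corporate images get renamed; the "unknown_device" bucket is the list to feed into the managed-connection controls discussed above, while "corporate_unprotected" is the asset-control gap.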
Attackers eagerly exploit unmanaged devices to perform remote ransomware encryption out of the sight of otherwise-effective security tools. Every organization without effective asset discovery risks unmanaged assets within the network, but BYOD introduces the more likely risk, at least today, for both ransomware attacks and remote encryption.
Fortunately, managed connections and monitored data can meet these challenges and provide effective protection for today’s most pressing threats as well as going forward as attackers change tactics. Control BYOD risks now to improve visibility and make ransomware gangs work harder to execute their attacks.
For a more comprehensive solution for access and data control, consider a zero trust security solution that performs continuous monitoring and verification.