VPN Bugs and RDP – Top Exploits Used by Ransomware Gangs

This year has seen more cybercrime gangs and more ransomware attacks on companies across multiple industries. Cybercriminals are always finding new ways, or new circumstances, to exploit in order to infiltrate a company, cause damage, or steal information.

More specifically, this sharp increase in ransomware gang attacks on companies was witnessed in the first half of 2020. The majority of these attacks were carried out by exploiting insecure RDP endpoints and corporate VPN appliances, along with phishing.

Remote Desktop Protocol (RDP) is regarded as the top intrusion vector used by all sorts of cybercriminals in ransomware incidents. RDP gives users a way to connect to remote systems. Threat actors use vulnerable RDP endpoints to gain unauthorized access to Windows computers, and then proceed to install malware or ransomware on their target.

Since last year, ransomware gangs have shifted from targeting individual users to focusing on companies. As RDP is a widely used technology, there are countless computers with exposed RDP ports. This makes RDP a prime intrusion method for a host of cybercriminals.

There are RDP shops where ransomware groups can purchase compromised usernames and passwords for malicious use.  
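The following is an added, defender-side illustration of the RDP paragraphs above; it is example code written for this post, not LIFARS tooling. It takes a simplified, constructed CSV export of Windows Security events (the column names, the RFC 1918 "internal" ranges, and the five-failures-in-five-minutes threshold are all assumptions you would tune to your own environment) and flags three things a responder looks for first: password-guessing bursts against RDP (Event ID 4625, LogonType 10), a successful RDP logon from a source that was just guessing, and any successful RDP logon arriving from outside the internal address space.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log constants: LogonType 10 is RemoteInteractive (RDP).
RDP_LOGON_TYPE = 10
LOGON_FAILED = 4625
LOGON_SUCCESS = 4624

# Assumed internal address space (RFC 1918); replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (not real log data); column names are assumed.
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2020-06-01T02:00:01,4625,10,administrator,203.0.113.45
2020-06-01T02:00:11,4625,10,administrator,203.0.113.45
2020-06-01T02:00:21,4625,10,admin,203.0.113.45
2020-06-01T02:00:31,4625,10,administrator,203.0.113.45
2020-06-01T02:00:41,4625,10,administrator,203.0.113.45
2020-06-01T02:00:58,4624,10,administrator,203.0.113.45
2020-06-01T09:15:00,4624,10,jdoe,10.0.5.12
2020-06-01T09:16:00,4625,2,jdoe,127.0.0.1
2020-06-01T11:00:00,4624,10,svc_backup,198.51.100.7
"""


def parse_events(text):
    """Parse the CSV export into typed dicts, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": int(row["EventID"]),
            "logon_type": int(row["LogonType"]),
            "user": row["TargetUserName"],
            "src_ip": row["IpAddress"],
        })
    return sorted(rows, key=lambda r: r["time"])


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_rdp_abuse(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of findings over RDP (LogonType 10) events only."""
    findings = []
    recent_failures = defaultdict(list)  # src_ip -> failure times in window
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # console, network and service logons are out of scope
        src, t = e["src_ip"], e["time"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[src] = [ft for ft in recent_failures[src]
                                if t - ft <= window]
        if e["event_id"] == LOGON_FAILED:
            recent_failures[src].append(t)
            # Alert once, at the moment the source crosses the threshold.
            if len(recent_failures[src]) == threshold:
                findings.append({"type": "rdp_bruteforce", "src_ip": src,
                                 "count": threshold, "time": t.isoformat()})
        elif e["event_id"] == LOGON_SUCCESS:
            if len(recent_failures[src]) >= threshold:
                findings.append({"type": "rdp_success_after_bruteforce",
                                 "src_ip": src, "user": e["user"],
                                 "time": t.isoformat()})
            elif is_external(src):
                findings.append({"type": "rdp_external_logon",
                                 "src_ip": src, "user": e["user"],
                                 "time": t.isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_abuse(parse_events(SAMPLE_CSV)):
        print(finding)
```

Run against the constructed sample, the script reports the guessing burst from 203.0.113.45, the successful logon that follows it, and the external logon from 198.51.100.7, while the internal logon by jdoe and the non-RDP failure are ignored. The "success after burst" case is the one that matters most for a ransomware response: it is the point at which a purchased or guessed credential turns into a foothold.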


Ransomware Response

Our Cyber Incident Response Team provides an elite response for your organization after a Ransomware or Cyber Extortion Incident. LIFARS executes Bitcoin payments and establishes a cyber-secure perimeter guided by proper regulatory and legal oversight. Ransomware Response and Cyber Extortion containment is our expertise.


However, threat actors have not just stuck with RDP as a ransomware vector. This year, they have heavily targeted VPNs and other network appliances to infiltrate corporate networks. 

Products from Palo Alto Networks, Citrix, Fortinet, and Pulse Secure are among those with VPN vulnerabilities disclosed since 2019.

Once access was gained to corporate networks, cybercrime groups engaged in malicious activities including nation-level cyber espionage, financial crime, and intellectual property theft.

Researchers point out that ransomware gangs have used Citrix systems and Pulse Secure VPNs as entry points for their attacks. Citrix systems have been vulnerable to bug CVE-2019-19781, and Pulse Secure VPNs to bug CVE-2019-11510.

Ransomware groups that have exploited the Citrix systems vulnerability include Evil Corp, Ragnarok, Maze, DoppelPaymer, REvil, CLOP, and Nefilim. Similarly, groups like Black Kingdom and REvil have used the Pulse Secure VPN vulnerability to attack victims.

Unpatched systems present a serious cybersecurity problem for companies. Securing your systems and patching against bugs means one less vector of attack for threat actors.