Remote Encryption

Zack Link
11-26-2024 08:00 AM

What is remote encryption, you ask?

Remote encryption is an attack technique used by ransomware groups. Instead of detonating ransomware on the target server, attackers run it on an unmanaged endpoint that connects to the server over a Windows (SMB) share and encrypts the files on the remote machine.


Why do they do this?

It's an evasion technique. If your file server has good security, say an advanced EDR solution and locked-down controls, the attacker can simply find an unmanaged endpoint to attack from. Unmanaged endpoints could be a BYOD device, a remote worker using their home PC, lab or dev VMs spun up by shadow IT that the security team doesn't know about, or even a managed PC where the attackers were able to disable the EDR tool.

An unmanaged device is essentially unprotected, so attackers can launch their attacks against servers from the unmanaged endpoint without worrying about being blocked. Most EDR solutions do not protect against remote encryption well, if at all. The target server's EDR solution has no visibility into the ransomware process itself, since it runs remotely on the unmanaged device. The server only receives commands over the network to read data, write new (encrypted) data, and delete the original data. To the target server this looks like fairly typical file-share activity.
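As an added illustration (not part of the original post or any Plume Security tooling), here is a small Python heuristic over constructed, simplified share-access events. It flags a client address that reads an original file, writes a renamed copy to the same share and deletes the original, for several files inside a short window, since that read/write/delete pattern is the only footprint the file server gets to see. The event layout, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, loosely modelled on Windows Security Event ID 5145
# (network share object access); the flat key=value layout is a simplification.
SAMPLE_EVENTS = r"""
ts=2024-11-26T08:00:01 src=10.0.5.77 share=\\FS01\Finance target=Q3\budget.xlsx access=ReadData
ts=2024-11-26T08:00:01 src=10.0.5.77 share=\\FS01\Finance target=Q3\budget.xlsx.locked access=WriteData
ts=2024-11-26T08:00:02 src=10.0.5.77 share=\\FS01\Finance target=Q3\budget.xlsx access=DELETE
ts=2024-11-26T08:00:02 src=10.0.5.77 share=\\FS01\Finance target=Q3\forecast.docx access=ReadData
ts=2024-11-26T08:00:02 src=10.0.5.77 share=\\FS01\Finance target=Q3\forecast.docx.locked access=WriteData
ts=2024-11-26T08:00:03 src=10.0.5.77 share=\\FS01\Finance target=Q3\forecast.docx access=DELETE
ts=2024-11-26T08:00:03 src=10.0.5.77 share=\\FS01\Finance target=Q3\payroll.csv access=ReadData
ts=2024-11-26T08:00:03 src=10.0.5.77 share=\\FS01\Finance target=Q3\payroll.csv.locked access=WriteData
ts=2024-11-26T08:00:04 src=10.0.5.77 share=\\FS01\Finance target=Q3\payroll.csv access=DELETE
ts=2024-11-26T08:05:10 src=10.0.9.12 share=\\FS01\Finance target=Q3\notes.txt access=ReadData
ts=2024-11-26T08:07:44 src=10.0.9.12 share=\\FS01\Finance target=Q3\notes.txt access=WriteData
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(text):
    return [dict(FIELD.findall(ln)) for ln in text.strip().splitlines() if ln.strip()]

def find_remote_encryption(text, min_files=3, window_s=60):
    """Per client address, count originals that were read, rewritten under a derived
    name on the same share, then deleted; alert when >= min_files complete that
    cycle within window_s seconds (the server never sees the encrypting process)."""
    per_src = defaultdict(lambda: {"read": set(), "written": set(), "deleted": {}})
    for ev in parse(text):
        st, key = per_src[ev["src"]], (ev["share"], ev["target"])
        if ev["access"] == "ReadData":
            st["read"].add(key)
        elif ev["access"] == "WriteData":
            st["written"].add(key)
        elif ev["access"] == "DELETE":
            st["deleted"][key] = datetime.fromisoformat(ev["ts"])
    alerts = {}
    for src, st in per_src.items():
        # deletion times of files that were read and gained a new sibling such as name.ext.locked
        hits = sorted(t for key, t in st["deleted"].items() if key in st["read"] and any(
            w[0] == key[0] and w[1] != key[1] and w[1].startswith(key[1]) for w in st["written"]))
        best = 0  # largest number of such files inside any window_s-second span
        for i, t0 in enumerate(hits):
            best = max(best, sum(1 for t in hits[i:] if (t - t0).total_seconds() <= window_s))
        if best >= min_files:
            alerts[src] = best
    return alerts
```

On the constructed sample, `find_remote_encryption(SAMPLE_EVENTS)` returns `{'10.0.5.77': 3}` and leaves the ordinary edit-and-save from 10.0.9.12 alone; in practice the thresholds need tuning against your own share traffic.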


How common is remote encryption?

According to the Microsoft Digital Defense Report for 2023 (MDDR), remote encryption was used in 80-90% of human-operated ransomware attacks.

So yes, this is pretty common.

You can download the 2023 MDDR at https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023


What can I do to prevent remote encryption attacks?

Check out our whitepaper at https://www.plumesecurity.com/files/understanding_remote_encryption.pdf


Zack Link