Ransomware gangs are now exploiting vulnerabilities in VPNs and EDR systems to gain unauthorized access to corporate networks. For instance, Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) VPNs were found to have a zero-day vulnerability that allowed attackers to conduct brute-force attacks against existing accounts, enabling unauthorized access to networks.
Similarly, ransomware groups have been observed exploiting remote access services, such as VPN and Remote Desktop Protocol (RDP), to gain initial access to corporate networks. This highlights the importance of securing remote access points and ensuring that all systems are up to date with the latest security patches.
One of the tactics employed by ransomware gangs is the "Bring Your Own Driver" (BYOD) technique. This involves deploying a legitimate, vulnerable driver on targeted devices to escalate privileges, disable security solutions, and take control of the system. By exploiting flaws in these trusted drivers, attackers can disable EDR tools and other security measures, making it easier to deploy ransomware and exfiltrate sensitive data.
To protect your organization from these evolving threats, consider implementing the following measures:
This article explains how modern ransomware gangs are bypassing VPNs and Endpoint Detection and Response (EDR) tools and what Ohio business leaders should do to protect their organizations. It uses examples like the Columbus ransomware attack to show why ransomware is no longer a question of if but when.
Attackers increasingly target VPN and remote access services to gain an initial foothold in business networks. The article highlights real-world issues, such as a zero-day vulnerability in Cisco ASA and Firepower Threat Defense (FTD) VPNs that allowed brute-force attacks against existing accounts. Ransomware groups also abuse remote access tools like RDP (Remote Desktop Protocol) to move deeper into the network if these services are not properly secured and patched.
The Bring Your Own Driver (BYOD) technique involves deploying a legitimate but vulnerable driver onto a target system. Once loaded, this driver can be exploited to:
• Escalate privileges
• Disable EDR and other security tools
• Take control of the endpoint
By abusing trusted but flawed drivers, attackers can turn security tools off before launching ransomware or exfiltrating data.
The article recommends several best practices to strengthen remote access security:
• Enforce Multi-Factor Authentication (MFA) on VPN, RDP, and other remote access services
• Keep VPN appliances and remote access tools fully patched with the latest security updates
• Restrict remote access to only the users and devices that truly need it
• Regularly review access logs for unusual sign-in patterns
These steps make it much harder for ransomware gangs to exploit remote access as a “back door” into your network.
Ransomware gangs often lurk in networks before encrypting data, so continuous monitoring helps detect suspicious behavior early. The article urges businesses to:
• Monitor and audit network activity for unusual logins or large data transfers
• Use a Managed Service Provider (MSP) to perform regular vulnerability scans that reveal weak points and exposed services
• Fix or “plug” the vulnerabilities those scans uncover
This proactive approach lets you close security gaps before attackers can use them to get around your defenses.
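As an added example that is not part of the article, here is a small Python check of the kind the log-review and monitoring advice above calls for: it runs over constructed VPN sign-in log lines and flags the brute-force and password-spraying patterns the Cisco ASA/FTD discussion describes, including a burst of failures that ends in a successful login. The log format, field names and thresholds are assumptions, not any vendor's real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample VPN sign-in log (hypothetical format, not any real appliance's).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:03Z FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:05Z FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:07Z FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:10Z OK   user=jsmith src=203.0.113.7
2024-05-01T09:15:00Z FAIL user=acho src=203.0.113.9
2024-05-01T09:15:02Z FAIL user=bkim src=203.0.113.9
2024-05-01T09:15:04Z FAIL user=cdoe src=203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse(log):
    """Return (timestamp, result, user, src) tuples; lines that don't match are skipped."""
    rows = [LINE_RE.match(line.strip()) for line in log.splitlines()]
    return [(datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4])
            for m in rows if m]

def _burst(times, window, threshold):
    """True if at least `threshold` timestamps fall inside one `window`-long span."""
    times, j = sorted(times), 0
    for i, t in enumerate(times):
        while times[j] < t - window:   # slide the window's left edge forward
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False

def find_suspicious(events, window=timedelta(minutes=5), fails=4, spray_users=3):
    """Flag brute force (>= `fails` failures on one account from one source inside `window`),
    spraying (one source failing against >= `spray_users` accounts) and a burst that ends in success."""
    fail_times = defaultdict(list)   # (user, src) -> failure timestamps
    users_hit = defaultdict(set)     # src -> accounts it failed against
    for ts, result, user, src in events:
        if result == "FAIL":
            fail_times[(user, src)].append(ts)
            users_hit[src].add(user)
    findings = [("brute_force", u, s) for (u, s), t in fail_times.items()
                if _burst(t, window, fails)]
    findings += [("password_spray", None, s) for s, u in users_hit.items()
                 if len(u) >= spray_users]
    for ts, result, user, src in events:   # did a burst end in a successful login?
        if result == "OK" and ("brute_force", user, src) in findings \
                and timedelta(0) <= ts - max(fail_times[(user, src)]) <= window:
            findings.append(("success_after_burst", user, src))
    return findings
```

A `success_after_burst` finding is the one worth paging on: it is the pattern of an account that was brute-forced and then used, which is what MFA on the VPN is meant to stop.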
Human error is still one of the biggest ransomware risk factors. The article stresses that ongoing employee education on cybersecurity best practices is essential. This includes:
• Recognizing phishing emails and malicious links
• Reporting suspicious activity quickly
• Following company policies on passwords and remote access
Cloud Cover even offers a free Cybersecurity Policy Template to help organizations formalize these best practices and make training more effective.