Why BYOD Is the Favored Ransomware Backdoor

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

When remote workers connect bring-your-own-device (BYOD) laptops, desktops, tablets, and phones to corporate assets, risk dramatically increases. These devices exist outside of direct corporate management and provide a ransomware gang with unchecked platforms for encrypting data.

Ransomware remains just one of many different threats and as security teams eliminate key vectors of attack, adversaries will shift tactics. Of course, to cause that shift in tactics, first make sure to eliminate the easy access that these ransomware gangs currently enjoy.

Most Compromises Exploit Unmanaged Devices 

Microsoft’s fourth annual Digital Defense Report for 2023 reveals that 80% of all ransomware compromises come from unmanaged devices and that 60% of those attacks use remote encryption. Naturally, this leads to three important questions: What are unmanaged devices? How does remote encryption work? Which unmanaged devices do attackers use?

What Are Unmanaged Devices? 

Unmanaged devices consist of any device that connects to the network, cloud resources, or other assets without corporate-controlled security. Greg Fitzerald, co-founder of Sevco Security, disclosed to eSecurity Planet that their recent State of the Cybersecurity Attack Surface research found “11% of all IT assets are missing endpoint protection.”

Some of this 11% includes the common and recurring problem of overlooked legacy endpoints such as laptops, desktops, and mobile devices. This category also includes routers, switches, and Internet of Things (IoT) devices that can’t install traditional endpoint protection such as antivirus (AV) or endpoint detection and response (EDR) solutions.

BYOD devices deliver another significant source of unmanaged devices unique to our post-pandemic working environment as many remote workers connect to corporate resources using their own devices. According to the National Bureau of Economic Research, 42.8% of American employees work from home part- or full-time, which places an enormous burden on security teams to secure access across a variety of controlled and uncontrolled assets.

How Does Remote Encryption Work?

Remote encryption performs ransomware encryption on a device beyond the security solutions monitoring for malicious activity. Installed antivirus, EDR, extended detection and response (XDR), intrusion prevention systems (IPS), and next generation firewalls (NGFW) monitor endpoints and networks for signs of malicious activity – especially types of ransomware.

As endpoint security improved, attackers realized that these security solutions only work in two conditions. Either the ransomware protection must be installed on an endpoint, or the indicators of compromise for ransomware must flow through a monitoring solution (NGFW, IPS, etc.).

Unmanaged endpoints lack installed protections and ransomware file exfiltration and replacement mimics normal data access traffic between the unmanaged endpoint and the network data resource. The Sophos X-Ops team highlighted the issue in a recent blog, which details how remote encryption evades multiple layers of network security.

Sophos X-Ops illustrates how remote encryption operates beyond security tool detection.
Sophos X-Ops illustrates how remote encryption operates beyond security tool detection.

Which Unmanaged Devices Do Attackers Use?

Attackers probably use BYOD and the research indirectly supports this. Ransomware attackers seek access to devices with sufficient local memory to perform resource-intensive encryption.

The US Cybersecurity and Infrastructure Security Agency (CISA) estimated that 90% of all successful attacks begin with phishing, which points at user’s devices instead of routers, IoT, and other types of unmanaged endpoints. While attackers often navigate laterally, network devices and IoT also lack the available memory to be common platforms for high volume encryption.

The best practice for security software installation starts with the primary user devices. Users typically don’t use old and slow legacy devices to check email and those devices typically lack the computing power that attackers need to perform remote encryption. Therefore, BYOD remains the most likely source for remote encryption.

How to Block Unmanaged Device Attacks

To block ransomware operating on unmanaged sources, eliminate unmanaged connections or detect and block the file extraction and replacement processes. Various tools can be used for the key steps in these processes: add managed connections for BYOD devices, monitor data traffic and sources, and eliminate unmanaged corporate assets.

Add Managed Connections for BYOD Devices

Add managed connections to BYOD devices to prevent completely unmonitored and unmanaged connections. Firewalls often implicitly trust virtual private network (VPN) connections and remote desktop (RD) connections, so instead choose a security solution that explicitly extends security to encompass BYOD, such as the following:

  • Virtual desktop infrastructure (VDI) controls unmanaged BYOD risk with a fully-controlled endpoint that eliminates most file transfer needs.
  • Browser isolation prevents BYOD risk with a containerized application that acts as a VDI operating on the BYOD device to limit file transfers and access.
  • Network access control (NAC) can reduce BYOD risk through endpoint status evaluation, device quarantine, and traffic monitoring.

These solutions provide both indirect and direct control over BYOD devices without the need to install endpoint protections directly on the BYOD devices.

Monitor Data Traffic & Sources

Monitor data traffic and data sources to detect the ransomware file access and replacement. Basic VPN and IPS focus on the connections between internal resources and external threats, which ignores network devices or trusted VPN connections.

However, file access and replacement generates high traffic volume that triggers detection in newer security solutions, such as the following:

  • XDR can monitor traffic and may detect increased file access and file transmission activity.
  • NGFWs can decrypt and inspect VPN traffic to monitor file exfiltration as well as detect increased and anomalous traffic.
  • User and entity behavior analytics (UEBA) can detect, track, and block unusual access to sensitive data.
  • Secure web gateways (SWG) can sometimes inspect traffic and potentially detect increased and anomalous traffic.

Anomaly detection, often enhanced using artificial intelligence, can both improve detection and block activity, but only when traffic routes through these devices.

Additionally, some endpoint protection solutions offer file monitoring features, such as Sophos CryptoGuard, that track the status of each file on the endpoint. Instead of attempting to detect and block malicious activity, these tools monitor file integrity and detect when encrypted files replace unencrypted files.

These advanced tools can allow legitimate local encryption. However, when the security tool can’t view the entire process (e.g., remote encryption), the endpoint protection blocks the remote IP address and rolls back the file to its original, unencrypted state.

Eliminate Unmanaged Corporate Assets

Locate unmanaged corporate devices and then either add controls or tightly restrict access to and from those devices through tools such as the following:

  • Asset management (ITAM) and asset discovery tools locate unmanaged corporate devices for endpoint protection security software installation.
  • Attack surface management (ASM) tools combine asset discovery, vulnerability management, and breach and attack simulation for both the network and the cloud.
  • IoT security protects against direct attacks on IoT devices.
  • Network segmentation isolates IoT or legacy devices that can’t accommodate other security solutions to prevent unmonitored connections.

Although BYOD may pose a more likely risk, asset control remains fundamental to security and the risk posed by the 11% of unmanaged devices must be addressed.

Bottom Line: Address BYOD Risks

Attackers eagerly exploit unmanaged devices to perform remote ransomware encryption out of the sight of otherwise-effective security tools. Every organization without effective asset discovery risks unmanaged assets within the network, but BYOD introduces the more likely risk, at least today, for both ransomware attacks and remote encryption.

Fortunately, managed connections and monitored data can meet these challenges and provide effective protection for today’s most pressing threats as well as going forward as attackers change tactics. Control BYOD risks now to improve visibility and make ransomware gangs work harder to execute their attacks.

For a more comprehensive solution for access and data control, consider a zero trust security solution that performs continuous monitoring and verification.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Chad Kime Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.




Top Cybersecurity Companies

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis